(okta-js-sdk) Not sure which auth flow we are using


We are using okta-js-sdk in a client-side ReactJS application (SPA) to implement our own login mechanism, setting the Okta session cookies on our own. We do not use the Okta-hosted login widget.

We build OktaAuth with the following config:

const config = {
  clientId: "[SPA CLIENT ID]",
  issuer: "[OAUTH ISSUER]",
  redirectUri: "[STUB REDIRECT]",
  scopes: ["openid"],
};

Then we use the signInWithCredentials method and pass the user’s username and password. On the returned promise we check for transaction.status === "SUCCESS" and finally we use the token.getWithoutPrompt method to get the session cookies and store them with tokenManager.setTokens.

So in the end we persist the clientId in the SPA, and we collect username and password from the user.

Now, since we are not actually using redirectUri, we are not sure which Okta flow we are using: Implicit, Client Credentials even when we just use clientId, or Authorization.

Also, we would like to know if this implementation of authentication is good for a SPA.

Thank you.

We recommend that the Authorization code with PKCE flow be used for SPAs, which is the flow used by default in our front-end libraries, including okta-auth-js which seems to be the library you are using.

So in theory, you should be all set!