I’m looking to implement Okta in a CLI using our organization’s Okta Tenant.
MFA is required for all logins, however, when I use the /authn API, I receive a session token without MFA.
I can’t exchange this session token for a session cookie without a browser. When attempting to use the OIDC callback, or the redirect to get a cookie from the session token, Okta redirects me to the MFA page.
In other Okta tenants, I was forced to do MFA before I received the session token.
Is there some configuration that’s different between Okta Identity Engine vs DS Okta that I can force MFA for /authn API usage?
Do you have your app configured with its own MFA policy (Authentication Policies in OIE)?
In your other Okta tenants, I imagine the difference is that the MFA requirement is set at the Global Session Policy level. When you make a request to /authn, only the policies related to Global Session Policy will be evaluated.
If you instead have the Global Session Policy set to only require username and password and then the application’s policy (configured on the Application → Sign On tab in Okta Classic, but as an Authentication Policy in Identity Engine) is the one set to prompt for an additional factor, then that would explain why you see it when trying to use the sessionToken (which only proved that username/password auth was completed) to log into a given application.
That’s correct, that endpoint is to establish an sid session cookie, which is achieved when using /authn instead (to get a sessionToken). Since we’re backwards compatible, the authn flow will still work (/authn to get sessionToken, login/sessionCookeRedirect to get session cookie), but you will have a classic “sid” session instead of an “idx” session