Okta Session token being recieved before MFA is complete

nshenoy · March 21, 2023, 5:11pm

Hello!

I’m looking to implement Okta in a CLI using our organization’s Okta Tenant.

MFA is required for all logins, however, when I use the /authn API, I receive a session token without MFA.

I can’t exchange this session token for a session cookie without a browser. When attempting to use the OIDC callback, or the redirect to get a cookie from the session token, Okta redirects me to the MFA page.

In other Okta tenants, I was forced to do MFA before I received the session token.

Is there some configuration that’s different between Okta Identity Engine vs DS Okta that I can force MFA for /authn API usage?

Thanks in advance!

andrea · March 21, 2023, 9:10pm

Do you have your app configured with its own MFA policy (Authentication Policies in OIE)?

In your other Okta tenants, I imagine the difference is that the MFA requirement is set at the Global Session Policy level. When you make a request to /authn, only the policies related to Global Session Policy will be evaluated.

If you instead have the Global Session Policy set to only require username and password and then the application’s policy (configured on the Application → Sign On tab in Okta Classic, but as an Authentication Policy in Identity Engine) is the one set to prompt for an additional factor, then that would explain why you see it when trying to use the sessionToken (which only proved that username/password auth was completed) to log into a given application.

nshenoy · March 21, 2023, 11:33pm

Thank you, Andrea. Will see if we can update the Global Policies to require MFA

Naman

vdc305 · April 1, 2023, 1:16am

Is it possible to get okta session token and then use the okta session token to get the factors for the user ?

nshenoy · April 10, 2023, 9:52pm

Unfortunately no, that seems to require a state token.

We’re working to update the Global Session Policy and giving @andrea’s solution a go

nshenoy · April 28, 2023, 9:34pm

This seems like an approach.

We were reading about the integration code auth flow and wondering if there was any SDK information or example code or any implementation documentation outside of:

Thank you

andrea · May 2, 2023, 3:17pm

The Interaction Code flow is available to use with our IdX SDKs:

AuthJS (sample apps here)
.NET (sample apps here)
Golang (sample apps here)
Java (sample apps here)
Android (sample app here)
Swift (sample apps here)

nshenoy · May 3, 2023, 12:11am

Thanks!
Another thing I wanted to double confirm was that using the /login/sessionCookieRedirect flow won’t with IDX, as we’re seeing a forbidden response, even with the Global Policy Session change.

andrea · May 10, 2023, 6:22pm

That’s correct, that endpoint is to establish an sid session cookie, which is achieved when using /authn instead (to get a sessionToken). Since we’re backwards compatible, the authn flow will still work (/authn to get sessionToken, login/sessionCookeRedirect to get session cookie), but you will have a classic “sid” session instead of an “idx” session

system · May 11, 2023, 6:22pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Auth code pkce with MFA for a SPA app OAuth/OIDC reactjs	5	2638	February 13, 2024
Do we need a session token? If so, how do we get it? OAuth/OIDC	2	3465	November 15, 2021
Generating OIDC Token using PKCE with MFA OAuth/OIDC	4	1377	March 25, 2024
Authorization via CLI with MFA doesn't work OAuth/OIDC	3	1872	February 15, 2024
How to Implement Adaptative MFA using Okta Authentication API API api	3	1813	February 15, 2024

Okta Session token being recieved before MFA is complete

Related topics