Okta Session token being recieved before MFA is complete


I’m looking to implement Okta in a CLI using our organization’s Okta Tenant.

MFA is required for all logins, however, when I use the /authn API, I receive a session token without MFA.

I can’t exchange this session token for a session cookie without a browser. When attempting to use the OIDC callback, or the redirect to get a cookie from the session token, Okta redirects me to the MFA page.

In other Okta tenants, I was forced to do MFA before I received the session token.

Is there some configuration that’s different between Okta Identity Engine vs DS Okta that I can force MFA for /authn API usage?

Thanks in advance!

Do you have your app configured with its own MFA policy (Authentication Policies in OIE)?

In your other Okta tenants, I imagine the difference is that the MFA requirement is set at the Global Session Policy level. When you make a request to /authn, only the policies related to Global Session Policy will be evaluated.

If you instead have the Global Session Policy set to only require username and password and then the application’s policy (configured on the Application → Sign On tab in Okta Classic, but as an Authentication Policy in Identity Engine) is the one set to prompt for an additional factor, then that would explain why you see it when trying to use the sessionToken (which only proved that username/password auth was completed) to log into a given application.


Thank you, Andrea. Will see if we can update the Global Policies to require MFA

  • Naman

Is it possible to get okta session token and then use the okta session token to get the factors for the user ?

Unfortunately no, that seems to require a state token.

We’re working to update the Global Session Policy and giving @andrea’s solution a go

This seems like an approach.

We were reading about the integration code auth flow and wondering if there was any SDK information or example code or any implementation documentation outside of:

Thank you

The Interaction Code flow is available to use with our IdX SDKs:

Another thing I wanted to double confirm was that using the /login/sessionCookieRedirect flow won’t with IDX, as we’re seeing a forbidden response, even with the Global Policy Session change.

That’s correct, that endpoint is to establish an sid session cookie, which is achieved when using /authn instead (to get a sessionToken). Since we’re backwards compatible, the authn flow will still work (/authn to get sessionToken, login/sessionCookeRedirect to get session cookie), but you will have a classic “sid” session instead of an “idx” session

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.