I am currently working on an application with a custom login page based on this Okta example:
The app is an OIDC app that uses the auth code grant type. Logging in is no problem, as the app handles that already. The issue/blocker I have is that I don’t know how to go about checking for the Okta session and sending an auth code to the backend server when a session already exists for the user.
I know the widget contains methods to check for an existing session, using .authClient.session.exists() and authClient.session.get() to retrieve the session details; however, I don’t know how to go about the auth code flow, as this all runs on the front end and the backend server is unaware of the session.
Any insights/pointers will be greatly appreciated.
I think you mixed two things here, and you need to decide what your policy is about your application session lifetime. Do you want your session to be dependent on Okta’s session, or do you want your session to be managed by your backend instead?
OIDC here will only complicate the picture, as it has its own token with its own lifetime, but technically those two do not have to be intertwined. You can use the OIDC/access token just to get the information about the user and present it to your backend to establish the session with it.
Bottom line is: sometimes it’s easier to have your session not directly linked to Okta’s session, especially if all you are doing is just talking to your backend. If not, you can periodically refresh the id/access token while your Okta session is alive, and present the token to the backend for validation/getting access to resources.
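A worked example of the split the answer describes (front end turns an existing Okta session into a token; backend validates the token and owns its own session), added here and not part of either post. The `authClient` shape, `token.getWithoutPrompt`, the injected `verifySignature`, and the issuer/client id values are assumptions on my part; the thread itself names only `session.exists()`.

```javascript
// Added example, not code from the thread. Front end: turn an existing Okta
// session into a token the backend can check. `authClient` is assumed to be
// the widget's okta-auth-js client; token.getWithoutPrompt is my choice of
// call (the thread only names session.exists()).
async function idTokenFromExistingSession(authClient) {
  if (!(await authClient.session.exists())) return null; // no session: show the widget
  const { tokens } = await authClient.token.getWithoutPrompt({
    responseType: ['id_token', 'token'],
    scopes: ['openid', 'profile', 'email'],
  });
  return tokens.idToken.idToken; // raw JWT string; POST this to the backend
}

// Backend: check the token's claims and mint a backend-owned session whose
// lifetime is a backend policy, not Okta's session lifetime (the answer's
// "not directly linked" option). Signature checking is delegated to the
// injected verifySignature (assumed to wrap a JWKS-based verifier; sync here
// only to keep the example short).
const BACKEND_SESSION_SECONDS = 8 * 60 * 60;

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // base64url -> base64, then restore padding before decoding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// `now` is seconds since epoch, injected so the checks are deterministic.
function createBackendSession(idToken, { issuer, clientId, verifySignature, now }) {
  if (!verifySignature(idToken)) return { error: 'bad signature' };
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== issuer) return { error: 'wrong issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) return { error: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { error: 'token expired' };
  // Session expiry is set by the backend, independent of claims.exp.
  return { userId: claims.sub, email: claims.email, expiresAt: now + BACKEND_SESSION_SECONDS };
}
```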