I am using Okta in my VueJS + Java Spring Boot app and have stumbled upon a possible bug.
I am able to create a user with a password, using the option .setActive(false), so that the user goes to the "Staged" state, for later activation.
After that, I send my own activation email with a link to a route on my backend that activates the user:
1. I get the user with com.okta.sdk.client.Client.getUser(oktaUserId) -> with a properly built client
2. I activate the user with com.okta.sdk.resource.user.User.activate(false) -> no need for email
The problem is:
when the user clicks on the email link on a browser which has already logged in to the application (but is not currently logged in), the user goes to “Pending user action” state.
If the user copies the link and opens in a private window (anonymous), the user goes to “Active” state, as expected.
I want to change the user status from STAGED to ACTIVE.
It works when the user accesses the custom link from a private window in Chrome/Firefox (maybe something to do with cookies?).
If the user accesses my custom link from a browser in which he has already logged in to the Okta application, the state becomes PENDING USER ACTION (instead of ACTIVE), even though the Okta log shows the user is active.
The user is created with a password and user.setActive(false), so it becomes STAGED.
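For readers following the thread, here is the stage-then-activate flow described above as an added example; it is not the poster's code or Okta's own sample. It keeps the two calls the poster names (Client.getUser(oktaUserId) and User.activate(false)) and assumes okta-sdk-java 1.x/2.x for the rest: UserBuilder, Clients, TokenClientCredentials and the UserStatus enum are assumed SDK types, and the OKTA_ORG_URL / OKTA_API_TOKEN environment variable names are assumptions of this example.

```java
import com.okta.sdk.authc.credentials.TokenClientCredentials;
import com.okta.sdk.client.Client;
import com.okta.sdk.client.Clients;
import com.okta.sdk.resource.user.User;
import com.okta.sdk.resource.user.UserBuilder;
import com.okta.sdk.resource.user.UserStatus;

public class StagedActivationFlow {

    // Assumed: org URL and API token are read from the environment, never hard-coded.
    private final Client client = Clients.builder()
            .setOrgUrl(System.getenv("OKTA_ORG_URL"))
            .setClientCredentials(new TokenClientCredentials(System.getenv("OKTA_API_TOKEN")))
            .build();

    /** Step 1: create the user with a password but leave it STAGED (Okta sends no email). */
    public String createStagedUser(String email, String firstName, String lastName, char[] password) {
        User user = UserBuilder.instance()
                .setEmail(email)
                .setLogin(email)
                .setFirstName(firstName)
                .setLastName(lastName)
                .setPassword(password)
                .setActive(false)           // activate=false -> user lands in STAGED
                .buildAndCreate(client);
        return user.getId();
    }

    /**
     * Step 2: invoked by the backend route behind the custom activation link.
     * This is a server-to-server API call authenticated with the API token,
     * so the clicking browser's Okta cookies play no part in it.
     */
    public UserStatus activateStagedUser(String oktaUserId) {
        User user = client.getUser(oktaUserId);
        if (user.getStatus() != UserStatus.STAGED) {
            // Idempotent: a second click on the link must not re-run the lifecycle call.
            return user.getStatus();
        }
        user.activate(false);               // sendEmail=false: no Okta activation email
        // Re-read the user so the returned status is what Okta actually stored
        // (STAGED, PROVISIONED, ACTIVE, ...) instead of assuming ACTIVE.
        return client.getUser(oktaUserId).getStatus();
    }
}
```

The controller that serves the email link should resolve an opaque, single-use token to the oktaUserId on the server side rather than carrying the Okta user ID in the URL, and the status returned by activateStagedUser is worth logging on every click: that is the value to compare against the states reported in this thread.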
When you say "custom link", what exactly do you mean? Is it a custom domain name for the Okta tenant? Or is it the URL for your server which performs the activation? In the latter case, can you capture the API call to Okta with tcpdump or similar tooling?
Yes, I am not sending the activation email.
The password is set before the user is activated, so it should be possible to log in with the password when activated, as described in the link you provided (see image attached).
The whole process works fine when the user uses a private window or has never logged in to the application in the same browser.
It fails when the user uses a browser which has previously logged in to the application (but it is the same process in the back end/front end).
Oh OK, I was just referring you to the doc for the status of a user after you activate them. Let me ask you another thing then. Is the user able to log into Okta after you activate them directly, rather than into your app?
If the user is in a private window, resulting in an ACTIVE state, he is able to log in with his password.
If the user is in a browser which has previously logged in, resulting in a PENDING USER ACTION state, I am able to reset his password and activate manually, and then he has to change the password. After that he is able to log in.