I am using Okta in my VueJS + Java Spring Boot app and have stumbled upon a possible bug.
I am able to create an user with password, using the option .setActive(false), so that the user goes to the “Staged” state, for later activation.
After that, I send my own activation email with a link to a route on my backend that activates the user:
1- I get the user with com.okta.sdk.client.Client.getUser(oktaUserId) -> with a properly built client
2- I activate the user with com.okta.sdk.resource.user.User.activate(false) -> no need for email
The problem is:
when the user clicks on the email link on a browser which has already logged in to the application (but is not currently logged in), the user goes to “Pending user action” state.
If the user copies the link and opens in a private window (anonymous), the user goes to “Active” state, as expected.
Any ideas on what is going on?