I have a custom web application integrated into my company’s Okta environment users normally access by first logging into Okta. My application then uses the browser’s session cookie to determine the user making the request to a backend API.
I’d like to open up my application’s API to allow users to programmatically make requests during CLI usage. I’ve read some docs on the /authn workflow, but I’m not crazy about requiring users to supply their password to kick that off. And while grabbing the browser’s auth_token/auth_user works, it’s not realistic for long term dev work.
Is there an alternative to the /authn workflow where I can just supply an Okta token or similar to authenticate in a programmatic way? Or will I always need to supply a password to authenticate with Okta and eventually reach my app’s API?
Hi @dgs3, correct: users must pass the password credential requirement to get a session token on successful login, and only then can that token be exchanged for an active session.
Every authentication transaction starts with primary authentication which validates a user’s primary password credential.
- One-time token issued as sessionToken response parameter when an authentication transaction completes with the
- The token can be exchanged for a session with the Session API or converted to a session cookie.
- The lifetime of the sessionToken is 5 minutes.
While users only need to authenticate once with Okta to establish a session, you may consider using OAuth 2.0 to generate access tokens/refresh tokens to provide access to your backend resource - OAuth 2.0 and OpenID Connect Overview | Okta Developer. Access tokens are not dependent upon user session i.e. as long as you have a valid access token you will have access to that resource until it is revoked.
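The OAuth 2.0 route described in the reply above means the backend stops depending on the browser session and instead validates an access token on each request. The following is an added illustration, not code from the thread or from Okta: a small Go authorizer that accepts either an Authorization: Bearer access token (the CLI case) or a session cookie (the browser case). Everything in it is assumed for the demonstration: the issuer and audience strings are placeholders, a locally generated RSA key stands in for the Okta signing key (a real deployment fetches the key matching the token's `kid` from the authorization server's JWKS endpoint), the `aud` claim is treated as a single string, and the in-memory `sessions` map stands in for whatever store maps cookie values to users.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of access-token claims this API checks. Okta may emit
// "aud" as a string or an array; a single string is assumed here.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signRS256 mints a compact RS256 JWT. In production the authorization server
// (Okta) does this; a locally generated key stands in for its signing key.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // Claims is plain data; marshaling cannot fail
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 checks algorithm, signature, issuer, audience and expiry, in that
// order; claims are only trusted after the signature passes. Returns the subject.
func verifyRS256(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return "", errors.New("bad base64url segment")
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg") // rejects "none" and HMAC key confusion
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return "", errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return "", err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return "", errors.New("wrong issuer or audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// Authorize resolves the caller of one API request: a CLI sends an Authorization: Bearer
// header, a browser sends its session cookie (sessions is an in-memory stand-in store).
func Authorize(pub *rsa.PublicKey, authz, cookie string, sessions map[string]string, wantIss, wantAud string, now time.Time) (string, error) {
	if strings.HasPrefix(authz, "Bearer ") {
		return verifyRS256(pub, strings.TrimPrefix(authz, "Bearer "), wantIss, wantAud, now)
	}
	if user, ok := sessions[cookie]; ok {
		return user, nil
	}
	return "", errors.New("unauthenticated")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://example.okta.com/oauth2/default", "api://myapp" // placeholder values
	now := time.Now()
	tok, _ := signRS256(key, Claims{Iss: iss, Sub: "alice", Aud: aud, Exp: now.Add(time.Hour).Unix()})
	fmt.Println(Authorize(&key.PublicKey, "Bearer "+tok, "", nil, iss, aud, now))
	fmt.Println(Authorize(&key.PublicKey, "", "sid-123", map[string]string{"sid-123": "bob"}, iss, aud, now))
}
```

The order of checks is the point: the algorithm is pinned before the signature is verified, the signature is verified before any claim is read, and only then are issuer, audience and expiry compared. A token that is expired, aimed at a different audience, or signed by a different key is rejected even though its payload parses fine, which is what makes the bearer path independent of any Okta browser session.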