React authentication between Okta (OIDC) as SP and another Okta (SAML2) as IDP

I have a React application that is currently configured with our Okta (SP) with OIDC authentication. We decided to allow another Okta org to access our application. This new Okta is the IDP and they are using the SAML2 protocol. So we managed to do the setup between the 2 Oktas correctly.

When we run the application, which is based on the Okta-sign-in-widget library (self-hosted widget), the application asks for the user name to identify which Okta to authenticate with. In the case of IDP users, the application redirects the user to the IDP login page, and after authentication finishes, it redirects the user back to the React app. The issue is that I’m not able to extract the token, and the 2 Oktas don’t store any cookies about the authentication that would let me check whether the user’s authentication is done or not. I can see from the Okta System Log that the user is authenticated successfully. I’m struggling with this flow; has anyone encountered a similar use case?

The code I’m using to check whether a session has been created for authentication is:

      import { call } from 'redux-saga/effects';

      // oktaAuth: the @okta/okta-auth-js instance created elsewhere in the app.
      // Saga step: if an Okta session exists, fetch tokens silently and store them.
      function* loadTokensFromSession() {
        const session = yield call(oktaAuth.session.exists);
        if (session) {
          const response = yield call(oktaAuth.token.getWithoutPrompt);
          oktaAuth.tokenManager.setTokens(response.tokens);
        }
      }

As far as I know, the redirect back to the application would not occur if the user is not authenticated, and it follows the OAuth2 spec, so assuming your application can handle the URI parameters accordingly you shouldn’t need to extract anything.
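Worked illustration of the point in this reply (handle the redirect's URI parameters first) combined with the session check from the question. This is an added example, not code from the thread or from Okta. The `oktaAuth` argument is assumed to be an `@okta/okta-auth-js` instance; `token.parseFromUrl` is that library's callback parser and is not mentioned in the thread. The callback URLs used in the test are constructed.

```javascript
// Added example: classify an OIDC authorization-code redirect per RFC 6749
// section 4.1.2 / 4.1.2.1, then either finish the login from the callback or
// fall back to the silent session check from the question.
// `oktaAuth` is assumed to be an @okta/okta-auth-js instance (hypothetical
// wiring; only session.exists, token.getWithoutPrompt, token.parseFromUrl and
// tokenManager.setTokens are relied on).

function classifyCallback(url, expectedState) {
  const u = new URL(url);
  // Okta delivers the response in the query (response_mode=query) or in the
  // fragment (response_mode=fragment); look in both.
  const query = new URLSearchParams(u.search);
  const frag = new URLSearchParams(u.hash.startsWith('#') ? u.hash.slice(1) : u.hash);
  const get = (k) => (query.has(k) ? query.get(k) : frag.get(k));

  // An error response takes precedence: surface it instead of looping on
  // "no token" as the question describes.
  const error = get('error');
  if (error !== null) {
    return { kind: 'error', error, description: get('error_description') || '' };
  }
  const code = get('code');
  if (code === null) {
    return { kind: 'not_callback' }; // plain page load, not a redirect
  }
  // The state value must match the one this browser stored before redirecting;
  // otherwise the response may have been injected and must be discarded.
  const state = get('state');
  if (!expectedState || state !== expectedState) {
    return { kind: 'state_mismatch', state };
  }
  return { kind: 'code', code, state };
}

async function resolveTokens(url, expectedState, oktaAuth) {
  const r = classifyCallback(url, expectedState);
  switch (r.kind) {
    case 'code': {
      // parseFromUrl re-checks state and exchanges the code (PKCE) for tokens
      const { tokens } = await oktaAuth.token.parseFromUrl();
      oktaAuth.tokenManager.setTokens(tokens);
      return { source: 'redirect', tokens };
    }
    case 'error':
      throw new Error(`IdP returned ${r.error}: ${r.description}`);
    case 'state_mismatch':
      throw new Error('state parameter missing or mismatched; response discarded');
    default: {
      // Not a callback: the session-based path from the question.
      if (await oktaAuth.session.exists()) {
        const { tokens } = await oktaAuth.token.getWithoutPrompt();
        oktaAuth.tokenManager.setTokens(tokens);
        return { source: 'session', tokens };
      }
      return { source: 'none', tokens: null };
    }
  }
}
```

In the app, `resolveTokens(window.location.href, storedState, oktaAuth)` runs once on load; `storedState` is the value written to session storage before the redirect to `/authorize`. Distinguishing the four outcomes is what lets the app tell "the IdP sent an error" apart from "we never got a callback and have no session", which the question's session-only check cannot do.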

Hi @sofather,
In a Chrome browser > dev tools > Network tab, can you see the calls to /authorize and /token for your org? I usually use this to check tokens (and you can also see which session cookies you’ve got).

Your app should just be expecting tokens back from your org. If you’re using IdP routing rules to send them to the second Okta, your app won’t know that.

Are you self hosting the widget or using okta hosted login?

The problem was in the IDP configuration: the ACL endpoint was wrong. That’s why the cookies were not created.

It’s self-hosted. The problem was in the IDP configuration: the ACL endpoint was wrong. That’s why the cookies were not created.

