React/.NET Core Web Api - Social Login

So, I have a React front-end, with a .NET Core Web API. Currently, I have Google set up within my Okta tenant as an Identity Provider, and auth is working as expected. After successful auth, a UserProfile is created within Okta UD, there is a successful redirection back to my React client, and life is good.

My question is, in lieu of creating Google (or any other IdP) as an Identity Provider within my tenant, can I use, for example, the React/Google SDK, auth with Google directly, retrieve an id_token, validate that token with Google on my backend, and then mint an access_token by leveraging Okta (id_token from Google, access_token issued by Okta), rather than, after validating the id_token, minting my own access_token and bypassing Okta?

I suppose the catalyst for my question began around cost. I assume that with the first option, once the UserProfile is created within my Okta tenant and said user logs in, that counts against my MAUs.

Any guidance here would be greatly appreciated.

The design for the Social Auth/External Identity Provider functionality in Okta is so that Okta itself requests tokens for the user from the identity provider in order to JIT the user (with the profile attributes returned from their IdP) and create an Okta session (once the IdP session starts and the user is created/linked correctly). This is meant to be a two-step process where two separate sets of tokens are requested: one for Okta to use to confirm the user’s identity and one for your application to get user information from Okta, with Okta functioning as an intermediary, and where Okta MUST receive the token from the identity provider to validate the user.

And yes, in order to use Okta to issue tokens, the user MUST exist in Okta and be assigned to the application; there is no way to bypass this requirement. Thus, these users will have an authentication/token issuing event in Okta.

If you haven’t already, I also recommend reaching out to our Accounts/Sales team for more information about pricing.
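The two-step flow the answer describes, seen from the application's side, as an added example that is not code from the original thread, from Okta, or from the asker's project. Step 1 sends the browser to Okta's /authorize endpoint with the `idp` query parameter, so Okta (not the React app) redirects to Google, receives Google's token, JIT-creates the user and starts the Okta session. Step 2 receives the authorization code on the app's redirect_uri and exchanges it at Okta's /token endpoint; the id_token and access_token the app ends up holding are Okta's, so the claim checks are against the Okta issuer and the app's own client_id, never against accounts.google.com. The Okta domain, client_id, IdP id and redirect_uri are placeholder assumptions, the sample claims are constructed, and signature verification against Okta's JWKS is assumed to happen before the claim check (for example with PyJWT).

```python
"""Social login through Okta as an intermediary: app-side helpers.

Added example (not from the original thread or from Okta). Placeholders below
are assumptions; replace them with your tenant's values.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_ISSUER = "https://dev-123456.okta.com/oauth2/default"  # assumed Okta authorization server
CLIENT_ID = "0oaexampleclientid"                             # assumed SPA client_id in Okta
GOOGLE_IDP_ID = "0oaexampleidpid"                            # assumed id of the Google IdP configured in Okta
REDIRECT_URI = "http://localhost:3000/login/callback"        # assumed React callback route


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair():
    """Return (code_verifier, code_challenge) for a public (SPA) client."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str, idp_id: str = GOOGLE_IDP_ID) -> str:
    """Step 1: the browser goes to Okta; the `idp` parameter tells Okta which
    external IdP to send the user to. Okta, not the app, receives Google's token."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "idp": idp_id,
    }
    return f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2a: extract the authorization code from the redirect back to the app,
    rejecting error responses and any state that does not match our session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF or stale login attempt)")
    return query["code"][0]


def token_request_body(code: str, code_verifier: str) -> dict:
    """Step 2b: form body to POST to OKTA_ISSUER + '/v1/token'. The response
    carries Okta-issued id_token and access_token, not Google's."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


def validate_id_token_claims(claims: dict, expected_nonce: str, now: float = None, leeway: int = 60) -> list:
    """Claim checks on the id_token Okta issued after social login.

    Assumes the JWT signature was already verified against Okta's JWKS
    (OKTA_ISSUER + '/v1/keys'); this only inspects the decoded payload.
    Returns a list of problems; an empty list means the token is acceptable.
    """
    now = time.time() if now is None else now
    problems = []
    # The issuer must be the Okta authorization server. A token whose iss is the
    # social IdP was never seen by Okta and must not create an app session.
    if claims.get("iss") != OKTA_ISSUER:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud does not contain our client_id")
    if claims.get("exp", 0) + leeway < now:
        problems.append("token expired")
    if claims.get("iat", now) - leeway > now:
        problems.append("iat is in the future")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replay or mixed-up session)")
    return problems


# Constructed sample payloads for demonstration; not real tokens.
SAMPLE_NOW = 1_700_000_000
SAMPLE_OKTA_CLAIMS = {
    "iss": OKTA_ISSUER, "aud": CLIENT_ID, "sub": "00uexampleuser",
    "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600, "nonce": "n-7c1f",
}
SAMPLE_GOOGLE_CLAIMS = {  # what the asker's "validate with Google directly" path would hold
    "iss": "https://accounts.google.com", "aud": "google-client-id.apps.googleusercontent.com",
    "sub": "1234567890", "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600, "nonce": "n-7c1f",
}

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_authorize_url(state="s-9a3b", nonce="n-7c1f", code_challenge=challenge))
    code = parse_callback(REDIRECT_URI + "?code=abc123&state=s-9a3b", "s-9a3b")
    print(token_request_body(code, verifier))
    print("okta token problems:", validate_id_token_claims(SAMPLE_OKTA_CLAIMS, "n-7c1f", SAMPLE_NOW))
    print("google token problems:", validate_id_token_claims(SAMPLE_GOOGLE_CLAIMS, "n-7c1f", SAMPLE_NOW))
```

The `idp` query parameter on Okta's /authorize endpoint is Okta's documented way to route a login to a configured external Identity Provider; everything else is standard authorization-code flow with PKCE. The last two lines of the demo make the answer's point concrete: a token whose issuer is Google fails the check, because the application only ever trusts tokens Okta minted after Okta itself consumed Google's.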
