I have 2 UIs on the same domain, a Registration UI and an MFA UI. The Registration UI will create the user and authenticate the user after successful registration and then redirect to the MFA UI since there is an Okta idx cookie. The MFA UI will proceed with email MFA based on the Okta idx session.
I have configured profile enrollment as below:
- The signOn authentication policy for my OIDC app has only password as authenticator.
- I had to update the authenticator enrollment policy to include email and phone as optional or disabled.
- The Global session policy is allocated to the group in which the user is created. For this example I have it as “Everyone”.
I am able to create a user in Okta and get status as Pending with enroll-authenticator (password) as the next step, as below:
Step 1
    let registerTransaction = await oktaAuth.idx.register({
      firstName: "testuser",
      lastName: "testlastname",
      email: "testemail@gmail.com",
      authenticators: ["okta_password"]
    });
and then proceed with
Step 2
    const proceedTransaction = await oktaAuth.idx.proceed({
      password: "myPwd"
    });
For the above step 2 I get status as Pending and nextStep as select-authenticator-enroll for email and phone number, which could be because the authenticator enrollment policy has email and phone number as optional. But since I need registration only with password, I have step 3:
Step 3
    const skipTransaction = await oktaAuth.idx.proceed(
      { skip: true }
    );
For the above step 3 I get status as Success with tokens consisting of access, ID and refresh tokens in the network tab.
How do I get the idx session cookie?
When I try step 4, I get the idx session cookie. I need to have an Okta session and tokens after registration with only the password factor.
Step 4
    const authenticateResponse = await oktaAuth.idx.authenticate({
      username: 'testemail@gmail.com',
      password: 'myPwd'
    });
Can idx.register() provide the Okta idx cookie? Also, idx.register() registers the user in Okta but sends an email verification. It seems like idx.register() wants the user to enroll in the email factor. Once I get the idx cookie from the Registration UI I need to redirect to another UI that grabs the Okta idx cookie and performs email MFA.
If my registration UI creates the user with a backend service through the Okta /users?activate=true API, the user doesn't get any email verification and I am able to execute idx.authenticate() in the Registration UI to get the Okta idx cookie and OIDC tokens, after which I redirect to the MFA UI for email MFA.
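The register / password / skip sequence from steps 1 to 3, as an added example that is not code from the original post or from Okta: it drives the transaction from its status and nextStep instead of hard-coding three calls, and stops rather than blindly skipping when the enrollment policy does not allow the optional email/phone step to be skipped. It assumes only the register()/proceed() shape of @okta/okta-auth-js transactions and a `nextStep.canSkip` flag; the fake client is constructed here so the block runs offline.

```javascript
// Added example, not code from the original post. It drives the post's register ->
// password -> skip sequence as a loop over transaction.status / nextStep.name, so the
// caller stops instead of blindly skipping when the enrollment policy makes email or
// phone required. `idx` is anything with the register()/proceed() shape of
// @okta/okta-auth-js; `nextStep.canSkip` is assumed to be reported as in that SDK.
const MAX_STEPS = 5; // guard against an unexpected run of PENDING responses

async function registerWithPasswordOnly(idx, profile, password) {
  let tx = await idx.register({ ...profile, authenticators: ['okta_password'] });
  for (let i = 0; i < MAX_STEPS; i++) {
    if (tx.status === 'SUCCESS') return { ok: true, tokens: tx.tokens };
    if (tx.status !== 'PENDING' || !tx.nextStep) {
      return { ok: false, reason: `unexpected status ${tx.status}` };
    }
    const step = tx.nextStep.name;
    if (step === 'enroll-authenticator') {
      // Only okta_password was requested, so this is the password enrollment step.
      tx = await idx.proceed({ password });
    } else if (step === 'select-authenticator-enroll' && tx.nextStep.canSkip) {
      tx = await idx.proceed({ skip: true }); // email/phone are optional: skip them
    } else {
      // Policy demands another enrollment (e.g. email); surface it rather than skip.
      return { ok: false, reason: `policy requires step ${step}` };
    }
  }
  return { ok: false, reason: 'too many steps' };
}

// Constructed fake client replaying the three responses reported in the post.
// allowSkip=false models a policy where email/phone enrollment is required.
function makeFakeIdx({ allowSkip }) {
  const responses = [
    { status: 'PENDING', nextStep: { name: 'enroll-authenticator' } },
    { status: 'PENDING', nextStep: { name: 'select-authenticator-enroll', canSkip: allowSkip } },
    { status: 'SUCCESS', tokens: { accessToken: {}, idToken: {}, refreshToken: {} } },
  ];
  const calls = [];
  let n = 0;
  const reply = (kind) => async (opts) => { calls.push([kind, opts]); return responses[n++]; };
  return { calls, register: reply('register'), proceed: reply('proceed') };
}
```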