Self-Service Registration and Email Activation flow

npaulson · April 8, 2020, 5:22pm

Hello, I am using Okta hosted widget for sign in/sign up. As I’ve been working with it I noticed there is some strange behavior with the self-service registration and email activation. My current understanding of the email activation with self-service registration flow is this:

User navigates to my web page
User clicks login button and is redirected to okta sign in widget
User signs up for a new account
User is sent an email with activation link
User clicks on Activation link and is taken back to my web page, but the URL has extra query parameters in it
User clicks login and is automatically logged in, however, they have not officially activated their account
User clicks logout then clicks login again and is taken to okta hosted sign in widget
After authenticating with sign in widget the user is then taken through the rest of the activation process.

I don’t like this flow, it seems very off. Is there a way for the activation link in the email to bring the user directly to the activate portion of the okta hosted widget where they can choose their security question and image and then after activating be redirected to my web page?

dragos · April 13, 2020, 1:51am

Hi @npaulson

When implementing this use-case, the recommendation is to create a custom callback endpoint which will either reauthenticate the user if it receives the registration query parameters or exchange the authorization code for tokens if you are using authorization code flow with PKCE.

This use-case is not currently implemented in the SDK, however there are discussions to have it released in a future version.

npaulson · April 13, 2020, 3:55pm

Thanks for the reply @dragos I am in fact using Authorization Code Flow with PKCE. Do you know of documentation that covers creating a custom callback endpoint? I saw you wrote “reauthenticate”, my main concern is Activation. Is there a difference between these two? Does the custom callback handle when the user hasn’t completed activating their account by adding a challenge question and security image? Would I exchange the authorization code for tokens and then send the user to finish their account activation?