Self-Service Registration and Email Activation flow

Hello, I am using the Okta-hosted widget for sign-in/sign-up. As I’ve been working with it I noticed there is some strange behavior with the self-service registration and email activation. My current understanding of the email activation with self-service registration flow is this:

  • User navigates to my web page
  • User clicks login button and is redirected to okta sign in widget
  • User signs up for a new account
  • User is sent an email with activation link
  • User clicks on Activation link and is taken back to my web page, but the URL has extra query parameters in it
  • User clicks login and is automatically logged in; however, they have not officially activated their account
  • User clicks logout, then clicks login again and is taken to the Okta-hosted sign-in widget
  • After authenticating with sign in widget the user is then taken through the rest of the activation process.

I don’t like this flow; it seems very off. Is there a way for the activation link in the email to bring the user directly to the activate portion of the Okta-hosted widget, where they can choose their security question and image, and then after activating be redirected to my web page?

Hi @npaulson

When implementing this use-case, the recommendation is to create a custom callback endpoint which will either reauthenticate the user if it receives the registration query parameters or exchange the authorization code for tokens if you are using authorization code flow with PKCE.

This use-case is not currently implemented in the SDK, however there are discussions to have it released in a future version.

Thanks for the reply @dragos. I am in fact using Authorization Code Flow with PKCE. Do you know of documentation that covers creating a custom callback endpoint? I saw you wrote “reauthenticate”; my main concern is activation. Is there a difference between these two? Does the custom callback handle the case where the user hasn’t completed activating their account by adding a challenge question and security image? Would I exchange the authorization code for tokens and then send the user to finish their account activation?