I am trying to understand how, if possible, to create a shared session cookie so that a user already authenticated through the web client is SSO-ed when launching a native app both using Okta authentication.
Here is my scenario:
1- User launches web client, gets authenticated through the middleware logic using authorization code flow, accesses protected resources.
2- Same user launches a desktop client, which starts a browser instance (same browser type as web client’s) with a request to the authorize endpoint, supplying a client id, nonce, state and code challenge. User enters credentials in Okta’s sign in page one more time, is authenticated.
Is it possible to create an Okta session by the first web client, then utilize it to sso the user to the protected resources of the native app bypassing authentication?
I know this is achievable through IWA. The goal is to have the same functionality when IWA is not in place.