Hi @davidwells - sorry for the delay, I was on PTO.
I need some more information about your setup. How is MFA set up in your org?
The only thing that can come to mind here is that maybe the widget is using the fingerprinting functionality and your backchannel server call is not, and that would return MFA_REQUIRED.
Looking more into this, the /me call is not returning the ID of the session, but an externalID that is only used for token refreshes through CORS.
Is there any reason to not use the okta react library? Since this is an SPA application, the okta-react library will not be able to get a refresh token, and behind the scenes silently refreshes the access token if the user has a valid session. This means you can implicitly trust that the access token (if it hasn't expired) means that the user still has a valid session. And, use the library to detect if the user has authenticated or not.
This would require that your node backend verify and validate the access token JWT before generating and returning your netlify access cookie.
Let me know if this makes sense, happy to assist further!
Tom