Sign in Widget & sessions API returning different status

I’m having the same issue as this https://support.okta.com/help/answers?id=9062A000000XZogQAG

The Sign-In Widget has a status of ‘ACTIVE’, while a backend API call to /api/v1/sessions/ says the status is ‘MFA_REQUIRED’.

Here is the code:

The status is ‘ACTIVE’ here in the frontend : netlify-gated-sites/okta/login-site-okta/src/App.js at master · netlify-labs/netlify-gated-sites · GitHub

But when trying to verify server side it says the status is ‘MFA_REQUIRED’ here: netlify-gated-sites/okta/login-site-okta/functions/verify-okta-session.js at master · netlify-labs/netlify-gated-sites · GitHub

What's going on here? How can I verify the session correctly?


This definitely seems like interesting behavior. Mind shooting us an email to developers@okta.com?

I think this is going to require some troubleshooting.

Thanks,
Tom

Hey @tom thanks for the reply. I just sent an email

Hey @tom I never got a response back from developers@okta.com

How can we figure out this issue? It’s holding back a release of a demo I’m building

Thanks

Hi @davidwells - sorry for the delay, I was on PTO.

I need some more information about your set up. How is MFA set up in your org?

The only thing that can come to mind here is that maybe the widget is using the fingerprinting functionality and your backchannel server call is not, and that would return MFA_REQUIRED.

My app is set up here: https://dev-652264-admin.oktapreview.com/admin/app/oidc_client/instance/0oafn99h3qdL5jY6P0h7/#tab-assignments

It is set up with SMS auth: https://www.screencast.com/t/e03b0RRt https://www.screencast.com/t/hTphcokhQ9

https://dev-652264-admin.oktapreview.com/admin/access/multifactor

The site is here: https://okta-login-portal.netlify.com/. When trying to verify the token server side it says the status is ‘MFA_REQUIRED’ here: https://github.com/DavidWells/netlify-gated-sites/blob/master/okta/login-site-okta/functions/verify-okta-session.js#L32

Thanks for your help

Looking more into this, the /me call is not returning the ID of the session, but an externalID that is only used for token refreshes through CORS.

Is there any reason not to use the okta-react library? Since this is an SPA, the okta-react library will not be able to get a refresh token, and behind the scenes it silently refreshes the access token if the user has a valid session. This means you can implicitly trust that the access token (if it hasn't expired) means that the user still has a valid session, and use the library to detect whether the user has authenticated or not.

This would require your Node backend to verify and validate the access token JWT before generating and returning your Netlify access cookie.

Let me know if this makes sense, happy to assist further!
Tom
