Silent token renewal in SPA without refresh tokens and without getWithoutPrompt()

I’m building a SPA with the following constraints:

  • Access token stored in memory only (wiped on page refresh)
  • No refresh tokens (offline_access scope not used)
  • getWithoutPrompt() not viable — requires third-party cookies, blocked by modern browsers

Is there any reliable way to silently fetch a new access token using the existing Okta session without the above options?

Thanks!

Hi there,

To resolve this, you can still use getWithoutPrompt() if you have a custom domain in Okta. You need to set up a custom domain for your Okta org on a subdomain of your application’s domain:

Since both share yourdomain.com, the Okta session cookie is treated as first-party and works across modern browsers.

You can follow the Okta documentation to configure a custom domain for your org: Customize your Okta URL domain | Okta Documentation

Hi @Halen,

Welcome to the community!

I’m sharing another resource to help you with a basic custom domain setup. The documentation link Avinash provided is more comprehensive, should you require more customization.

I linked directly to the custom domain section in this post from the OktaDev blog that walks you through the general steps.

Let us know how it works for you!

Thanks for the reply, Avinash.

Yes, we are using a custom domain as shown in the example. Currently, both the application and Okta are configured under the same shared domain. However, we are still encountering the following error:

“The client specified not to prompt, but the user is not logged in.”

with the error code:

login_required

Before calling getWithoutPrompt(), I verified that the user session had not expired. Despite this, the same error continues to occur.

Could you please let us know if there are any additional configurations or checks we should perform?

Hi Halen,

The getWithoutPrompt() function works by running a hidden iframe on your page that accesses cookies on the Okta domain. If the browser blocks those cookies, the silent authentication fails with a login_required error.

For more information, please refer to this documentation: Okta Support Center (Lightning)
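The two points the replies above make, that the hidden iframe used by getWithoutPrompt() only works when the Okta session cookie is first-party from the app's point of view (same registrable domain, as with a custom domain), and that a blocked or missing cookie surfaces as a login_required OAuth error, can be checked and handled in code. The following is an added example written for this thread; it is not code from the original posts, from Okta, or from okta-auth-js. The calls it makes on the client object (token.getWithoutPrompt, tokenManager.setTokens, signInWithRedirect, and errors carrying errorCode / errorSummary) follow the okta-auth-js API as I understand it and are an assumption; the authClient argument is assumed to be an OktaAuth instance, and the fake client at the bottom stands in for it so the file runs offline. The registrable-domain reduction is deliberately simplified.

```javascript
// Added example, not part of the original thread and not Okta's code.
// Preflight: is the Okta issuer same-site with the SPA? Then silent renew
// with a login_required fallback. The okta-auth-js method names used on
// `authClient` are assumptions about that library's public API.

// Minimal registrable-domain (eTLD+1) reduction. Production code should use
// the Public Suffix List; this handles plain TLDs plus a few two-label
// suffixes, which is enough to show the first-party / third-party split.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length < 2) return hostname.toLowerCase();
  const lastTwo = labels.slice(-2).join('.');
  const take = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// True when the Okta issuer and the SPA origin share a site, i.e. the Okta
// session cookie will be sent from the hidden iframe as a first-party cookie.
function issuerIsSameSite(appOrigin, issuer) {
  const app = new URL(appOrigin);
  const okta = new URL(issuer);
  return registrableDomain(app.hostname) === registrableDomain(okta.hostname);
}

// Attempt a silent renewal; on login_required fall back to an interactive
// redirect. Returns the outcome so callers (and tests) can see which path ran.
async function renewAccessToken(authClient, appOrigin, issuer) {
  if (!issuerIsSameSite(appOrigin, issuer)) {
    return { outcome: 'skipped', reason: 'issuer is cross-site; iframe cookies would be blocked' };
  }
  try {
    const { tokens } = await authClient.token.getWithoutPrompt({
      responseType: ['token', 'id_token'],
      scopes: ['openid', 'profile'], // no offline_access: no refresh token requested
    });
    authClient.tokenManager.setTokens(tokens); // in-memory storage is assumed
    return { outcome: 'renewed', expiresAt: tokens.accessToken.expiresAt };
  } catch (err) {
    if (err && err.errorCode === 'login_required') {
      // Okta could not see its session cookie (blocked, expired, or signed out).
      await authClient.signInWithRedirect({ originalUri: appOrigin });
      return { outcome: 'redirected', reason: err.errorSummary };
    }
    throw err; // anything else (network, invalid_client, ...) is a real failure
  }
}

// Constructed stand-in for an OktaAuth instance so the example runs offline.
// `sessionVisible` models whether the iframe can read the Okta session cookie.
function makeFakeAuthClient(sessionVisible) {
  const stored = {};
  const redirects = [];
  const oauthError = (code, summary) =>
    Object.assign(new Error(summary), { name: 'OAuthError', errorCode: code, errorSummary: summary });
  return {
    stored,
    redirects,
    token: {
      async getWithoutPrompt() {
        if (!sessionVisible) {
          throw oauthError('login_required', 'The client specified not to prompt, but the user is not logged in.');
        }
        return {
          tokens: {
            accessToken: { accessToken: 'constructed.access.token', expiresAt: 1700003600 },
            idToken: { idToken: 'constructed.id.token' },
          },
        };
      },
    },
    tokenManager: { setTokens(tokens) { Object.assign(stored, tokens); } },
    async signInWithRedirect(opts) { redirects.push(opts); },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  renewAccessToken(makeFakeAuthClient(true), 'https://app.example.com', 'https://login.example.com/oauth2/default')
    .then((result) => console.log(result));
}
```

The preflight is a cheap way to fail loudly in development when the issuer is still a vendor-hosted okta.com URL rather than the custom domain; it does not, by itself, explain a login_required on a correctly shared domain, which is why the fallback path still redirects instead of looping on silent attempts.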