SSO doesn't work when using the Okta SignIn Widget

When logging in using the okta-signin-widget (I’m using it with okta-react), SSO does not work across other apps also using the widget. I’m logged into Okta, if I navigate to the Okta developer dashboard, but not my other apps which use the widget as well.

I’ve narrowed this issue down to the logic around the method .isAuthenticated() inside okta-react/src/Auth.js. This method only checks if either the access or id token exist in client storage, not also if a session exists in Okta. Is this a bug, or is it intentional?

Would it make sense to add a storage option such as ‘okta’ alongside ‘localStorage’, ‘sessionStorage’, and ‘cookie’, which forces the client to always call to check if the user is signed in and not rely on client storage at all?

You’re correct, in that the React SDK is ensuring that a user has been authorized into the accessed application via JWT tokens, but SSO across applications means that each application will need to make an /authorize call to get these tokens to allow the user to access protected routes.

Your applications can do this when the user accesses it without prompting the user, if they have an active Okta session, by using getWithoutPrompt](

How could I leverage this without hacking the libraries?

You can just make the /authorize request yourself with the parameter prompt=none, which will automatically redirect the user to the login redirect_uri, provided the user has an active Okta session.

Could you give more detail on this? I’m trying to achieve the same thing

I was referring to one of the parameters when making a call to the /authorize endpoint, as covered here:

‘prompt’ is an optional parameter that allows you to control whether or not a user is prompted for their password. The JS SDK’s use this parameter for methods like the aforementioned getWithoutPrompt to control whether or not the user is shown a login prompt. Note that if the user does NOT have an active Okta session (which you can confirm via a /sessions/me check), an error will be returned.