When logging in using the okta-signin-widget (I'm using it with okta-react), SSO does not work across other apps that also use the widget. I'm logged into Okta if I navigate to the Okta developer dashboard, but not into my other apps, which also use the widget.
I’ve narrowed this issue down to the logic around the method .isAuthenticated() inside okta-react/src/Auth.js. This method only checks if either the access or id token exist in client storage, not also if a session exists in Okta. Is this a bug, or is it intentional?
Would it make sense to add a storage option such as ‘okta’ alongside ‘localStorage’, ‘sessionStorage’, and ‘cookie’, which forces the client to always call to check if the user is signed in and not rely on client storage at all?
You're correct in that the React SDK is ensuring that a user has been authorized into the accessed application via JWT tokens, but SSO across applications means that each application will need to make an /authorize call to get these tokens to allow the user to access protected routes.
You can just make the /authorize request yourself with the parameter prompt=none, which will automatically redirect the user to the login redirect_uri, provided the user has an active Okta session.
'prompt' is an optional parameter that allows you to control whether or not a user is prompted for their password. The JS SDKs use this parameter for methods like the aforementioned getWithoutPrompt to control whether or not the user is shown a login prompt. Note that if the user does NOT have an active Okta session (which you can confirm via a /sessions/me check), an error will be returned.
I am facing this issue too. I tried to call /authorize with many URL params after the redirect to my React app.
But it needs a nonce value. When I click the app icon in Okta, it redirects to the custom portal page with one parameter on the URL, "iss", whose value is our org domain. It seems I should get some key values when redirected from Okta to the custom React app, but I do not.
Okta will only redirect users to the configured “Initiate Login URI” for your application if you are using the OIDC Compliant setting for your application.
This means that your application will need to detect the Okta session and kick off the authorize call once the user lands on your login page. Okta will only make the call for you if you choose the Okta Simplified option.
Yes, my problem is how to detect the Okta session. When it redirects to my application, it does not carry/pass any cookies or useful information to my application.
Currently, I have set up a dedicated URL to allow the redirect. After the redirect to my dedicated URL, I make the /authorize call with several parameters, but it requires some values like "nonce" and "state"… I do not have those values.
You can detect the user’s session by making a CORS request to Okta. You can either make this request manually or you can use our Auth JS SDK (especially if your application already uses it) to determine if the user has an active session. Note that this call will fail if the user’s browser is blocking third party cookies and you are not using a Custom URL Domain. More information here.
As I said, you will want to redirect to a login page, as the URL you set as the Initiate Login URI will be static and it's not recommended to have static values for state (our SDKs generate these values for you). Then your application can make the /authorize request. Again, if you are using our Auth JS SDK, you can use getWithoutPrompt or getWithRedirect to do so automatically if session.exists() returns true.