I have successfully implemented a login page using the Okta Sign-In Widget (JS + HTML version) + server-side authentication.
As my company has multiple apps on different domains, here is my use case, and the question is whether this is the correct and safe way to do it, whether there is another way, or whether there is a how-to somewhere:
- The user logs in to app A using the Okta Sign-In Widget; Okta saves Okta session data in the local browser.
- The user opens app B in the same browser in another tab. App B also uses the Okta Sign-In Widget.
- The App B login page checks whether the user has an active Okta session by using: signInWidget.session.get
- It checks the response status; if ACTIVE, it redirects the page to Okta ‘/authorize’ with all the mandatory params (client_id, redirect_uri, response_type, scope, response_mode, state, nonce).
- The App B login page loads again (redirected back from Okta /authorize).
- It checks whether there is an access_token in the URL params; if so, it starts the server-side authorization flow with this captured access_token.
- If the authorization flow passes, grant access to app B and redirect the user to the main page.