Tokens and Creating Users with Password/Question?

I have a few questions about the Tip on the Create User with Password & Recovery Question documentation:

Important: Don’t generate or send a one-time activation token when activating users with an assigned password. Users should login with their assigned password.

The response includes an Activate link:

{“activate”: {“href”: “https://dev-817806.oktapreview.com/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate”}}

Questions

  1. Is the string between users and lifecycle (e.g. 00ub0oNGTSWTBKOLGLNR) a unique access token for this user? The reason I ask is that I’m passing this as an event via Segment to my event based email service to trigger sending the Activation Email to the user and it is better if I build the URL in the 3rd party app. As such, I would parse the Access Token from the Activate URL returned and rebuild the same URL in the destination. Is there a way to request the Access Token without the entire URL?
  2. Will the Activate Link returned load our customized Okta Sign-In Widget?
  3. If the user attempts to login with their self generated userid and password on our site/app without first clicking on the returned Activate Link, will the login fail and what is the returned error code? (e.g. E0000004: Authentication failed, E0000011: Invalid token provided, E0000028, The request is missing a required parameter, E0000015: You do not have permission to access the feature you are requesting or other)
  1. Is the string between users and lifecycle (e.g. 00ub0oNGTSWTBKOLGLNR) a unique access token for this user? Is there a way to request the Access Token without the entire URL?
    That link just contains the user id. If you POST to that endpoint with your api_token and sendEmail as false, you’ll get an activationUrl and activationToken in response: https://developer.okta.com/docs/api/resources/users#activate-user

  2. Will the Activate Link returned load our customized Okta Sign-In Widget?
    The user shouldn’t need to login, because the activationToken serves as authentication. However, assuming the user has to reset their password on first login, they will be prompted for their security question. Your customized sign-in widget won’t be displayed for this.

  3. If the user attempts to login with their self generated userid and password on our site/app without first clicking on the returned Activate Link, will the login fail and what is the returned error code?
    When you make the POST to get an activationUrl and activationToken, the user will automatically become activated and will be able to log in to the application without clicking the activationUrl.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.