Using the Okta sign-in widget, I need to get user session status via Okta API in my own API

Hi,

What I’m trying to accomplish is this flow:

  1. Utilize the okta sign-in widget
  2. On successful response from the sign in widget grab the accessToken and email (or whatever is needed to accomplish what I’m thinking of trying)
  3. Make a call to my own API passing the accessToken and email (or whatever is needed to accomplish what I’m thinking of trying)
  4. In my API use that accessToken and email to make sure that user exists and the session is still active
  5. Depending on the response I receive from Okta in my API, either continue with the logic I have or throw an error
  6. Return response to the browser and handle it accordingly

I’ve been successfully signing in with the widget, which isn’t the problem. It’s mainly just getting the session in my C#. I’ve been trying to prove this will work by using the postman collections. If I can get it to function in postman then I should be able to get it to work in my C#. I can only get it to work if the sid header cookie is passed. I thought that would be what I could pass to my API, but being that sid is a header cookie, I am unable to access it.

My front end is using vanilla JS and I am using the okta-sign-in.min.js and okta-auth-js.min.js CDN tags. API is C#, however I already have my sessions being handled with a custom process by my API, so I basically want to grant my own session permissions with my API if the user’s Okta credentials are real and their session is active.

Any direction on how to handle this is appreciated.

Thank you!

reference to my help center forum post (was instructed to post here): Okta Help Center (Lightning)

Basically all I want to do is use the sign in widget, take whatever data I can from that successful sign in response, then send that data to my C# and check in my API if everything that was sent is correct. I just don’t know which Okta endpoints will work to find this out.

What information are you trying to get from the Okta session that wouldn’t be present in their ID or access tokens?

Thank you for the response!

I just want to know if the session is active in my API with the data that comes back from the widget on the browser.

I have all the data necessary on the browser I believe. I’m doing a normal login with the widget and then I do a authClient.token.getWithoutPrompt to get additional data about the session. All that works fine, but the next step I need is to check in my API as well to see that the sessions is active/valid. I’m testing with postman but I get 401 errors and/or “Invalid token provided”. Been reading the docs like crazy but just can’t get it to work.

if you’re trying to do anything with the Okta sessionToken, you should know that its an ephemeral token thats just being used by the widget to complete the /authorize call after user has completed primary authentication (the sessionToken is proof of the user completing primary auth).

There are a couple of ways to get information like this, but the simplest one is a CORS request to /api/v1/sessions/me from the browser where the user logged in (the Okta session cookie will be the auth for this request). See our API docs for more details Sessions | Okta Developer

If that doesn’t work and/or you need to make this request from your completely separate backend, you could look to store the user’s session ID within one of their tokens. Your backend could then make a request to /api/v1/sessions/{{sessionId}} (with an API token for auth) to get these details. Check out my response in this thread for details: Validate access token is linked to Okta session - #2 by andrea

However, I should note that as soon as the user is logged into your app, and, particularly if your app uses refresh tokens to keep them logged in, the Okta session is more or less divorced from the tokens the user was issued. The Okta session only needs to exist to log the user into Okta. After that, it would only be important if refresh tokens were not being used by your application and the user’s tokens have expired. Its worth knowing that, if refresh tokens are used to extend the user’s application session, that the session ID will not be sent in a request for an Inline Token Hook, because the user’s session wasn’t used to request the token, the refresh token was.

Thanks again, Andrea. I finally got my flow to work! Your mention of needing the API token for auth led me to figuring out the problem I was having. My API key was incorrect during my testing :man_facepalming: Made a new one and then the /api/v1/sessions/{{sessionId}} call worked like a charm.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.