Validate access token is linked to Okta session

If you have the ability to use Custom Authorization Servers (requires an additional license/specific SKU), there is a way to store the user’s session ID in the user’s token(s). With Custom Authorization Servers comes the ability to use Token Inline Hooks to synchronously add/change data in a user’s tokens before they are sent back to the SPA.

Here’s how this would generally look:

  1. Create endpoint for your Token Inline Hook and configure the endpoint to accept requests from Okta and respond with a JSON object containing a list of commands (in this case, adding a claim to a token). For your use case, you would want to grab the session ID that Okta sends in the hook request (stored in data.context.session.id) and set it to the value of the claim you are adding.
  2. Register your Hook in Okta and enable the hook on an Access Rule for the Custom Authorization Server you will be using for this application. Ensure the Policy/Rule WILL get triggered when users log into your SPA.
  3. Double check that your application is using the Custom Authorization Server you added the hook to!
  4. After the user logs in and the access token is sent to your backend, you can take the session ID from the claim and send it to the Sessions endpoint to check its status. This will indicate whether or not that session is still considered Active.

After setting up the hook as described above, my token payload looks like the following:

I can then take that sessionId and send it to /api/v1/sessions:

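As an added illustration of the four steps above (this is example code, not the poster's or Okta's own), here are the two pieces of logic a backend needs: the hook handler that copies `data.context.session.id` into a claim, and the check that reads that claim from the access token and asks `/api/v1/sessions/{id}` whether the session is still `ACTIVE`. The command type `com.okta.access.patch` and the `status` field are the documented Okta formats; the claim name `sessionId`, the `fetch_session` callable and the sample request body are assumptions made for the example.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional

# Assumed claim name; the post does not fix one.
CLAIM_NAME = "sessionId"


def build_hook_response(hook_request: Dict[str, Any],
                        claim_name: str = CLAIM_NAME) -> Dict[str, Any]:
    """Step 1: turn Okta's Token Inline Hook request into the command list that
    adds the session ID as a claim on the access token."""
    context = hook_request.get("data", {}).get("context", {})
    session_id = (context.get("session") or {}).get("id")
    if not session_id:
        # No browser session in context (e.g. a client-credentials grant):
        # return an empty command list so Okta issues the token unchanged.
        return {"commands": []}
    return {
        "commands": [
            {
                "type": "com.okta.access.patch",
                "value": [
                    {"op": "add", "path": f"/claims/{claim_name}", "value": session_id}
                ],
            }
        ]
    }


def session_is_active(token_claims: Dict[str, Any],
                      fetch_session: Callable[[str], Optional[Dict[str, Any]]],
                      claim_name: str = CLAIM_NAME) -> bool:
    """Step 4: reject the token unless its session claim resolves to an ACTIVE
    Okta session. fetch_session returns the session object or None for 404."""
    session_id = token_claims.get(claim_name)
    if not session_id:
        # Token was minted without the claim: treat as not linked to a session.
        return False
    session = fetch_session(session_id)
    if session is None:
        return False
    return session.get("status") == "ACTIVE"


def okta_session_fetcher(org_url: str, api_token: str
                         ) -> Callable[[str], Optional[Dict[str, Any]]]:
    """Builds a fetch_session callable that calls GET /api/v1/sessions/{id}
    with an SSWS API token (org_url/api_token are placeholders you supply)."""
    def fetch(session_id: str) -> Optional[Dict[str, Any]]:
        req = urllib.request.Request(
            f"{org_url.rstrip('/')}/api/v1/sessions/{session_id}",
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:      # session expired or was revoked
                return None
            raise
    return fetch


# Constructed sample hook request, shaped like the one Okta sends
# (only the fields used above are filled in).
SAMPLE_HOOK_REQUEST = {
    "eventType": "com.okta.oauth2.tokens.transform",
    "data": {
        "context": {"session": {"id": "102example-session-id"}},
        "access": {"claims": {"sub": "user@example.com"}},
    },
}


def fake_fetch_session(session_id: str) -> Optional[Dict[str, Any]]:
    """Stand-in for the Sessions API used when running this file offline."""
    if session_id == "102example-session-id":
        return {"id": session_id, "status": "ACTIVE"}
    return None


if __name__ == "__main__":
    response = build_hook_response(SAMPLE_HOOK_REQUEST)
    print(json.dumps(response, indent=2))
    claims = {"sub": "user@example.com", CLAIM_NAME: "102example-session-id"}
    print("active:", session_is_active(claims, fake_fetch_session))
```

In production, wire `okta_session_fetcher(...)` in as `fetch_session` and keep the claim check on every request (or cache the result for a short window), so that a token outlives its session by at most that window rather than its full lifetime.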