What to do after session expired using okta-auth-js

Questions OAuth/OIDC
1

Hi everyone,

Our team’s goal is to add passwordless login option to an existing system. Due to some restrictions that are out of our control we could no use Okta’s Widget, so we decided to move on using okta-auth-js.

Once the use clicks a “send me an email”-like button we use idx’s authClient.idx.authenticate({...}) method to start the flow. Later, when they submit the OTP, we use authClient.dx.proceed({verificationCode: 'input'}) to check if it’s valid or not.

One of the scenarios we are struggling to handle is when the session expires. In this case, when we validate the OTP we get response with status PENDING and error ‘error.expired.session’. What we found checking the documentation is that we should ask the user to start the login process again.

In our case, it would end up running authClient.idx.authenticate({...}) to send a new e-mail. We would expect a new flow to be created and replace the old one, but what we receive is an error stating that ‘idx.session.experied’.

Is this expected? Are we forgetting to do some in between those steps?

I’ve tried to check the current flow ids with authClient.idx.getFlow() with no much success.

2

If the session has expired, can you try clearing the current transaction (which you can see being done here) and starting a new one (in fact, we also recommend using idx.start in place of idx.authenticate)

3

Hi Andrea, thanks for the quick reply.

I just tried and it did work!

Would you mind elaborating with we should prefer start over authenticate? I couldn’t find anything on the documentation. Also, is there any “best practices” guides for the idx flow? I’m not sure if we might be mising something else and it would be good to see some implementation examples.

4

By design, the idx.authenticate method is used when the only flow you need to complete is a login flow. In contrast, idx.start allows use of all remediation types and is what we recommend using in most cases to start the transaction so you don’t run into an issue where the remediation type you need isn’t available.

I also checked with our AuthJS developers and we are looking to update our readme to recommend the same.