okta / okta-auth-js

The official js wrapper around Okta's auth API

creating a new account sdk does not create session #1509

Closed harpreetmand closed 6 months ago

harpreetmand commented 7 months ago

Describe the bug

When a customer creates a new account using okta-auth-js and okta-react, we are not able to get session information when calling .session.get(), even though there are active accessToken and refreshToken. session.get() returns status: 'INACTIVE'; .authStateManager.getAuthState().isAuthenticated returns true.

To sign out a user we are calling await authClient.revokeRefreshToken(), then await authClient.revokeAccessToken(), and then closeSession() to check if the session has been closed before completely signing out the user. closeSession() fails for new registrations but succeeds for users who have signed in.

Reproduction Steps?

Create a new account using okta-auth-js and okta-react, then try to get session information by calling session.get().

SDK Versions

"@okta/okta-auth-js": "^7.3.0",
"@okta/okta-react": "^6.7.0",

Additional Information?

No response

jaredperreault-okta commented 7 months ago

Can you please provide a code snippet of your user registration process?

mguagenti commented 6 months ago

I noticed this behavior too. Sessions are not created when using the idx register flow.

Support confirmed this was the expected behavior of that particular endpoint and suggested adding a login call at the end of the register flow using the data provided by the user, however that is suboptimal especially when a user sets up MFA (Case 02009292).

It would be nice if there was a way this could be fixed because the session cookie would allow users to interact with other SSO apps after registering, as well as remember the device they registered on.

jaredperreault-okta commented 6 months ago

@mguagenti Since this is the expected behavior, I doubt it will be fixed. Especially with the looming deprecation of 3rd-party cookies by browsers, it's counterproductive to couple the Application session and the Okta session more tightly. The accessToken can be used to protect your resource server, and the idToken should provide any of the user details session.get() provides.
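The two points in this thread, a sign-out sequence that must not assume an Okta session exists (the reporter's revokeRefreshToken / revokeAccessToken / closeSession order) and the maintainer's advice to rely on the tokens rather than session.get(), as one added example. This is not code from okta-auth-js or from anyone in the thread. It assumes an `authClient` object exposing the okta-auth-js methods named in the thread (`revokeRefreshToken()`, `revokeAccessToken()`, `closeSession()`, `session.get()`) plus `tokenManager.getTokens()` and `tokenManager.clear()`; the stub client at the bottom is constructed here so the helpers run offline and is not the real SDK.

```javascript
// Added example, not okta-auth-js code. Sign out without assuming an Okta
// session exists: revoke tokens first, close the session only if session.get()
// says one is ACTIVE, then always clear the locally cached tokens.
async function signOutWithoutSessionAssumption(authClient) {
  const result = {
    refreshRevoked: false,
    accessRevoked: false,
    sessionClosed: false,
    localCleared: false,
  };

  // Revoke the refresh token first so no new access token can be minted
  // after the current access token is revoked.
  await authClient.revokeRefreshToken();
  result.refreshRevoked = true;
  await authClient.revokeAccessToken();
  result.accessRevoked = true;

  // Accounts created through the register flow have tokens but no Okta
  // session (status 'INACTIVE'), so closeSession() is guarded rather than
  // treated as a required step.
  const session = await authClient.session.get();
  if (session && session.status === 'ACTIVE') {
    await authClient.closeSession();
    result.sessionClosed = true;
  }

  // Whatever happened on the Okta side, drop the cached tokens locally.
  await authClient.tokenManager.clear();
  result.localCleared = true;
  return result;
}

// Derive "who is signed in" from the tokens instead of session.get(), as the
// maintainer suggests. Client-side claim reads are for routing/display only;
// the resource server must still validate the access token it receives.
async function userFromTokens(authClient) {
  const { idToken, accessToken } = await authClient.tokenManager.getTokens();
  if (!idToken || !accessToken) return null;
  return { sub: idToken.claims.sub, email: idToken.claims.email };
}

// Constructed stub standing in for an okta-auth-js client (assumption: the
// real client has the same method names). `hasSession` selects between the
// signed-in case (ACTIVE) and the freshly registered case (INACTIVE).
function makeStubClient(hasSession) {
  const calls = [];
  let tokens = {
    accessToken: { accessToken: 'constructed-access-token' },
    idToken: { claims: { sub: '00u-constructed', email: 'user@example.test' } },
    refreshToken: { refreshToken: 'constructed-refresh-token' },
  };
  return {
    calls,
    revokeRefreshToken: async () => { calls.push('revokeRefreshToken'); },
    revokeAccessToken: async () => { calls.push('revokeAccessToken'); },
    session: {
      get: async () => ({ status: hasSession ? 'ACTIVE' : 'INACTIVE' }),
    },
    closeSession: async () => {
      calls.push('closeSession');
      if (!hasSession) throw new Error('no active session'); // mirrors the reported failure
      return true;
    },
    tokenManager: {
      getTokens: async () => tokens,
      clear: async () => { calls.push('tokenManager.clear'); tokens = {}; },
    },
  };
}
```

Running `signOutWithoutSessionAssumption(makeStubClient(false))` completes without calling closeSession(), while the same helper against `makeStubClient(true)` closes the session; in both cases the local tokens are cleared, which is the property a sign-out handler should guarantee regardless of how the account was created.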