okta / okta-signin-widget

HTML/CSS/JS widget that provides out-of-the-box authentication UX for your organization's apps

SessionID only provided as Cookie to implicit/callback, third party cookies are blocked #724

Open MTVKuliyev opened 5 years ago

MTVKuliyev commented 5 years ago

Hello, we are attempting to build an application with the Signin Widget and we are currently blocked because we are unable to get the Session ID in any way. The only time it appears that a Session ID is provided within the context of using the sign-on widget is when it is returned as a Cookie from the Okta token when it redirects to the implicit/callback. We are not able to grab this cookie due to third-party cookie restrictions and there does NOT appear to be any endpoint to get a session id from access_token, id_token, refresh_token or any other way.

The only workarounds available as far as we can tell are the following:

  1. We are not able to host an Okta server on a subdomain because we are integrating with a third-party Okta provisioned to us.

  2. It appears that the authn call from the Signon Widget passes a sessionToken in its query parameters. Could you point us to where in the Signon Widget code this call is built and made so we can retrieve the sessionToken to subsequently get the session id?

  3. Figuring out a way to implicitly manage the session. With regards to this, does the session get extended if we refresh the access_token? If not, there doesn't appear to be any other way to implicitly extend the session.

There is an outstanding bug specifying that even if a session is destroyed the access_token is not expired (https://github.com/okta/okta-signin-widget/issues/662). This would be advantageous to us because it doesn't appear that the session is used for anything, so if we maintain the validity of the access token we can continue making requests. However, if that is a bug that is going to be fixed, we cannot rely on this behavior. We can destroy the session with a browser redirect to /logout. This destroys the session.

This is related to https://github.com/okta/okta-signin-widget/issues/429 but that ticket did not provide a resolution or workaround.

aarongranick-okta commented 4 years ago

@MTVKuliyev You can retrieve details about the current session using the API endpoint session.get: https://github.com/okta/okta-auth-js#sessionget

If you have an instance of the signin widget you can access the internal authClient and call this method.

Please let us know if this can resolve this issue. (Bug #662 will be fixed, so you should not rely on that behavior)
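One way to wire up the approach in the reply above, written as an added example that is not code from this issue thread or from Okta. It assumes the widget instance exposes `authClient` (the embedded okta-auth-js client) whose `session.get()` resolves to the `/api/v1/sessions/me` body when a session exists and to `{ status: 'INACTIVE' }` when it does not; the widget stand-ins, the session ID and the login are constructed so the file runs offline. The practical check for the situation described in the issue is the `INACTIVE` branch: `session.get()` is a request to the Okta org that depends on the browser attaching the Okta session cookie from the app's origin, so the same third-party-cookie restriction the reporter hit shows up here as an inactive result rather than an error, and the app should handle that path explicitly.

```javascript
// Added example, not part of okta-signin-widget or okta-auth-js.
// Assumption: `signIn.authClient.session.get()` resolves to the Okta session
// record (fields id, login, status, expiresAt) or to { status: 'INACTIVE' }.

// Normalize whatever session.get() resolves to into a small, predictable record,
// so callers never have to poke at raw API fields.
function summarizeSession(raw) {
  if (!raw || raw.status !== 'ACTIVE') {
    return { active: false, id: null, login: null, expiresAt: null };
  }
  return {
    active: true,
    id: raw.id,
    login: raw.login || null,
    expiresAt: raw.expiresAt ? new Date(raw.expiresAt) : null,
  };
}

// Read the Okta session through the auth client embedded in the widget instance.
// A rejected request (network/CORS failure) is reported as "no session" instead of
// propagating, since the caller's decision is the same either way.
async function getSessionFromWidget(signIn) {
  const authClient = signIn && signIn.authClient;
  if (!authClient || !authClient.session || typeof authClient.session.get !== 'function') {
    throw new Error('widget instance does not expose authClient.session.get');
  }
  let raw;
  try {
    raw = await authClient.session.get();
  } catch (err) {
    return summarizeSession(null);
  }
  return summarizeSession(raw);
}

// Constructed stand-ins for a widget instance; in a browser you would use
// `new OktaSignIn({...})` and its real authClient instead.
function fakeWidget(sessionGet) {
  return { authClient: { session: { get: sessionGet } } };
}

// Constructed sample responses (placeholder values, not real Okta data).
const activeStub = fakeWidget(async () => ({
  id: 'SESSION_ID_PLACEHOLDER',
  login: 'user@example.com',
  status: 'ACTIVE',
  expiresAt: '2020-01-01T00:00:00.000Z',
}));
const inactiveStub = fakeWidget(async () => ({ status: 'INACTIVE' }));
const failingStub = fakeWidget(async () => { throw new Error('constructed network failure'); });

// Runs the three cases and returns the normalized results; call demo() to inspect them.
async function demo() {
  return {
    active: await getSessionFromWidget(activeStub),
    inactive: await getSessionFromWidget(inactiveStub),
    failed: await getSessionFromWidget(failingStub),
  };
}
```

Where an app only needs to know whether the Okta session is still alive (for example before deciding to renew tokens), `summarizeSession(...).active` is the single boolean to branch on; the `id` is exposed for the case in the issue where the session identifier itself is wanted.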