Get Tokens for a Logged-in User

Problem#

The user may already have an existing session with Okta (through another application or the Okta dashboard), but your application may hold no OAuth/OIDC tokens for that session, or the claims in the tokens it holds may no longer reflect recently updated user attributes.

Solution#

Okta can silently authenticate a user who already has a session during a browser-based OpenID Connect flow when the prompt parameter is set to none: if a valid session exists, the authorization server responds without showing any login or consent UI; if it does not, it returns an error (such as login_required) instead of a code, so the application must be prepared to handle that error.

The steps are as follows:

  1. Recommended when the application and Okta share a domain: validate that an Okta session exists before starting the flow
  2. Perform an authorization code flow with PKCE by redirecting the user to your tenant's /authorize endpoint with prompt=none and response_mode=query
  3. Parse the code from the callback redirect (or the error, if there was no usable session) and exchange the code for tokens
  4. Store the new tokens in the application

Note that the full-page redirect creates a jarring user experience. This can be improved with a hidden iframe, but there is an important caveat to consider before taking that approach:

⚠️ A cross-origin iframe is loaded in a third-party context. Some browsers, and eventually all, block third-party cookies by default; the Okta session cookie is then not sent with the iframe request, so this solution will not work in those environments. For more details, please refer to the support page.

If this caveat does not apply to your environment, the okta-auth-js SDK wraps the whole flow in a single method, token.getWithoutPrompt(options), which performs it inside a hidden iframe:

import { OktaAuth } from '@okta/okta-auth-js';

// issuer, clientId and redirectUri are placeholders for your tenant's values
const authClient = new OktaAuth({ issuer: 'https://{yourOktaDomain}/oauth2/default', clientId: '{clientId}', redirectUri: window.location.origin + '/login/callback' });

authClient.token.getWithoutPrompt({
  responseType: ['id_token', 'access_token'], // a single type or an array of types
})
  .then(({ tokens }) => authClient.tokenManager.storeTokens(tokens))
  .catch(err => console.error(err)); // e.g. login_required when there is no Okta session or third-party cookies are blocked

Discussion#

In practice, this approach is generally used by applications with an SSO requirement. Applications that only need fresh JWTs can most likely rely instead on a short-lived, continually rotated refresh token.

Related Links#