Get Tokens for Logged in User


The user may already have an existing session with Okta (through another application or dashboard), however, your application may not have references to the oAuth/OIDC tokens OR the token's claim do not reflect recently updated attributes.


Okta provides the ability to silently authenticate an existing user during a browser-based OpenID Connect flow with the prompt parameter set to none.

The steps are as followed:

  1. Recommended (Same Domains): Validate Existing Session
  2. Perform PKCE OAuth flow by redirecting user to your tenant's /authorize endpoint with prompt=none with a response_mode=query
  3. Parse code from the callback redirect and exchange code for tokens
  4. Store new tokens in the application

Note, the redirect can create a jaggered user experience, but this can be improved upon with the use of an hidden iFrame. However, there is an important caveat one must consider prior to going with this approach:

⚠️ Cross-site origin iFrames are loaded in a third-party context. As a result, some browsers -- and eventually all -- block third-party cookies by default, therefore, this solution will not work for some environments. For more details, please refer to the support page.

If this caveat doesn't apply to your environment, the okta-auth-js SDK provides a method, token.getWithoutPrompt(options), all within a hidden iFrame.

responseType: ['id_token', 'access_token'], // or array of types
.then({tokens} => authClient.tokenManager.storeTokens(tokens))
.catch(err => console.err);


In practice, this approach will generally be used for applications with an SSO requirements. For some applications that just need updated JWTs, they can most likely leverage a short-lived, continually rotated refresh token.

Related Links#