The user may already have an existing session with Okta (established through another application or the Okta dashboard); however, your application may not hold references to the OAuth/OIDC tokens, or the tokens' claims may not reflect recently updated attributes.
Okta provides the ability to silently authenticate an existing user during a browser-based OpenID Connect flow with the prompt parameter set to
The steps are as follows:
- Recommended (same domain): validate the existing session
- Perform a PKCE OAuth flow by redirecting the user to your tenant's
- Parse the code from the callback redirect and exchange the code for tokens
- Store the new tokens in the application
Note: the redirect can create a jarring user experience, but this can be improved with a hidden iFrame. However, there is an important caveat to consider before taking this approach:
⚠️ Cross-site origin iFrames are loaded in a third-party context. Some browsers already block third-party cookies by default, and eventually all will, so this solution will not work in some environments. For more details, please refer to the support page.
If this caveat does not apply to your environment, the okta-auth-js SDK provides a method, token.getWithoutPrompt(options), that performs this flow within a hidden iFrame.
In practice, this approach is generally used for applications with an SSO requirement. Applications that just need updated JWTs can most likely leverage a short-lived, continually rotated