0

I will try to keep the question as clear and direct as possible.

  1. Social authentication (Facebook) configured with Okta with redirect URI as URL to my custom webapp. This custom webapp relies on Okta for authentication.
  2. User visits my custom webapp (unauthenticated) and clicks on the social authentication URL to login to my custom webapp.
  3. User follows the normal flow, gets authenticated by facebook and thereby by Okta (as per usual flow) and is then redirected by Okta back to the custom webapp.
  4. The entire flow is successful and the user can see an Okta session cookie set in their browser.
  5. Custom webapp now needs to show the user their own profile by making an Okta API call.

Problem: How can my custom webapp identify who just logged in so that they can fetch their Okta profile using API?

I am aware that Okta knows who just logged in due to claims that facebook sends to the OAuth client (Okta), but how will my app know the identity of the user who logged in?

Thanks,

Jatin

Daniel Widdis
  • 8,424
  • 13
  • 41
  • 63
Jatin
  • 667
  • 8
  • 16

1 Answers1

0

It depends on the OAuth2 flow you've chosen for your app, but the end state is getting an id_token from Okta which contains claims about the user that just logged in.

If you've set response_type=code in your social auth url (/authorize), after Step 4 you'll get a code query param in the redirect that you can then exchange for the id_token using the /token endpoint.

Or, if you've set response_type=id_token, you should already have the id_token in the redirect - you just need to validate/decode it (more info here).

remanc
  • 205
  • 2
  • 10