Posts

Showing posts from September, 2021

Okta - exchange a session token for session cookie

After you perform primary authentication using the Okta /authn API, you receive a session token. This is a nice guide which explains the various ways you can redeem a session token for a session cookie, which is stored in your web browser: https://developer.okta.com/docs/guides/session-cookie/overview/

I tried to see the different approaches listed in the above doc in action.

Learnings

1. All these are ways to set the session cookie (sid) after the user authenticates using the /authn API.
2. The sessionToken returned by the /authn API is exchanged for a session cookie, which is set by Okta in the user's browser.
3. The browser uses this sid cookie for subsequent requests to Okta, which achieves SSO.
4. Now, if sid is available, why is there an OAuth2 /token call made from the browser? This is because for making API calls (XHR - XMLHttpRequests) the browser can't use certain cookies, like cookies which are set to HttpOnly, like the sid cookie in our case! This is because JavaScript can manipulate co...