Okta - exchange a session token for session cookie

After you perform primary authentication using the Okta /authn API, you receive a session token.

This is a nice guide that explains the various ways you can redeem a session token for a session cookie, which is then stored in your web browser.

https://developer.okta.com/docs/guides/session-cookie/overview/

I tried to see the different approaches listed in the above doc in action.

Learnings

1. All of these are ways to set the session cookie (sid) after the user authenticates using the /authn API

2. The sessionToken returned by the /authn API is exchanged for a session cookie, which is set by Okta in the user's browser

3. The browser sends this sid cookie on subsequent requests to Okta, which is what achieves SSO

4. Now, if sid is available, why is there an OAuth2 /token call made from the browser? This is because for making API calls (XHR, XMLHttpRequest) the browser can't use certain cookies, like cookies which are set to HttpOnly, like the sid cookie in our case! This is because JavaScript can manipulate cookies, and hence HttpOnly tells the browser that JS (the API call in this case) cannot use the cookie. The reason is very well explained here - https://stackoverflow.com/a/15300769

Well, ^^ is not entirely correct. Cookies are sent with XHR calls if the call is made from the same domain. The reason we make the token call is because some APIs are restricted by OAuth2 bearer tokens. This is the case with deployments outside Okta, like splitnot.com. Hence you see it make a call to the /token endpoint, but shantanu-ok11.okta.com does not. However, sometimes shantanu-ok11.okta.com does call the /token endpoint. I still have to figure out why.

1. Retrieve a session cookie through the OpenID Connect authorization endpoint
I tried this with https://www.splitnot.com/. The Okta Sign-In Widget hosted by the customer uses this approach.

2. Retrieve a session cookie by visiting a session redirect link
I tried this with https://shantanu-ok11.okta.com. The Okta Sign-In Widget hosted by Okta uses this approach.

3. Retrieve a session cookie by visiting an application embed link
I haven't been able to repro this.
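To make approaches 1 and 2 concrete, here is an added example (not code from the original post or from Okta) that extracts the sessionToken from an /authn response and builds the two redemption URLs the browser would then visit. The endpoint paths (/api/v1/authn, /login/sessionCookieRedirect, /oauth2/v1/authorize) and parameter names are the documented Okta ones; the org domain, client id, redirect targets and the /authn response bodies are constructed samples. The sessionToken is a one-time, short-lived credential, so the script only builds URLs and never sends them; it also refuses redirect targets that are not on the org itself or an explicit allow-list, since an unchecked redirectUrl would turn the link into an open redirect.

```python
"""Extract a sessionToken from an Okta /authn response and build the
session-cookie redemption URLs (added example, not the post's own code)."""
import json
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed sample: a successful primary-auth response from
# POST https://{org}/api/v1/authn (the sessionToken value is fake).
SAMPLE_AUTHN_SUCCESS = json.dumps({
    "status": "SUCCESS",
    "sessionToken": "00Fake-SessionToken-Value",
    "_embedded": {"user": {"id": "00u1fake", "profile": {"login": "alice@example.com"}}},
})

# Constructed sample: primary auth that still needs a second factor.
SAMPLE_AUTHN_MFA = json.dumps({"status": "MFA_REQUIRED", "stateToken": "00Fake-StateToken"})


def session_token_from_authn(body: str) -> Optional[str]:
    """Return the one-time sessionToken, or None if authentication is not complete.

    Only status SUCCESS carries a sessionToken. Transaction states such as
    MFA_REQUIRED or PASSWORD_EXPIRED carry a stateToken instead and must not
    be treated as an authenticated user.
    """
    data = json.loads(body)
    if data.get("status") != "SUCCESS":
        return None
    return data.get("sessionToken")


def _same_org(org: str, target: str) -> bool:
    """True only for https targets on the Okta org itself."""
    p = urlparse(target)
    return p.scheme == "https" and p.hostname == org


def session_cookie_redirect_url(org: str, session_token: str, redirect_url: str,
                                allowed_hosts: frozenset = frozenset()) -> str:
    """Approach 2: the session redirect link.

    Visiting this URL in the browser makes Okta set the sid cookie and then
    redirect to redirect_url. The target is validated against the org and an
    allow-list so the link cannot be abused as an open redirect.
    """
    host = urlparse(redirect_url).hostname
    if not (_same_org(org, redirect_url) or host in allowed_hosts):
        raise ValueError(f"redirect target not allowed: {redirect_url}")
    query = urlencode({"token": session_token, "redirectUrl": redirect_url})
    return f"https://{org}/login/sessionCookieRedirect?{query}"


def oidc_authorize_url(org: str, client_id: str, redirect_uri: str, session_token: str,
                       state: Optional[str] = None, nonce: Optional[str] = None) -> str:
    """Approach 1: the OpenID Connect authorization endpoint.

    Okta consumes the sessionToken, sets the sid cookie, and redirects back to
    redirect_uri with an authorization code. state and nonce are fresh random
    values the app must bind to the browser session (CSRF and replay checks).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "sessionToken": session_token,
    }
    return f"https://{org}/oauth2/v1/authorize?{urlencode(params)}"


if __name__ == "__main__":
    org = "example.okta.com"  # constructed org domain
    token = session_token_from_authn(SAMPLE_AUTHN_SUCCESS)
    print(session_cookie_redirect_url(org, token, f"https://{org}/app/UserHome"))
    print(oidc_authorize_url(org, "0oa-fake-client-id", "https://app.example.com/callback", token))
    print(session_token_from_authn(SAMPLE_AUTHN_MFA))  # None: no sessionToken until MFA completes
```

Running the script prints the two URLs and then None for the MFA_REQUIRED sample; in a real flow the app would hand the first two URLs to the browser, and it is the browser that ends up holding the HttpOnly sid cookie, never the script.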
