Has anybody used the Okta API (Validate Session) to validate an Okta session ID? I have a use case where a user logs into Okta and then accesses a cloud app. This cloud app then calls an external API service, and wants to pass it the user's Okta session ID, so the API service can validate the user by calling the Okta API to validate the Okta session ID.
Does this make sense? Has anybody done something similar to this?
The cloud app shouldn't need to have the Okta session ID. You should be very wary of giving another service your user's sessions as this is pretty insecure. I'd be interested to know more specifics about your use case such as why the API service needs to validate the user is logged into Okta. If that cloud app is set up with SAML, for instance, if the user tries to access the app without a valid Okta session, they will be forced to login to Okta before accessing the cloud app.
Hope that helps and that I'm understanding correctly.
Thank you Will. I agree with you about passing the user's session ID being insecure. My response to this ask from the API service was that it should be able to trust the user information that the cloud app is passing it: The user is authenticating via Okta before accessing the cloud app, the app receives the user credentials via the Okta SAML response, and if the app chooses to pass this user information to the external API service, this service should trust it.
BTW, regarding the Okta API method called GET Validate Session. I have tried it (using an API client) and it does not seem to always work: Sometimes it returns an invalid session error like the following: