Validating the Okta session ID Skip to main content
https://support.okta.com/help/answers?id=906f0000000blvjiai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Patrick CesardPatrick Cesard 

Validating the Okta session ID

Hello.

Has anybody used the Okta API (Validate Session) to validate an Okta session ID? 
I have a use case where a user logs into Okta and then accesses a cloud app. This cloud app then calls an external API service, and wants to pass it the user's Okta session ID, so the API service can validate the user by calling the Okta API to validate the Okta session ID.

Does this make sense? Has anybody done something similar to this?
Wils DawsonWils Dawson (Okta, Inc.)
Hi Patrick,

The cloud app shouldn't need to have the Okta session ID. You should be very wary of giving another service your user's sessions as this is pretty insecure. I'd be interested to know more specifics about your use case such as why the API service needs to validate the user is logged into Okta. If that cloud app is set up with SAML, for instance, if the user tries to access the app without a valid Okta session, they will be forced to login to Okta before accessing the cloud app.

Hope that helps and that I'm understanding correctly.

Thanks,
Wils

Wils Dawson, Sr. Software Engineer, Okta
 
Patrick CesardPatrick Cesard
Thank you Will. I agree with you about passing the user's session ID being insecure. My response to this ask from the API service was that it should be able to trust the user information that the cloud app is passing it: The user is authenticating via Okta before accessing the cloud app, the app receives the user credentials via the Okta SAML response, and if the app chooses to pass this user information to the external API service, this service should trust it.
Patrick CesardPatrick Cesard
BTW, regarding the Okta API method called GET Validate Session. I have tried it (using an API client) and it does not seem to always work: Sometimes it returns an invalid session error like the following:

{
  "errorCode": "E0000005",
  "errorSummary": "Invalid session",
  "errorLink": "E0000005",
  "errorId": "oaeOWI_EsKqTBqSijMqNcF11g",
  "errorCauses": []
}

even though the session ID I pass in the API call should be valid because it's the one I retrieve from my browser's cookie after I'm logged into Okta.

Have you experienced this? Is there a way to tell what this errorId code means?