Okta Classic Engine / Integrations / Answered / 2017-06-01 (updated 2018-09-05)
How to check if a session is valid in web app back end?
I use the Okta sign-in widget to log a user in and get the ACTIVE session ID from the widget. Then I send the sessionId to my back end, with the expectation that it will GET /api/v1/sessions/{{sessionId}} and check that it is an ACTIVE session and that the logins match (so that a user can't pretend to be someone else if they happen to have a sessionId). Unfortunately, MFA_REQUIRED is returned as the status, even though it's an admin API operation. I don't get how I can simply GET a session based on its ID. It seems like it should be simple, especially since it's an admin operation. The same sessionId in the same org should not have different results on different servers.


If there is no way to verify that a session is active with just that API request, is there another way to verify it in the back end that only depends on the sign-in widget and read-only API operations?
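The back-end check the question describes, written out as an added example (not the poster's code and not an Okta-provided snippet): fetch the session by ID with an admin API token, then accept it only if its status is ACTIVE and its login matches the user the client claims to be. The org URL and token are placeholders, the `expiresAt` field is taken from the Okta Sessions API response, and the sample responses are constructed so the validation logic runs offline.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

OKTA_ORG = "https://example.okta.com"            # placeholder org URL (assumption)
API_TOKEN = "<SSWS token loaded from a secret store>"  # placeholder, never hard-code


def fetch_session(session_id: str) -> dict:
    """GET /api/v1/sessions/{sessionId} with an admin (SSWS) token and return the JSON.
    urllib raises HTTPError for non-2xx, e.g. 404 once the session no longer exists."""
    req = urllib.request.Request(
        f"{OKTA_ORG}/api/v1/sessions/{session_id}",
        headers={"Authorization": f"SSWS {API_TOKEN}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def session_is_valid_for(session: dict, expected_login: str,
                         now: Optional[datetime] = None) -> bool:
    """Fail closed: only an ACTIVE session counts (MFA_REQUIRED, MFA_ENROLL or any
    other status is rejected), the login must match the user the client claims,
    and the session must not be past its expiresAt timestamp."""
    now = now or datetime.now(timezone.utc)
    if session.get("status") != "ACTIVE":
        return False
    if session.get("login", "").casefold() != expected_login.casefold():
        return False
    expires = session.get("expiresAt")
    if expires:
        # Okta timestamps end in "Z"; fromisoformat needs an explicit offset.
        if datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            return False
    return True


# Constructed sample responses (not real Okta data), shaped like a Sessions API object.
ACTIVE_SESSION = {
    "id": "SAMPLE_SESSION_ID",
    "login": "alice@example.com",
    "status": "ACTIVE",
    "expiresAt": "2030-01-01T00:00:00.000Z",
}
MFA_SESSION = dict(ACTIVE_SESSION, status="MFA_REQUIRED")
```

In a real deployment `fetch_session` is called with the ID the client sent and the result passed to `session_is_valid_for` together with the login the client claims; a session that is MFA_REQUIRED is treated exactly like an invalid one.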

  • ScottD.09849 (Customer)

    I am already using the sign-in widget to get the session ID. It is available in the response from the call you mentioned. My question is why that session ID, in the admin get session endpoint, says MFA_REQUIRED, when there is no way for an admin to do MFA on behalf of a random user.
This question is closed.