Okta Classic Engine | Administration | Answered | 2018-09-05T01:29:00.000Z | 2015-10-01T00:04:13.000Z | 2016-07-25T15:16:27.000Z
Validating the Okta session ID
Hello.

Has anybody used the Okta API (Validate Session) to validate an Okta session ID?

I have a use case where a user logs into Okta and then accesses a cloud app. This cloud app then calls an external API service, and wants to pass it the user's Okta session ID, so the API service can validate the user by calling the Okta API to validate the Okta session ID.

Does this make sense? Has anybody done something similar to this?

  • Wils (Okta, Inc.)

    Hi Patrick,

    The cloud app shouldn't need to have the Okta session ID. You should be very wary of giving another service your user's sessions, as this is pretty insecure. I'd be interested to know more specifics about your use case, such as why the API service needs to validate that the user is logged into Okta. If that cloud app is set up with SAML, for instance, and the user tries to access the app without a valid Okta session, they will be forced to log in to Okta before accessing the cloud app.

    Hope that helps and that I'm understanding correctly.

    Thanks,

    Wils

    Wils Dawson, Sr. Software Engineer, Okta
  • PatrickC.59989 (Customer)

    Thank you Will. I agree with you about passing the user's session ID being insecure. My response to this ask from the API service was that it should be able to trust the user information that the cloud app is passing it: The user is authenticating via Okta before accessing the cloud app, the app receives the user credentials via the Okta SAML response, and if the app chooses to pass this user information to the external API service, this service should trust it.
  • PatrickC.59989 (Customer)

    BTW, regarding the Okta API method called GET Validate Session: I have tried it (using an API client) and it does not seem to always work. Sometimes it returns an invalid session error like the following:

    {
      "errorCode": "E0000005",
      "errorSummary": "Invalid session",
      "errorLink": "E0000005",
      "errorId": "oaeOWI_EsKqTBqSijMqNcF11g",
      "errorCauses": []
    }

    even though the session ID I pass in the API call should be valid, because it's the one I retrieve from my browser's cookie after I'm logged into Okta.

    Have you experienced this? Is there a way to tell what this errorId code means?
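As an added illustration (not code from the thread or from Okta), here is a small client for the GET Validate Session call Patrick describes; it distinguishes a 200 session object from the E0000005 error body quoted above so the caller gets a clear verdict plus the errorId to quote to Okta support. The success-body field names, the org URL, the `opener` injection point and the sample values are assumptions; the session ID is itself a bearer credential and the SSWS token is an admin credential, which is the reason Wils advises against handing either to another service.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed sample bodies. The error body reproduces the E0000005 response
# quoted in the thread; the success body's field names are an assumption.
CONSTRUCTED_SESSION_ID = "102yZCONSTRUCTEDsessionIDxx"
SAMPLE_ACTIVE = json.dumps({"id": CONSTRUCTED_SESSION_ID, "login": "patrick@example.com",
                            "userId": "00uCONSTRUCTEDuserId", "status": "ACTIVE",
                            "expiresAt": "2016-07-25T17:16:27.000Z"}).encode()
SAMPLE_INVALID = json.dumps({"errorCode": "E0000005", "errorSummary": "Invalid session",
                             "errorLink": "E0000005", "errorId": "oaeOWI_EsKqTBqSijMqNcF11g",
                             "errorCauses": []}).encode()

@dataclass
class SessionCheck:
    valid: bool
    login: Optional[str] = None
    status: Optional[str] = None
    error_code: Optional[str] = None
    error_id: Optional[str] = None   # opaque request id, useful when asking Okta support

def build_request(org_url: str, session_id: str, api_token: str) -> urllib.request.Request:
    """GET /api/v1/sessions/{id}; the SSWS token is an admin credential, keep it server-side."""
    return urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/sessions/{session_id}",
        headers={"Accept": "application/json", "Authorization": f"SSWS {api_token}"},
        method="GET")

def interpret(http_status: int, body: bytes) -> SessionCheck:
    """Map the Okta response to a verdict; anything but a 200 with a session object is 'not valid'."""
    data = json.loads(body or b"{}")
    if http_status == 200 and "id" in data:
        return SessionCheck(True, login=data.get("login"), status=data.get("status"))
    return SessionCheck(False, error_code=data.get("errorCode"), error_id=data.get("errorId"))

def validate_session(org_url, session_id, api_token, opener=None, timeout=10) -> SessionCheck:
    """Call the endpoint and fold both the success and the error path into a SessionCheck."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(build_request(org_url, session_id, api_token), timeout=timeout) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as exc:     # Okta returns the error JSON with a 4xx status
        return interpret(exc.code, exc.read())
```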
This question is closed.