
EmmetM.20005 (Customer) asked a question.
Hi,
I have multiple client apps that sit on different domains. Each client app is set up as its own OIDC client in Okta, and so should be able to use the Authorization Code flow to get new tokens when required, given a current Okta session is valid. However, given the new rules on third-party cookies in browsers, this concept seems impossible to implement now. Yes, a custom domain is an option; however, this does not help federated apps that sit on different domains, as the IdP can only be on one custom domain.
I have read a lot about this and found this previous question, which is closed without an actual answer to the question: https://support.okta.com/help/s/question/0D51Y00009mOYlQSAW/single-signon-across-multiple-domains-by-disabling-third-party-cookies-using-oktaauthjs?language=en_US
And as mentioned in the Okta docs here https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment, the line "Note: In the event that you have multiple applications running on separate domains, all of which rely on a single Okta tenant for authentication, the best course of action will be to convert your applications to use a Federation protocol like OpenID Connect (OIDC). You can learn more about OIDC in our developer docs: https://developer.okta.com/docs/concepts/oauth-openid/" doesn't actually explain how to implement "the best course of action".
Could the community get some clear clarification and a clear solution on how client apps on different domains can federate via OIDC?
Thanks

It's the widget itself - the default SPA configuration leads to a flow that looks like this:
In this flow the session cookie is set in the iframe, which is what "disallow third party cookies" disables. When the widget later tries to refresh tokens (which I'm guessing is where your developer saw that error), the session won't be set.
There are two options:
@tiberiu.mocanu1.5700144447345728E12 (Vendor Management) Sorry I didn't specify, I am not using the Okta Widget. This is a custom login UI purpose-built by us, that uses the Okta APIs in the same way your widget does. We auth the customer using the AuthN APIs, we exchange the session token, and so an Okta session cookie (sid) is set in the user's browser.
We then federate to a second APP, and this second APP needs to get new tokens silently. So as a registered OIDC client they launch a hidden iframe and kick off the Auth Code flow. HOWEVER, performing this flow within an iframe is not possible because when we redirect to the Okta domain /authorize call, the SID cookie (seen as a third-party cookie) isn't sent due to browser third-party rules within an iframe. So I was wondering if Okta knew of any way around this issue within an iframe?