
jatinj.16705 (Customer) asked a question.
My application has Okta integrated in it through the OIDC architecture. Sign-in is working correctly through the widget we use to sign in, but as for single sign-on, I am facing an issue where a user is unassigned while still in the session. If I try to log in, it should not be logged in, but it is still getting logged in because I have saved the session data to sign in; otherwise I have no other option to enable single sign-on on my single-page application. Please suggest a way to check whether the user is assigned or not while still in the user's local session in the browser. I have already applied the method of APIs, but it doesn't seem to align with our development requirements.

@jatinj.16705 (Customer) Okta has a token and your application has a token. Your application does not know when the user is removed from the application in Okta, so you should set your application token to be shorter. When the application token expires, it will redirect to Okta for verification.
@Hengfeng Ge (Customer) Can you please tell me how to set my application token short? What does it mean? Do you mean I have to set my token time period short?
@jatinj.16705 (Customer) If your application session has not expired, it will not redirect to Okta for verification. Okta does not manage the sessions of applications.
@a0n5s (a0n5s) My application has the OIDC architecture. As you said, Okta does not manage the sessions of applications, so how does single sign-on work? We need to log in every time. If my application session has expired, then I am not able to log in directly; I have to enter a username and password every time.
Is there any method to update user information from Okta while I am already in the session in my application? Please suggest something and elaborate; it would be very helpful for me!
@jatinj.16705 (Customer) This is the flow of OIDC with PKCE.
What do you mean by "how does single sign-on work"? Your application has integrated Okta with this flow. So when your application session expires, your application will redirect to Okta for single sign-on. Whether you need to enter a username and password depends on the global and application authentication policies. Policy in OIE is more flexible than in Classic.
Update user information from Okta? Do you mean replacing the application user information with the Okta profile user information? You can add the attribute you want in the application in the profile mapping from Okta to the application, then query the attribute via /userinfo.
I don't know if I understand your question.
Hi @a0n5s (a0n5s), I phrased my question wrongly, sorry for that, and thanks for your valuable time.
My application has Okta integration with the OIDC architecture, and sign-in is working correctly through the widget we use to sign in, but as for single sign-on, I am facing an issue where a user is unassigned in Okta while still in the session. If I try to log in, it should not be logged in, but it is still logged in. I understand your previous answer and it is helpful for me, but I need to know how I can identify in my application whether the user is assigned or not in Okta. Is there any way to do this other than the sign-in widget? I don't want to prompt the widget again while I am in the session; I just want to know the user's assigned/unassigned information from Okta in my application.
Is there any way to redirect to Okta for verification without expiring the token and session?
I tried one method where I get an API from Okta, send it to the back end and convert it into JSON. In that JSON I get all the information of the user, and that method is working correctly, but with that method I have to handle many things, so I don't want to use it.
I just need updated user information from Okta in my application while in the session.
I hope you understand my question.
First question: I think you can upgrade the Classic tenant to OIE. Authentication policy in OIE is more flexible. Global session policy:
Application authentication policy: after the user logs in to Okta with a password, logging in to the application needs no password. Like this, you can use any other 2FA, or you can skip 2FA.
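
The advice in this thread (keep the application session short, and when it expires send the user back to Okta through the OIDC flow with PKCE) can be sketched as follows. This is an added example, not code posted by anyone in the thread; the issuer URL, client ID, redirect URI and the 5-minute lifetime are placeholders and assumptions.

```javascript
const crypto = require("crypto");

// Assumed placeholder values, not taken from the thread.
const ISSUER = "https://example.okta.com/oauth2/default";
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
const REDIRECT_URI = "https://app.example.com/login/callback";
const APP_SESSION_TTL_MS = 5 * 60 * 1000; // short application session (assumed)

// base64url without padding, as PKCE (RFC 7636) requires.
const b64url = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// code_verifier is random; code_challenge = BASE64URL(SHA-256(verifier)).
function createPkcePair() {
  const verifier = b64url(crypto.randomBytes(32));
  const challenge = b64url(crypto.createHash("sha256").update(verifier).digest());
  return { verifier, challenge };
}

// The application, not Okta, owns this session, so it must expire it itself.
function isSessionExpired(session, now = Date.now()) {
  return !session || now - session.issuedAt >= APP_SESSION_TTL_MS;
}

function buildAuthorizeUrl(challenge, state) {
  const url = new URL(`${ISSUER}/v1/authorize`);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "code",
    scope: "openid profile",
    redirect_uri: REDIRECT_URI,
    state,
    code_challenge: challenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Decide per request: keep using the local session, or go back to Okta,
// where the sign-on policies and the current assignment are evaluated again.
function nextAction(session, now = Date.now()) {
  if (!isSessionExpired(session, now)) return { action: "continue" };
  const { verifier, challenge } = createPkcePair();
  const state = b64url(crypto.randomBytes(16));
  // Keep verifier and state (e.g. in sessionStorage) for the callback step.
  return { action: "redirect", url: buildAuthorizeUrl(challenge, state), verifier, state };
}
```
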