
AlbertT.71923 (Customer) asked a question.
Hello everyone,
I am currently implementing a CIBA (Client-Initiated Backchannel Authentication) flow and have a question regarding the best way to handle scopes, specifically for a one-time device binding action.
Here is the current user flow:
- Login: The user logs in using the authorization code flow with PKCE, as detailed in the Okta blog post on the topic (https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce). At this stage, an access and a refresh token are retrieved.
- Device Binding: To bind a device, the okta.myAccount.appAuthenticator.manage scope is required. The goal is to avoid requesting this scope during the initial login for two main reasons:
  - It's a one-time action, and it's preferable not to have this permission in the access token for the entire session.
  - The aim is to avoid having this scope included in the refresh token.
To obtain the okta.myAccount.appAuthenticator.manage scope, the interaction_code flow is currently being used.
This results in the user having to provide their credentials and a second factor twice: once for the initial login and again for the device binding.
My questions are:
- Is it possible to reuse the user's initial login session to avoid challenging them for their credentials and a second factor again when the additional scope for device binding is needed?
- Is there a more recommended approach for implementing a login followed by a device binding flow using the Okta API endpoints that would improve the user experience by reducing the number of authentication challenges?
Thank you for your help!

Hi @AlbertT.71923 (Customer), thank you for reaching out to the Okta Community!
As mentioned in the previous post, please reach out to the dedicated Okta Developer Forum via devforum.okta.com to take advantage of their expertise.
Or if you have an account with us, you can open a case to discuss the matter in detail with a dedicated resource.
Regards.