We are building an Angular 5 SPA and using Okta OIDC for user authentication. The Angular app will be called from an external app like Salesforce within the enterprise. The user from the external app will already be authenticated in Okta, and the ID token will be passed from the external app.
In Angular we should not display the sign-in page to the user; instead we have to validate the ID token received with Okta for authenticity and establish an Okta SSO session. We were originally using the getWithRedirect method, where we pass the userid/pwd and get the ID token in Angular and add it to tokenManager within web storage.
Please advise how we can validate the ID token received from the external app and use the same token for validating the user instead of asking the user to log in again.
I tried with the getWithRedirect or getWithoutPrompt option; it works fine when the SSO session exists in Okta. When the SSO session expires and the Angular app attempts to get new tokens, we get a login_required error: "The client specified not to prompt, but the user is not logged in."
Is there any option to get new tokens without a login prompt, irrespective of whether the Okta session exists or has expired?
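The first question above asks how to validate an ID token handed over by another application. The following is an added example written for this page; it is not code from the thread, from Okta or from the okta-angular library. It decodes the token and applies the claim checks an SPA has to make before trusting an ID token at all: the issuer must be the one the app was configured with, the `aud` claim must contain this app's own client_id, the token must be within its validity window, and the nonce must match the request this app itself made. Signature verification against the issuer's published JWKS is deliberately left out and is still required; the sample token, client IDs and issuer URL are constructed values.

```javascript
// Added example (not code from the thread or from Okta): the claim checks an SPA
// must apply to an OIDC ID token before trusting it. Signature verification
// against the issuer's JWKS is deliberately not done here and is still required.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// UTF-8 string -> base64url (no padding); used to construct sample tokens below
function toBase64Url(input) {
  const bytes = [];
  const enc = encodeURIComponent(input); // non-ASCII characters become %XX
  for (let i = 0; i < enc.length; i++) {
    if (enc[i] === '%') { bytes.push(parseInt(enc.slice(i + 1, i + 3), 16)); i += 2; }
    else bytes.push(enc.charCodeAt(i));
  }
  let out = '', bits = 0, acc = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
    acc &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}

// base64url -> UTF-8 string
function fromBase64Url(input) {
  let pct = '', bits = 0, acc = 0;
  const s = input.replace(/=+$/, '');
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character');
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) {
      bits -= 8;
      const h = ((acc >> bits) & 0xff).toString(16);
      pct += '%' + (h.length < 2 ? '0' + h : h);
      acc &= (1 << bits) - 1;
    }
  }
  return decodeURIComponent(pct);
}

// Checks the claims of `token` against what this SPA expects. Returns
// { ok, reason, claims }; `reason` names the first failed check.
function validateIdTokenClaims(token, expected) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(fromBase64Url(parts[0]));
    claims = JSON.parse(fromBase64Url(parts[1]));
  } catch (e) {
    return { ok: false, reason: 'undecodable' };
  }
  // "alg": "none" must never be accepted, whatever the signature check does later
  if (!header.alg || header.alg === 'none') return { ok: false, reason: 'alg', claims };
  // iss must be exactly the issuer this app was configured with
  if (claims.iss !== expected.issuer) return { ok: false, reason: 'iss', claims };
  // aud must contain this app's own client_id: a token minted for another client
  // (for example the external app) is not evidence of a session for this one
  const aud = Array.isArray(claims.aud) ? claims.aud : (claims.aud ? [claims.aud] : []);
  if (aud.indexOf(expected.clientId) < 0) return { ok: false, reason: 'aud', claims };
  // with several audiences, azp must name this client (OIDC Core 3.1.3.7)
  if (aud.length > 1 && claims.azp !== expected.clientId) return { ok: false, reason: 'azp', claims };
  const now = expected.nowSec !== undefined ? expected.nowSec : Math.floor(Date.now() / 1000);
  const skew = expected.skewSec !== undefined ? expected.skewSec : 60;
  if (typeof claims.exp !== 'number' || claims.exp <= now - skew) return { ok: false, reason: 'exp', claims };
  if (typeof claims.iat !== 'number' || claims.iat > now + skew) return { ok: false, reason: 'iat', claims };
  // nonce ties the token to the authorization request this app itself made
  if (expected.nonce !== undefined && claims.nonce !== expected.nonce) return { ok: false, reason: 'nonce', claims };
  return { ok: true, reason: 'ok', claims };
}

// Builds a sample token with a placeholder signature segment (constructed data for
// the demonstration; nothing here verifies signatures).
function makeSampleToken(claims, alg) {
  const header = { alg: alg || 'RS256', kid: 'sample-kid' };
  return toBase64Url(JSON.stringify(header)) + '.' +
         toBase64Url(JSON.stringify(claims)) + '.placeholder-signature';
}
```

The `aud` check is the one that matters for the scenario in the question: an ID token issued to the external app carries that app's client_id as its audience, so this SPA cannot treat it as proof of its own session even when the signature and issuer are fine. What the SPA can rely on instead is the Okta session behind that token, which is what getWithoutPrompt uses.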
You need to have an active session with Okta to be able to get new tokens (without a refresh token). Refresh tokens are not recommended for SPAs because of security; the silent refresh (getWithoutPrompt) is more secure, but requires that you have an active session with the IdP (Okta). You can increase the session timeout in Okta (Okta sign-on policy) if necessary.
In the event that you do not have an active session with Okta, how do you handle that gracefully in an Angular application? I’m using the okta-angular library, and I’m not sure how to handle/capture an expired session.
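As an added example for the last question (not code from the thread, from Okta or from the okta-angular library), the following shows the shape of a renewal step that treats the login_required error quoted earlier in the thread as "the IdP session is gone, send the user to sign in and bring them back afterwards" while letting every other failure surface as an error. The `errorCode` property on the thrown error is an assumption about the SDK's error objects; the fake SDK and router below are constructed stand-ins so the flow runs offline.

```javascript
// Added example (not from the thread or from the okta-angular library): a renewal
// step that treats login_required as "no IdP session, send the user to sign in"
// and everything else as a real error. The `errorCode` property is an assumption
// about the shape of the SDK's error objects; adjust it to what your SDK throws.

async function renewOrLogin(deps) {
  try {
    const tokens = await deps.getWithoutPrompt(); // silent renewal against the Okta session
    deps.storeTokens(tokens);
    return 'renewed';
  } catch (err) {
    if (err && err.errorCode === 'login_required') {
      // session expired: remember where the user was, then start an interactive sign-in
      deps.redirectToLogin(deps.currentUrl());
      return 'login_required';
    }
    throw err; // network or configuration failures must not be turned into a silent logout
  }
}

// Constructed stand-ins for the SDK and the router so the flow can be exercised offline.
// `behaviour` is 'ok' (session alive), 'expired' (login_required) or 'network' (other error).
function makeFakeDeps(behaviour) {
  const log = { stored: null, redirectedTo: null };
  return {
    log,
    getWithoutPrompt: async () => {
      if (behaviour === 'ok') return { idToken: 'id.token.sample', accessToken: 'access-sample' };
      const e = new Error(behaviour === 'expired'
        ? 'The client specified not to prompt, but the user is not logged in.'
        : 'network error');
      if (behaviour === 'expired') e.errorCode = 'login_required';
      throw e;
    },
    storeTokens: (t) => { log.stored = t; },
    redirectToLogin: (returnTo) => { log.redirectedTo = returnTo; },
    currentUrl: () => '/orders/42',
  };
}
```

The distinction between the two branches is the point: only login_required means the user has to authenticate again, and it is the one case where redirecting away from the current route is the right response; treating a network error the same way would log users out whenever the IdP is briefly unreachable.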