Ability to show the enroll authenticator form after authentication completes #3684
Comments
+1 It would be great if we could tell the widget "enroll this specific factor" to initiate the flow. A decent workaround is to create an application with a sign on policy that requires your new desired factor to be enrolled. I would also encourage you to look at enabling a new EA feature "End User Settings version 2.0". This provides a very end user friendly screen to enroll factors. https://support.okta.com/help/s/article/how-to-enable-end-user-settings-version-2-0?language=en_US
hi @RyAndrew thanks for your input. Unfortunately, this is for end users of an ecommerce application who will never have direct access to the Okta dashboard, so we cannot rely on any solutions which require end user management or settings within the platform. I do wonder if it's possible to use the redirect flow you mentioned. Do you have any code samples or articles showing this strategy? Our app already heavily relies on redirecting after authentication, so I'd hope we could simply create a new widget with different app config information to get the desired effect, and then proceed with the initial planned redirect. Let me try and do a POC using a separate application and report back, but any more info you have would be helpful. Thanks.
I created a POC to test out the technique of redirecting to a new application post-authentication, but am not having much luck. What I did was:
I am still trying to debug, but so far it seems that once you are authenticated the Widget simply refuses to show anymore.
@RyAndrew Do you have any further guidance on how to implement your suggestion? I'm starting to think the widget cannot be used in this manner. It seems to think that if you're already authenticated, it should never show.
I agree that the widget is not designed to solve this challenge. It sure would be great if it was able to programmatically allow factor enrollment. This would alleviate the requirement to build the enrollment screens yourself.
Describe the feature request
My team is attempting to roll out some optional authentication options for users such as Passkeys. However, we cannot find a way to display this screen post authentication for existing users.
It appears widget can be initialized with a 'flow', but it is unclear if there's a way to tell it to show the "enroll-authenticator" page to prompt users to enroll in optional authenticators. We would like a way to specifically tell the widget to go to that screen.
New or Affected Resource(s)
Sign in widget
Provide a documentation link
https://github.com/okta/okta-auth-js?tab=readme-ov-file#endpointsauthorizeenrollauthenticatoroptions
It appears this may have been a feature of the classic sign in widget. You can see some references to this behavior here under the multiOptionalFactorEnroll option. The documentation states this is not supported in the new sign in widget.
Additional Information?
We are currently using the Okta v3 embedded sign in widget for Password and Email / OTP and those are working well.
We are now investigating using Webauthn for authentication, specifically Passkeys.
We want to roll this out to users so that after they've logged in with a password or OTP, they can then be prompted to enroll a passkey OPTIONALLY. Since the widget already handles the enrollment quite well, we want to utilize it for this flow.
So far, we have found this easier to set up for the register / create account flow. You can simply create an enrollment policy and set FIDO2 / webauthn to optional and the widget will then prompt you to set up optional authenticators once you have created your account.
However, we have found that when using the sign in widget this doesn't work for existing users. Even when we set up an auth policy for webauthn to be optional, they are never prompted to enroll in that authenticator after authenticating. The only way we have seen to make this work involves modifying webauthn to be required instead of optional. In that case, Okta will force the user to enroll in passkeys. But, that is not what we want. We want to give the users the option to enroll in passkeys if they want rather than force it upon them by making the authenticator required.
I'm assuming this behavior is the same for all optional authenticators, but I could use some advice on whether there's a way to have the widget go straight to the optional authenticator enrollment page post sign in, or some other way to accomplish this. The create account flow with an optional authenticator at the end is pretty close to what we want, but we can't seem to achieve that with Okta config for the logging in side of things.