runamok

Reputation: 1019

Okta Session API Change Recently?

In our application we have been using the "Create Session with Credentials" (which is marked deprecated) which basically looks like:

POST {{url}}/api/v1/sessions

with body:

{
  "username": "{{username}}",
  "password": "{{password}}"
}

This returns an id which we then use in a Validate Session call any time the user visits another page:

GET {{url}}/api/v1/sessions/{{sessionId}}

This used to work, but around 2015-12-15 it stopped working.

Now I get an error like:

{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "oaee2frg7mCRGyp3TE9tgE0Gg",
  "errorCauses": []
}

We originally thought it was MFA-related, but my admin removed me from the AD group that requires MFA and we are still having issues.

So it creates the session fine with my creds (and fails if my password is wrong), but validation of the session fails. I have been testing this with Postman.

Any idea what changed? Are we using this incorrectly?

Upvotes: 2

Views: 1051

Answers (1)

Stephen Lee

Reputation: 116

I'm not able to reproduce the error.

That said, we are moving away from using /sessions for authentication (hence the deprecation, as you mentioned). You should use /authn (http://developer.okta.com/docs/api/resources/authn.html#authentication-operations) to authenticate the user with username/password. You won't get a session created right away like before with /sessions. Instead, you will receive a session token, which you can then use to create a session with /sessions (http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token).

The good thing about this new flow (besides a better use of /authn and /sessions) is that you do not need an API key for it. Only a valid set of creds will get you a one-time, short-lived session token, which is then immediately used to create the session.

Upvotes: 3
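The flow the answer describes, as an added example that is not part of the original post or of Okta's own SDKs: primary authentication against /authn, exchange of the one-time sessionToken for a session via /sessions, and a Get Session call to validate it on later page visits. The org URL, the SSWS API token on the Get Session call (an assumption here: the page does not say which calls need an API token, but the E0000006 response in the question is what an unauthorised call returns), and the FakeOkta responses are all constructed so the block runs offline; swap in urllib_transport to talk to a real org.

```python
# Added example (not from the original post or Okta's SDKs): the /authn -> /sessions
# -> validate flow described in the answer, with a fake transport so it runs offline.
import json
from urllib.request import Request, urlopen
from urllib.error import HTTPError


class OktaError(Exception):
    """Raised for any 4xx/5xx; carries Okta's errorCode/errorSummary."""
    def __init__(self, status, body):
        self.status = status
        self.error_code = body.get("errorCode")
        self.error_summary = body.get("errorSummary")
        super().__init__(f"HTTP {status} {self.error_code}: {self.error_summary}")


def urllib_transport(method, url, headers, body):
    """Live transport: send the request and return (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method, headers=headers)
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class OktaSessionClient:
    def __init__(self, base_url, api_token=None, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.api_token = api_token      # SSWS token; assumed to be needed only for Get Session
        self.transport = transport

    def _call(self, method, path, body=None, use_api_token=False):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if use_api_token and self.api_token:
            headers["Authorization"] = f"SSWS {self.api_token}"
        status, payload = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise OktaError(status, payload)
        return payload

    def authenticate(self, username, password):
        """Primary auth via /authn. Only a SUCCESS transaction carries a sessionToken;
        MFA_REQUIRED, PASSWORD_EXPIRED etc. need further /authn calls, so refuse them."""
        txn = self._call("POST", "/api/v1/authn", {"username": username, "password": password})
        if txn.get("status") != "SUCCESS":
            raise RuntimeError(f"/authn transaction not complete: status={txn.get('status')}")
        return txn["sessionToken"]

    def create_session(self, session_token):
        """Exchange the one-time sessionToken for a session; no API token needed."""
        return self._call("POST", "/api/v1/sessions", {"sessionToken": session_token})["id"]

    def validate_session(self, session_id):
        """Get Session, sent with the SSWS token (assumption: this call requires it)."""
        return self._call("GET", f"/api/v1/sessions/{session_id}", use_api_token=True)


def login_and_validate(client, username, password):
    """Full flow: authenticate -> create session -> validate it. Returns the session record."""
    token = client.authenticate(username, password)
    session_id = client.create_session(token)
    return client.validate_session(session_id)


# Constructed fake Okta org: one password-only user, one MFA-enrolled user, and a
# Get Session endpoint that answers E0000006 when no valid SSWS token is presented.
class FakeOkta:
    USERS = {"alice@example.com": "correct horse", "bob@example.com": "battery staple"}
    MFA_USERS = {"bob@example.com"}
    FORBIDDEN = {"errorCode": "E0000006",
                 "errorSummary": "You do not have permission to perform the requested action",
                 "errorLink": "E0000006", "errorId": "constructed", "errorCauses": []}

    def __init__(self):
        self.tokens = {}      # sessionToken -> username (one-time use)
        self.sessions = {}    # session id -> session record

    def __call__(self, method, url, headers, body):
        path = url.split("/api/v1/", 1)[1]
        if method == "POST" and path == "authn":
            user, pw = body.get("username"), body.get("password")
            if self.USERS.get(user) != pw:
                return 401, {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
            if user in self.MFA_USERS:
                return 200, {"status": "MFA_REQUIRED", "stateToken": "st-constructed"}
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens[token] = user
            return 200, {"status": "SUCCESS", "sessionToken": token}
        if method == "POST" and path == "sessions":
            user = self.tokens.pop(body.get("sessionToken"), None)   # consumed on use
            if user is None:
                return 401, {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
            sid = f"sid-{len(self.sessions) + 1}"
            self.sessions[sid] = {"id": sid, "login": user, "status": "ACTIVE"}
            return 200, self.sessions[sid]
        if method == "GET" and path.startswith("sessions/"):
            if headers.get("Authorization") != "SSWS admin-token":
                return 403, self.FORBIDDEN
            rec = self.sessions.get(path.split("/", 1)[1])
            return (200, rec) if rec else (404, {"errorCode": "E0000007"})
        return 404, {"errorCode": "E0000007"}


if __name__ == "__main__":
    client = OktaSessionClient("https://example.okta.com", api_token="admin-token", transport=FakeOkta())
    print(login_and_validate(client, "alice@example.com", "correct horse"))
```

Two behaviours worth noticing: the sessionToken is consumed by the first POST /api/v1/sessions, so a second exchange of the same token fails, and an /authn transaction that stops at MFA_REQUIRED never yields a sessionToken at all, so the client refuses to continue rather than treating the response as a login.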
