I have an Angular app with an Express server where Okta acts as the IdP. This is already set up and works well. Now I need to support SSO from an external app which uses Amazon Cognito. They have enabled our app for the OAuth2 auth code flow by providing us the client ID and secret.
What I want to understand is where I should exchange the auth code for access tokens, and also how I should manage sessions for users who come via SSO in Okta. I have a few options:
1. I tried in the Angular app using the "angular-oauth2-oidc" library but ran into a CORS issue while calling the /authorize endpoint with AWS Cognito. Further, it seems like exchanging the auth code for an access token in the front channel may not be the most secure way.
2. For SSO users, I could write a new route handler in Express to manage the token exchange and have this route as the callback URL in the initial authorization call to Cognito. However, my Express server already uses the "express-stormpath" SDK, which handles session management for our usual case where Okta acts as IdP. How do I have Express manage both local Okta user sessions and SSO user sessions with the Cognito IdP in the same place?
3. I also tried setting up Okta federation to an external IdP. But I am not sure how to route the auth call to the external IdP while Okta itself acts as the IdP for our internal users.
I am more inclined towards 3 where I only talk to Okta and it takes care of managing auth for our internal users (Okta IdP) as well as SSO users from external IdP (Cognito).
Any help here would be much appreciated.
Thanks, RK
That's an awful lot of questions in one, but here are some pointers:
1a. You need to add your SPA's domain to Okta as a trusted origin, as in step 7 of my write-up.
1b. You need to be more explicit about your concerns and what you mean when you say 'not the safe way'.
If you just want to get integrated with Okta as an SPA, try running my initial code sample.
2a. You need to have a strategy here, based on your goals. My personal views on best overall architecture for an SPA are summarised in my blog posts below, but there is a lot to understand here, and some people may have different views:
2b. If you are building an SPA you probably should avoid older web back end session management features, though some people use them.
3a. I agree with you that this is the preferred option. Aim to build your app so that it uses tokens from one provider, regardless of login method.
3b. When you redirect to Okta, you need to do one of these:
FEDERATION SCREENSHOTS
I had a quick look into this, and I'm not claiming it will be easy, or even possible, since it is common to run into vendor limitations. However, it is how the technology is supposed to work. It is better for this complexity to exist in the Authorization Server than in your application code.
In Cognito create an OAuth client:
Then get the metadata for Cognito, from a URL such as this:
Then fill in the endpoints Okta needs:
This will generate the IDP value and give you a redirect URL:
Then enter the generated values in Cognito, to complete the configuration:
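As an added example for the two steps above (getting the Cognito metadata and filling in the endpoints Okta needs), and not code from the original thread or from Okta or AWS: this helper reads a provider's /.well-known/openid-configuration document, pulls out the values an OIDC identity provider entry needs (issuer, authorization, token, JWKS and userinfo endpoints, client authentication method, scopes), and checks the properties the federation relies on: the code flow is advertised, a client-secret method is accepted at the token endpoint, ID tokens can be RS256-signed, and every endpoint is HTTPS. The discovery document embedded below is constructed with placeholder hostnames and pool ID, not fetched from a real user pool.

```javascript
// Added example, not code from the original thread. Extracts and sanity-checks
// the settings an OIDC identity provider entry needs from a provider's discovery
// document. SAMPLE_DISCOVERY is a constructed document with placeholder hosts.
const SAMPLE_DISCOVERY = JSON.stringify({
  issuer: 'https://cognito-idp.PLACEHOLDER-REGION.amazonaws.com/PLACEHOLDER_POOL_ID',
  authorization_endpoint: 'https://PLACEHOLDER-DOMAIN.auth.PLACEHOLDER-REGION.amazoncognito.com/oauth2/authorize',
  token_endpoint: 'https://PLACEHOLDER-DOMAIN.auth.PLACEHOLDER-REGION.amazoncognito.com/oauth2/token',
  userinfo_endpoint: 'https://PLACEHOLDER-DOMAIN.auth.PLACEHOLDER-REGION.amazoncognito.com/oauth2/userInfo',
  jwks_uri: 'https://cognito-idp.PLACEHOLDER-REGION.amazonaws.com/PLACEHOLDER_POOL_ID/.well-known/jwks.json',
  response_types_supported: ['code', 'token'],
  scopes_supported: ['openid', 'email', 'phone', 'profile'],
  token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
  id_token_signing_alg_values_supported: ['RS256'],
  subject_types_supported: ['public'],
});

// Fields without which a code-flow federation cannot be configured.
const REQUIRED = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

// Every endpoint the authorization server will call or redirect to must be HTTPS.
function checkHttps(name, value, problems) {
  if (typeof value !== 'string') return;           // absence is reported elsewhere
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    problems.push(`${name} is not a valid URL`);
    return;
  }
  if (parsed.protocol !== 'https:') problems.push(`${name} must use https`);
}

// expectedIssuer (optional) is the issuer you derived the discovery URL from;
// the document's own issuer claim must match it, otherwise ID tokens will
// later fail issuer validation or, worse, be accepted from the wrong party.
function extractIdpSettings(discoveryJson, expectedIssuer) {
  const doc = JSON.parse(discoveryJson);
  const problems = [];

  for (const key of REQUIRED) {
    if (typeof doc[key] !== 'string') problems.push(`missing ${key}`);
  }
  for (const key of ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'userinfo_endpoint']) {
    checkHttps(key, doc[key], problems);
  }
  if (expectedIssuer && doc.issuer !== expectedIssuer) {
    problems.push('issuer does not match the location the document was fetched from');
  }
  const responseTypes = Array.isArray(doc.response_types_supported) ? doc.response_types_supported : [];
  if (!responseTypes.includes('code')) {
    problems.push('authorization code flow (response_type "code") not advertised');
  }
  // OIDC Discovery: when omitted, the default is client_secret_basic.
  const authMethods = Array.isArray(doc.token_endpoint_auth_methods_supported)
    ? doc.token_endpoint_auth_methods_supported
    : ['client_secret_basic'];
  const clientAuthentication = authMethods.includes('client_secret_basic')
    ? 'client_secret_basic'
    : authMethods.includes('client_secret_post') ? 'client_secret_post' : null;
  if (!clientAuthentication) problems.push('no client-secret authentication method at the token endpoint');
  const algs = Array.isArray(doc.id_token_signing_alg_values_supported) ? doc.id_token_signing_alg_values_supported : [];
  if (!algs.includes('RS256')) problems.push('RS256 ID token signing not advertised');

  // Request only scopes the provider says it supports (if it lists them at all).
  const wanted = ['openid', 'email', 'profile'];
  const scopes = Array.isArray(doc.scopes_supported)
    ? wanted.filter((s) => doc.scopes_supported.includes(s))
    : wanted;

  return {
    ok: problems.length === 0,
    problems,
    settings: {
      issuer: doc.issuer,
      authorizationEndpoint: doc.authorization_endpoint,
      tokenEndpoint: doc.token_endpoint,
      jwksUri: doc.jwks_uri,
      userinfoEndpoint: typeof doc.userinfo_endpoint === 'string' ? doc.userinfo_endpoint : null,
      clientAuthentication,
      scopes,
    },
  };
}

module.exports = { SAMPLE_DISCOVERY, extractIdpSettings };
```

In practice the document is fetched over TLS from the provider's well-known URL and the result of `extractIdpSettings` is what gets typed into the external IdP form; the `problems` list is the checklist of reasons the federation would fail before any user tries to log in.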