Sign in with email only

Identity Engine

Enable an email-only sign-in flow in your app using the embedded SDK.

Learning outcomes

• Configure your Okta org to enable a user to sign in without a password.
• Integrate a password-optional sign-in flow into an app based on an embedded SDK.

What you need

• Download and set up the SDK
  

Sample code

• The embeddded Javascript SDK sample application (opens new window)

---

Update configurations

Before you can start integrating password-optional sign-up flows in your app,

Set up your Okta org for a password-optional use case

. See also

Recommended best practices

.

Note: To test the sign-in integration, you must use a user with an enrolled email authenticator.

Integrate

Summary of steps

The following summarizes the steps involved in the password-optional sign-in flow.

1: Your app displays the sign-in page

Create a sign-in page that captures the user's username.

2: The user submits their username

Call OktaAuth.idx.authenticate() and pass in the username.

  const { username } = req.body;
  const authClient = getAuthClient(req);
  const transaction = await authClient.idx.authenticate({ username });

3. The user verifies their identity with the email authenticator

OktaAuth.idx.authenticate() returns an IdxTransaction object indicating that the user needs to verify their identity with the email authenticator challenge.

{
  status: "PENDING",
  nextStep: {
    name: "challenge-authenticator",
    type: "email",
    authenticator: {
      type: "email",
      key: "okta_email",
      displayName: "Email",
    },
  },
}

The email authenticator supports user verification by one-time passcode (OTP) and by magic links. To learn more, see the Okta email integration guide.

4. Your app handles an authentication success response

When the user completes the email authenticator verification, one of OktaAuth.idx methods returns IdxTransaction.status of SUCCESS along with ID and access tokens, which indicates that the user successfully signed in.

{
  status: "SUCCESS",
  tokens: {
    accessToken: {
      accessToken: "eyJraWQiOiJLSWdvVHlt...",
      expiresAt: 1656106249,
      tokenType: "Bearer",
    },
    idToken: {
      idToken: "eyJraWQiOiJLSWdvVHltSGlL...",
      expiresAt: 1656106249,
    },
  },
}

Store these tokens for future requests and redirect the user to the default page after a successful sign-in attempt.

Note: In other use cases where additional sign-in authenticators are required, the user needs to choose and verify all required authenticators before IdxTransaction.status of SUCCESS is returned.