@okta/okta-auth-js/myaccount / Exports
MyAccount APIs enables end user account management in SPA applications. The API requires an access token obtained via OAuth flows with additional scopes.
The following scopes are required for permission to read/write the resources exposed by the MyAccount API:
profile:
okta.myAccount.profile.read
okta.myAccount.profile.manage
email:
okta.myaccount.email.read
okta.myaccount.email.manage
phone:
okta.myaccount.phone.read
okta.myaccount.phone.manage
MyAccount API is published as a submodule under @okta/okta-auth-js
package, you can access the myaccount module by following the snippets below:
ES module:
import { getEmails } from '@okta/okta-auth-js/myaccount';
CommonJS:
const { getEmails } = require('@okta/okta-auth-js/myaccount');
The built library bundle is also available on our global CDN. Include the following script in your HTML file to load before your application script:
⚠️ The version shown in this sample may be older than the current version. We recommend using the highest version available
<script src="https://global.oktacdn.com/okta-auth-js/6.7.0/okta-auth-js.min.js" type="text/javascript"></script>
Then you can create an instance of the OktaAuth
object, available globally, then access MyAccount API methods under myaccount
namespace.
const oktaAuth = new OktaAuth({
// config
});
const emails = await oktaAuth.myaccount.getEmails();
Types are exposed from both module level and SDK entries, for environment with typescript version 4.7 or above, you can import types from both module and SDK entries. But if you are with lower typescript versions, please import types from the main SDK entry.
See typescript release notes for detailed information.
Import from module entry
import { getEmail } from '@okta/okta-auth-js/myaccount';
Import from SDK entry
import { getEmail } from '@okta/okta-auth-js';
For additional security, the MyAccount API requires a higher assurance level to protect the end user's account from being manipulated by malicious actors. If the access token
provided does not meet the required assurance level, an error will be thrown to prompt the user to re-authenticate. Applications consuming the MyAccount API will need to handle this error condition. When this occurs, myaccount
methods will throw an AuthApiError
with insufficient_authentication_context
in errorSummary
and max_age
in meta
field, like so:
{
name: 'AuthApiError',
errorSummary: 'insufficient_authentication_context',
errorCauses: [{
errorSummary: 'The access token requires additional assurance to access the resource'
}],
meta: {
max_age: 900
}
}
Bootstrap re-authentication flow by calling getWithRedirect
with maxAge
.
await getWithRedirect(
oktaAuth,
{
prompt: 'login',
maxAge,
scopes,
extraParams: {
id_token_hint: idToken
}
}
);
Bootstrap re-authentication flow by calling oktaAuth.idx.authenticate
with maxAge
.
const transaction = await oktaAuth.idx.authenticate({ maxAge });
// then render form based on new transaction
Bootstrap embedded widget by passing max_age
in authParams
. Then start authentication flow from there.
const { issuer, clientId, redirectUri, scopes } = oidcConfig;
const widget = new OktaSignIn({
baseUrl: issuer.split('/oauth2')[0],
clientId,
redirectUri,
authParams: {
scopes,
...(maxAge && { maxAge }),
},
useInteractionCodeFlow: true,
});
See MyAccount API reference documentation for detailed API definitions.