A basic CRUD app. We need access controls on both the frontend and backend.
- Frontend: a React SPA, registered as an OpenID PKCE app. We're using the @okta/react library to manage this
- Backend: a protected Spring Boot REST API resource server registered as an OpenID web app. We're using okta-spring-boot-starter
- User visits the SPA and authorises access.
- SPA makes requests to the backend using the authorisation granted by the user.
- Logging into the SPA
- Making authorised requests to the backend when generating the access token through https://oauthdebugger.com
How does the SPA get the access token required for use of the protected backend using the authorisation it has already obtained?
When I try to pass the SPA's access token through to the backend (via the 'Authorization: Bearer ...' header) the backend responds with
WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"