Allow users to update their own profiles without exposing tokens

Hello,

I’ve got a angular web application which I can successfully sign into via Okta. I’d like to use Okta as my single source of truth for user details.

Is it possible to allow users to update their own details in Okta via REST calls? I know I can update the profiles using private tokens but I don’t think these should be exposed via web application. Is there something similar to how other providers do it via metadata?

Otherwise is my only other solution to have users submit requests to one of our trusted servers, and then push that up? Seems like double handling I’d like to avoid if possible.

Cheers

Great question. You’re right, exposing private tokens (what Okta calls API tokens) in a browser app is not the right solution.

Right now, the best solution is the second one you described: your browser app sends a request to your API, which has access to the API token (in a trusted environment) and builds/sends a request to Okta. You can use our management SDKs to make those server-side requests easy (we have SDKs for .NET, Java, Node).

You’re also right that it’s a “double hop”. We are working on adding OAuth scopes to our management APIs (including the Users API, which covers profile updates), so you can safely use the OAuth token you already have in your browser app to call Okta directly and eliminate the extra request. This feature isn’t done yet but you can follow it in the Product Roadmap (currently under In Progress).