Hi - I have an ecommerce application with SPA as front end and API server as backend. For logged in users, I will use “Authorization Code with PKCE” grant type, so no issues. But for my guest checkout (anonymous user), I don’t know which grant type I can use. The closest I can find would be the “Client Credentials” grant type but this is a public facing site hence client id and secret may be compromised. Is there any industry standard for this kind of anonymous user pattern using which we can secure the API service?
Hi there. I do not know of any industry standards for this use-case - but you would still want to stick with the auth code PKCE flow. As you alluded to, you should not be storing a client secret anywhere except a secure backend server. The client credentials flow is mainly for machine-to-machine backend communication.
I would need to know more about your guest checkout flow to spitball any possible solutions.
Thank you @Cale for the response. My use case is a typical ecommerce use case. Say for example let us take target.com site. You can purchase a product after logging in, also you can do the same with guest checkout. Assume that all my page data for home, product listing page, checkout are served by the API server.
For logged-in flow, I will get the access token from Okta Authorization server after providing the user credentials. I will pass that access token to the API server and will do local validation of the access token and then allow the restricted page to be accessed.
For guest (or anonymous user) flow, I will not be able to get the access token using Authorization grant since I don’t have any user credentials to share with Okta to pass the authentication layer. So how can I get an access token with no auth? Yes, I wanted to use Authorization with PKCE grant for anonymous user too.
When I did a Google search for access token with no auth, it came up with links suggesting that I use Okta Access Gateway. In our organization, we currently have only Okta Customer tenant. Hence I wanted to use that to get this requirement working. Access Gateway will be an overkill and more process-oriented for me to procure.
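The local access-token validation the poster describes for the logged-in flow, as an added example (not code from the thread or from Okta's SDKs). It assumes an issuer URL, an audience value and a scope name for the API; the HS256 key is a constructed stand-in so the block runs offline, whereas Okta mints RS256 tokens that the API server must verify against the authorization server's JWKS with a proper library.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed demo key: stands in for the RS256 key Okta uses. In production the API
# server fetches the authorization server's JWKS and verifies RS256 with a library
# (e.g. okta-jwt-verifier or PyJWT); an HMAC shared secret is never used with Okta.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://example.okta.com/oauth2/default"   # assumed issuer URL
AUDIENCE = "api://ecommerce"                          # assumed audience claim

def make_demo_token(claims):
    """Mint an HS256 token for the demo only (Okta mints RS256 tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_access_token(token, required_scope="checkout:write", now=None, leeway=60):
    """Local validation as the API server does it: signature, then iss/aud/exp/nbf/scp.
    Returns the claims on success, raises ValueError naming the first failed check."""
    now = now if now is not None else int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the expected alg; rejects "none" (RS256 in prod)
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")   # token minted for another API must not be accepted
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("not yet valid")
    if required_scope not in claims.get("scp", []):   # Okta carries scopes in "scp"
        raise ValueError("missing scope")
    return claims
```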