So given that there is a SPA where users are being authenticated through Okta, how would we go about placing an API between them so the SPA interacts with the API for authentication services? This would facilitate, hopefully, adding other platforms, e.g. a mobile app, where the authentication code would not have to be repeated.
If an API sits between the SPA and Okta, would that API still have to use an authorization code flow?
And in this case, is the process of redirecting the user to the /authorize endpoint and extracting the code from the redirect URI still possible?
Trying to figure out an appropriate architecture and would really appreciate advice or a link to appropriate documentation on this possibility.
Can I ask why you are attempting to place an authentication layer between the SPA and Okta? We do have the ability to provide authentication through Okta’s universal directory and any linked IdPs. Are you attempting to avoid using this, or to avoid authenticating through Okta specifically? If so, what function are you wanting Okta to perform with regards to your Authentication? If you’re just attempting to avoid users being created in your Universal Directory you can set up any number of IdPs, and it’s not necessary to provision with them if you would like to just use Okta as a “pass through” of sorts: Identity Providers
As for flows, you can choose an app type between a Web app, a SPA, or a Native app which may allow you to recalibrate on your architecture concerns. We have some good information about this here so you can make an informed decision: OAuth 2.0 and OpenID Connect overview | Okta Developer
So it’s based on requirements that were given to us. We are using the SPA flow with a NextJS application. However, we would like to be able to add a mobile app down the road without having to repeat the authentication code we wrote before. Login will still be handled by the front-end application; however, we want to be able to revoke and refresh tokens from an API we are building.
That being said, the question I really have is how to call the /revoke and /token endpoints for a SPA flow given that there is no client secret.
I am trying in Postman and I am getting either a 401 or 403. Some guidance on this would be helpful.
In this case, without a client secret you would likely use “none” here as the method, or “No Auth” in Postman. Since a client can only revoke its own tokens this should work just fine, but you’ll want to make sure you include the “client_id” in the request body so the call can hit the correct application in Okta.
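The exchange the reply above describes, as an added example that is not part of the thread and not Okta’s own code: a public client (SPA or Native app, so no client secret) calls /token with the refresh_token grant and /revoke by sending the client_id in the form-encoded body and no Authorization header, which is what the “none” client authentication method means. The issuer URL and client_id are placeholders, and the fake Okta responder at the bottom is constructed only so the exchange can be run offline; it rejects the two mistakes the thread is about (missing client_id, or a Basic Authorization header sent from a public client), which are common reasons for a 401 on these endpoints.

```javascript
// Added example (not from the thread): refresh and revoke tokens for a public
// OAuth client (SPA / Native app) against Okta, where no client_secret exists.
// Client authentication method is "none": client_id travels in the form body,
// and no Authorization header is sent. Issuer and client_id are placeholders.

const ISSUER = "https://dev-000000.okta.com/oauth2/default"; // placeholder issuer
const CLIENT_ID = "0oaPLACEHOLDERclientid";                   // placeholder client_id

// Shared builder for /token and /revoke. URLSearchParams guarantees the
// application/x-www-form-urlencoded encoding both endpoints require.
function buildPublicClientRequest(endpoint, params) {
  const body = new URLSearchParams({ client_id: CLIENT_ID, ...params });
  return {
    url: `${ISSUER}/v1/${endpoint}`,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        Accept: "application/json",
        // Deliberately no Authorization header: a public client has no secret,
        // so it cannot use client_secret_basic / client_secret_post.
      },
      body: body.toString(),
    },
  };
}

// Refresh: exchange a refresh_token for a new access token (and, with refresh
// token rotation enabled on the Okta app, a new refresh token as well).
function buildRefreshRequest(refreshToken, scopes = "openid offline_access") {
  return buildPublicClientRequest("token", {
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    scope: scopes,
  });
}

// Revoke: invalidate a refresh_token (or access_token). token_type_hint is
// optional; a client may only revoke tokens that were issued to it.
function buildRevokeRequest(token, tokenTypeHint = "refresh_token") {
  return buildPublicClientRequest("revoke", { token, token_type_hint: tokenTypeHint });
}

// Send a built request through an injectable fetch so the flow runs offline.
// /revoke answers 200 with an empty body on success (RFC 7009); /token returns JSON.
async function sendRequest({ url, options }, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, options);
  const text = await res.text();
  if (!res.ok) {
    // Okta reports client/auth problems as 400/401/403 with an `error` field.
    throw new Error(`${options.method} ${url} failed: ${res.status} ${text}`);
  }
  return text ? JSON.parse(text) : {};
}

// Constructed fake Okta responder used only to demonstrate the exchange offline.
// It enforces the two rules from the reply: client_id must be in the body, and
// a public client must not send an Authorization header.
function fakeOktaFetch(url, options) {
  const params = new URLSearchParams(options.body);
  const respond = (status, payload) => ({
    ok: status < 300,
    status,
    text: async () => (payload === undefined ? "" : JSON.stringify(payload)),
  });
  if (options.headers.Authorization) {
    return respond(401, { error: "invalid_client", error_description: "unexpected client authentication" });
  }
  if (params.get("client_id") !== CLIENT_ID) {
    return respond(401, { error: "invalid_client", error_description: "client_id missing or unknown" });
  }
  if (url.endsWith("/v1/token") && params.get("grant_type") === "refresh_token") {
    return respond(200, { token_type: "Bearer", expires_in: 3600,
      access_token: "new.access.token", refresh_token: "new-refresh-token" });
  }
  if (url.endsWith("/v1/revoke")) {
    return respond(200); // empty 200 whether or not the token was still valid
  }
  return respond(400, { error: "unsupported_grant_type" });
}

// Walk through refresh followed by revocation of the newly issued refresh token.
async function demo() {
  const refreshed = await sendRequest(buildRefreshRequest("old-refresh-token"), fakeOktaFetch);
  const revoked = await sendRequest(buildRevokeRequest(refreshed.refresh_token), fakeOktaFetch);
  return { refreshed, revoked };
}
```

To get a refresh token from Okta in the first place, the app’s grant types must include Refresh Token and the login request must ask for the `offline_access` scope. If an API of your own performs these calls on behalf of the SPA and a future mobile app, the request shape does not change: the API still identifies the originating public client by its client_id, and the refresh token it forwards must only ever travel over TLS and should be stored server-side rather than echoed back to the browser.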