Api that sits between a spa and okta

So given that there is a spa where users are being authenticated through Okta, how would we go about placing an api between them so the spa interacts with the api for authentication services. This would facilitate, hopefully, adding other platforms e.g. a mobile app, where the authentication code would not have to be repeated.

If an api sits between the spa and Okta, would that api have to use an authorization code flow still.
And in this case, is it possible for the process of redirecting the user to the /authorize endpoint and extracting the code from the redirect uri still possible.

Trying to figure out an appropriate architecture and would really advice or a link to appropriate documentation on this possibility.

Hello @abujafarjam,

Can I ask why you are attempting to place an authentication layer between the SPA and Okta? We do have the ability to provide authentication through Okta’s universal directory and any linked IdPs. Are you attempting to avoid using this, or to avoid authenticating through Okta specifically? If so, what function are you wanting Okta to perform with regards to your Authentication? If you’re just attempting to avoid users being created in your Universal Directory you can set up any number of IdPs, and it’s not necessary to provision with them if you would like to just use Okta as a “pass through” of sorts: Identity Providers

As for flows, you can choose an app type between a Web app, a SPA, or a Native app which may allow you to recalibrate on your architecture concerns. We have some good information about this here so you can make an informed decision: OAuth 2.0 and OpenID Connect overview | Okta Developer

1 Like

Good afternoon @daniel.sanders

So it’s based on requirements that were given to us. We are using the SPA flow with a NextJS application. However, we would like to be able to add a mobile app down the road with out having to repeat the authentication code we wrote before. Login will still be handled by the front end application, however we want to be able to revoke and refresh tokens from an api we are building.

That being said, the question I relay have is how to call the /revoke and /token end point for a spa flow given that there is no client secret.

I am trying in postman and I am getting either a 401 or 403. Some guidance on this would be helpful.

Good morning @daniel.sanders ,

This is an image of postman, what should change in the authorization section of postman.

@abujafarjam I see, so when calling /revoke in that way you can use a number of different Client Authentication Methods as described here: OpenID Connect & OAuth 2.0 API | Okta Developer while several examples of how to do this are here: Revoke Tokens | Okta Developer

In this case, without a client secret you would likely use “none” here as the method, or “No Auth” in Postman. Since a client can only revoke its’ own tokens this should work just fine, but you’ll want to make sure you include the “client_id” in the request body so the call can hit the correct application in Okta.

1 Like

Good afternoon @daniel.sanders ,

Thanks a lot this worked for me.

I will probably have more question over the next couple of days but thanks a lot again.