Authorization Code Flow with PKCE for Web Apps (frontend/backend) - not Native Apps

I am trying to decide which Workflow best works for our system.

We are planning to build a system that can be roughly described like this:
There is a frontend Web SPA built on ReactJS that is rendered in a browser. It’s not a native app.
There is a backend that exposes some endpoints via REST or GraphQL to the frontend for whatever data it wants to get (e.g. NodeJS and Express).
My thoughts on adding Okta Authorization to this type of system are:
Implement the Code Flow with PKCE at the frontend, so users can log in (no backend involved, just frontend and Okta servers).
The frontend can then pass the access and ID tokens to the backend, and the backend can then talk to Okta to verify if those are valid tokens. If they are then it allows access to protected resources.

Am I correct on my thinking or am I missing something?
The documentation shows steps for Authorisation Code Flow with PKCE with a native app, no backend involved, so I am not quite sure if the way I envision my system is correct or not.

Yeah, it’s a totally valid approach. You can also set up your back/front end to establish its own session with a cookie (or token) to make your session management simple, if they both are within the same domain and you don’t plan to introspect the access token for each request to the backend.
