I am trying to decide which Workflow best works for our system.
We are planning to build a system that can be roughly described like this:
There is a frontend Web SPA built on ReactJS that is rendered in a browser. It’s not a native app.
There is a backend that exposes some endpoints via REST or GraphQL to the frontend for whatever data it wants to get (e.g. NodeJS and Express).
My thoughts on adding Okta Authorization to this type of system are:
Implement the Code Flow with PKCE at the frontend, so users can log in (no backend involved, just frontend and Okta servers).
The frontend can then pass the access and ID tokens to the backend, and the backend can then talk to Okta to verify if those are valid tokens. If they are then it allows access to protected resources.
Am I correct on my thinking or am I missing something?
The documentation shows steps for Authorization Code Flow with PKCE with a native app, no backend involved, so I am not quite sure if the way I envision my system is correct or not.