Backchannel vs Front channel Okta integration

This will probably be the first question for everyone implementing security (Okta integration) for any web application. We have an SPA with React + Spring Boot, so I am planning to integrate Okta and thinking about the best way to integrate it to give maximum security. I am seeing a lot of limitations with Okta integration. I want to pass an access token for each API call from React to Spring.
Possible design solutions I am thinking of:

1. Okta React integration and keep Spring as a resource server. But I have read that implementing the front channel is less secure because all token info and user info is exposed in the browser…?
2. Spring form login. Implement everything in the Spring layer and pass the access token back to the React layer. But here, how can I pass the access token and the logged-in user claim object back to React…? I am facing some challenges here; I also want to include some more info after the user has logged in.

So what is the best way to implement this? My application is going to be exposed to the internet and the app data also needs to be secure. Please suggest. Thanks for your help in advance.


You can do the authorization code flow or PKCE; both should be quite secure and applicable to your architecture.

Thanks for the suggestion. I think the authorization code flow is not suitable if I implement client-side authorization because the secret key will be exposed in the JavaScript file. So the only option is PKCE.

I am still investigating a suitable design and am having issues with redirection (hash routes, localhost:8080/#/) when trying to implement it with the React Okta login widget. Now I am exploring JavaScript-based Okta login. Basically I want to customize the Okta login page and at the same time get hold of the complete OIDC userinfo object in the Spring layer, so I am kind of going in circles now :frowning:

As you have your backend, you can consume Okta's OIDC token there and then use your own cookie/token mechanism between your back end and front end to pass the session/user information. I don't see an issue here using the authz code mechanism, because of the above.

But of course, you can go with PKCE on the front end. I'm not a React guy, so I can't suggest anything besides checking the Okta guides on the same topic.


Any suggestions on how to create an Okta custom login page with Spring?


Well, if you want to have your own login page, then I misguided you, sorry. I believe Spring OIDC will redirect you to the authz server for authentication.

So in case you want to have user info at the Spring layer, you may obtain the id_token and pass it to the Spring layer. Or you can have your Spring layer use an Okta API token and get all the information from the backend with the help of Okta API calls.
