Best approach for legacy stack?

I have a spring boot API with a really old UI, and a client that wants to use SSO to authenticate onto our site. I have their Okta clientId, clientSecret, and issuer url. I am extremely new to SSO and hope someone can make a suggestion for best path forward. I am thinking:

  • client user provides their login credentials via a form on my really old UI. These are POST’d to my API
  • My API will take those credentials, make some sort of request to Okta
  • The Okta response will tell me if the auth call was successful, and if so return a JWT (we create) to the UI. If unsuccessful I will return the appropriate call.

The problem I have is I don’t think the UI can actually handle a redirect to Okta and then to our API. So, the best option I see if to have the API treat their form request as a password with Okta being the backer.

Open to ideas here, this feels wrong but I don’t see a way around it.

Since you’re using Spring Boot, could you use Okta Spring Boot library for your scenario?

Otherwise, I don’t think you can avoid a redirect (for the /authorize request).

is there a path I should be looking for in the okta spring boot approach that would allow my API to make the call give the credentials?

It looks like they have a few sample apps. The hosted-login-flow sample might match your scenario but it’s using the Okta widget to handle authentication instead.

Thank you Warren, I am reading up on the examples to see if I can use my hybrid approach. I really don’t want the redirect if possible, but maybe I can’t avoid that.

I am struggling here - I eventually created a Okta account, and application to authenticate. In the code sample above, it asks for three credentials:

issuer (found it as my url)
client-secret (generated apparently)

But I cannot find my client-Id anywhere in that portal. So when I navigate to localhost:8080. I get the redirect and then the error:
Unable to connect to the server. Please check your network connection.

How do I find this clientId?

If you created a Web type OIDC app then you should see it on the General tab:

Thank you, apparently I had created the wrong kind of Web app initially. When I get the Okta login dialog by running locally, I get a failure message that its unable to connect to server. In the Chrome Network debugger I see a CORS issue despite setting my trusted origin in my admin API panel.

Can you share the error message you’re seeing?

Here is a screenshot of what I am seeing. Not sure if this is helpful?

Can you show the error from the Console tab?

Request URL: https://dev-46569873.okta.com/api/v1/authn
Referrer Policy: strict-origin-when-cross-origin
Provisional headers are shown
Accept: application/json
Accept-Language: en
Content-Type: application/json
DNT: 1
Referer: http://localhost:8080/
sec-ch-ua: “Google Chrome”;v=“89”, “Chromium”;v=“89”, “;Not A Brand”;v=“99”
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
X-Okta-User-Agent-Extended: okta-signin-widget-2.13.0
X-Okta-XsrfToken
{username: “uat@talentwave.com”,…}
options: {warnBeforePasswordExpired: true, multiOptionalFactorEnroll: false}
password: “password”
username: “uat@talentwave.com

Do you have http://localhost:8080 added as a trusted origin in Okta?