I have a spring boot API with a really old UI, and a client that wants to use SSO to authenticate onto our site. I have their Okta clientId, clientSecret, and issuer url. I am extremely new to SSO and hope someone can make a suggestion for best path forward. I am thinking:
- client user provides their login credentials via a form on my really old UI. These are POST’d to my API
- My API will take those credentials, make some sort of request to Okta
- The Okta response will tell me if the auth call was successful, and if so return a JWT (we create) to the UI. If unsuccessful I will return the appropriate call.
The problem I have is I don’t think the UI can actually handle a redirect to Okta and then to our API. So, the best option I see is to have the API treat their form request as a password grant with Okta being the backer.
Open to ideas here, this feels wrong but I don’t see a way around it.
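One concrete alternative to the password-grant plan above, added here as an example and not taken from the poster's project: let Spring Security run the OpenID Connect authorization-code flow against Okta. The redirect to Okta and back is performed by the user's browser and by Spring Security's own filter at `/login/oauth2/code/{registrationId}`, so the old UI only needs to link to `/oauth2/authorization/okta` and the client's password never passes through your API. Assumptions: Spring Boot 3 / Spring Security 6 with the `spring-boot-starter-oauth2-client` dependency, a client registration named `okta`, the package name `com.example.sso`, and the paths `/app` and `/api/me`; the issuer URL, client id and secret are the ones the poster already has and are shown as placeholders.

```java
// Added example (not the poster's code): Okta SSO with the authorization-code
// flow handled by Spring Security. Assumed application.yml (values are placeholders):
//
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           okta:                       # assumed registration id
//             client-id: ${OKTA_CLIENT_ID}
//             client-secret: ${OKTA_CLIENT_SECRET}
//             scope: openid, profile, email
//         provider:
//           okta:
//             issuer-uri: https://YOUR-OKTA-DOMAIN/oauth2/default   # placeholder issuer
//
// Okta must have {baseUrl}/login/oauth2/code/okta registered as the sign-in redirect URI;
// Spring Security discovers the authorization, token and JWKS endpoints from the issuer.
package com.example.sso;

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SsoSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Landing page and the login/error endpoints stay public; everything else
            // requires an authenticated session established through Okta.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login/**", "/error").permitAll()
                .anyRequest().authenticated())
            // oauth2Login() wires the authorization-code + PKCE-capable flow: the browser
            // is redirected to Okta, Okta redirects back with a code, Spring exchanges the
            // code for tokens server-side and validates the ID token signature against
            // Okta's JWKS. The UI never handles the code or the client secret.
            .oauth2Login(oauth -> oauth.defaultSuccessUrl("/app", true))   // "/app" is assumed
            .logout(logout -> logout.logoutSuccessUrl("/"));
        return http.build();
    }
}

// Small endpoint the old UI can call after login to learn who the session belongs to,
// instead of minting its own JWT; the identity comes from the validated ID token.
@RestController
class MeController {

    @GetMapping("/api/me")   // assumed path
    Map<String, Object> me(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("subject", user.getSubject());
        claims.put("email", user.getEmail());     // may be null if the email scope is absent
        claims.put("issuer", user.getIssuer());
        return claims;
    }
}
```

With this in place the old UI's login button is just an anchor to `/oauth2/authorization/okta`; the session cookie Spring issues after the callback is what authenticates later calls to the API, so the UI needs no JavaScript to follow redirects. If the API must still hand the UI a token it creates itself, that token can be minted inside a custom success handler after `oauth2Login()` has validated the user, which keeps Okta as the only place that ever sees the password.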