Build a secure go and react app

OKTA noob here. I am building an app with golang as a backend server and react for frontend. I should be able to hit the APIs directly using the okta tokens and also the UI should redirect me to okta when I log in. How should I proceed with this?

You can actually plug our two sample apps together if you want to test that out:

  • React SPA on the frontend with an Okta hosted login (redirect based): samples-js-react/okta-hosted-login at master · okta/samples-js-react · GitHub

  • Golang resource server that will support the /messages route of the app: samples-golang/resource-server at master · okta/samples-golang · GitHub

Hello @andrea. Can we just merge them both like the example here: “samples-golang/okta-hosted-login at master · okta/samples-golang · GitHub”?

Just to be clear, I should be able to hit my golang endpoints from the UI as well as directly through Postman. Thank you for your reply.

That sample is a little different from the resource server sample: there the Golang app itself requests and stores the tokens, whereas the resource server sample relies on the React SPA to handle the tokens. You can try to set it up the way you’ve described, but I’m not sure how well the existing samples will work to help you set this up.

Thanks for the quick response @andrea. My doubt is: if my UI (react in this case) handles the tokens, how can I hit the golang resource server directly? Is there a way to directly generate the token if some client has to hit the resource server directly through a python script?

You still need to get the access token to authorize the request to the resource server, but OIDC flows to get tokens typically occur in the browser (since the user needs to be prompted for their username/password).

Does your app only need to get tokens via script? Do the tokens need to be generated for a specific user, or do you just need a machine-to-machine connection (aka, can you use a service app to get the tokens instead)?

  • Users can raise a request from UI, which in turn will hit golang resource server.

  • Some teams want to hit our APIs directly from a python script. So, we need to generate the tokens via script. Yes, the tokens need to be generated for specific users only.

  • From UI, we will get an access code and we can exchange it for an access token and then hit the golang server with this token. I am not sure how to generate this access token in a python script and hit the golang server.