Can I use a login token to make calls to the okta api

I’ve created a spa that authenticates with Okta. I also have my backend, spring boot which is configured with OktaOAuth2WebSecurityConfigurerAdapter to authorize all requests. I’d like to be able to make API calls to my dev account to do things like list the groups,users, etc… I’m wondering if I can do this without creating an API token specifically for the backend, i.e just use the token created when authenticating the frontend.

Are you using a custom authorization server or the org authorization server?

There is a feature that will allow you to use access tokens minted by the org authorization server with the Okta API.

Important: You request an access token by making a call to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes.

https://developer.okta.com/docs/guides/implement-oauth-for-okta/overview/

However, I believe Sprint Boot may also be validating the tokens locally which only works with a custom authorization server.
https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token

You may want to confirm whether your Spring Boot backend will work with the org authorization server first.

1 Like