Hi, I have a general question (about design of applications) that I would like to clarify.
I have a REST service that acts as a resource server (Spring Boot, but that probably doesn't matter at all). It only validates the JWT token that should be passed to it with every response.
I have a web UI application that should authenticate users using Okta and pass the JWT token to my web service.
There will also be other web services communicating with my service, and they will all also have to be authenticated using Okta.
In our company we have one common auth server.
The questions are the following:
- Can I use the same client ID in all services to perform authentication/validation, or is it better for each client to have a separate client ID? In case each client needs to have its own client ID, I assume it's not an issue to validate a JWT token with client_id1 if it was issued for the service with client_id2? I'm actually leaning toward a separate client_id for each client...
- I think it's a bit off-topic, but I don't want to create many threads, so: I want to use the groups claim during authorization. The docs say that this has to be configured by the system administrator, so I guess I can get access to the user's group in my web service after token validation?
I’m open to suggestions if application flow has to be different.
Thanks in advance for responses.
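As an added illustration of the resource-server checks this question turns on (not part of the original post, and not Okta's or Spring Security's code): the audience check is what rejects a token that was issued for a different client or service, and the groups claim is only read after every check has passed. The issuer URL, audience string and shared HMAC secret are constructed placeholders; Okta actually signs tokens with RS256 keys published through its JWKS endpoint, so a real server fetches those keys instead of using a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a shared HMAC secret stands in for the RS256 keys Okta
# publishes via JWKS; the issuer and audience are placeholders, not real endpoints.
SECRET = b"demo-shared-secret"
ISSUER = "https://example.okta.com/oauth2/default"
API_AUDIENCE = "api://my-rest-service"   # the audience this resource server accepts

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the authorization server: issue an HS256 JWT for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, now: int) -> dict:
    """Resource-server checks: alg, signature, issuer, audience, expiry.
    `now` is the current time in epoch seconds, passed in so the checks are testable."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick its own algorithm
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims   # only now is claims["groups"] safe to use for authorization

def accepts(token: str, now: int) -> bool:
    """True if the token passes every check in validate_token."""
    try:
        validate_token(token, now)
        return True
    except ValueError:
        return False
```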