I want to allow a user to update profile information from a SPA.
I know I can do this using the Okta API. I use an API Token from the backend API. However, this creates a security risk if my backend server is compromised.
Is it possible to modify a user's profile data by using their JWT token? i.e. the frontend forwards the JWT token to the backend. The backend then updates the user's Okta profile data for the application using the JWT for auth, i.e. calling /api/v1/users/me.
Can you call “/api/v1/users/me” without using an API token or JWK ?
Does a user have permissions by default to edit all profile values?
What is the process for my backend API to call “/api/v1/users/me” on behalf of the user using the frontend user's JWT token?
i.e. user logs into react app using OIDC. They are assigned a JWT by the authorisation server. Now I want to update a profile value using the Users API “/api/v1/users/me”. However, I keep getting 401 errors.
The JWT will need to be issued by the Org Authorization Server (iss = https://org.okta.com) and have been granted the “okta.user.manage.self” scope; then you can use the token as bearer auth for your API call.
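The flow described in the answer above, as an added example that is not code from the original thread or from Okta: a Node.js backend handler that takes the SPA user's own access token, pre-checks that its `iss` is the Org Authorization Server and that `okta.user.manage.self` was granted (the two reasons the questioner's calls would come back 401), copies only an allow-list of profile fields, and forwards the token as bearer auth to POST /api/v1/users/me. `ORG_ISSUER`, the `EDITABLE_FIELDS` allow-list, the injectable `fetchImpl`, and the sample tokens are assumptions made for the example; that POST is the partial-update form of the Users API is taken from Okta's documentation.

```javascript
// Added example, not code from the original thread. Assumes Node.js 18+ (global fetch, Buffer).
// ORG_ISSUER is a placeholder for your own Okta org URL; the path-less org URL is the
// Org Authorization Server issuer. A custom authorization server such as
// https://org.okta.com/oauth2/default has a different iss and its tokens are not
// accepted by the Okta management API, which is the usual cause of the 401.
const ORG_ISSUER = 'https://org.okta.com';
const REQUIRED_SCOPE = 'okta.user.manage.self';

// Profile attributes this backend lets the user change (assumed allow-list for the example).
const EDITABLE_FIELDS = ['firstName', 'lastName', 'mobilePhone'];

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Decode, but do not verify, the token's claims. The backend makes no trust decision
// from these claims; Okta verifies the signature when the token reaches /api/v1/users/me.
// This is only a pre-flight check so that a token from the wrong authorization server or
// without the scope fails with an explanatory error instead of a bare 401 from Okta.
function checkTokenForSelfUpdate(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS token' };
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, reason: 'unparseable claims' };
  }
  // Org Authorization Server access tokens carry the granted scopes in the "scp" array claim.
  const scopes = Array.isArray(claims.scp) ? claims.scp : [];
  if (claims.iss !== ORG_ISSUER) {
    return { ok: false, reason: `iss ${claims.iss} is not the Org Authorization Server ${ORG_ISSUER}` };
  }
  if (!scopes.includes(REQUIRED_SCOPE)) {
    return { ok: false, reason: `token was not granted ${REQUIRED_SCOPE}` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'token expired or has no exp' };
  }
  return { ok: true };
}

// Copy only allow-listed attributes so the SPA cannot push arbitrary profile fields.
function buildProfilePatch(requested) {
  const profile = {};
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(requested, key)) profile[key] = requested[key];
  }
  return profile;
}

// Backend handler: forward the user's own bearer token to Okta. No org-wide API token is
// involved, so a compromised backend gains nothing beyond what the user could do anyway.
// fetchImpl is injectable so the flow can be exercised offline.
async function updateOwnProfile(jwt, requested, fetchImpl = fetch) {
  const check = checkTokenForSelfUpdate(jwt);
  if (!check.ok) return { status: 400, body: { error: check.reason } };
  const profile = buildProfilePatch(requested);
  if (Object.keys(profile).length === 0) {
    return { status: 400, body: { error: 'no editable fields supplied' } };
  }
  // POST is the partial-update form of the Users API (PUT replaces the whole profile).
  const res = await fetchImpl(`${ORG_ISSUER}/api/v1/users/me`, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${jwt}`,
      'Content-Type': 'application/json',
      Accept: 'application/json',
    },
    body: JSON.stringify({ profile }),
  });
  return { status: res.status, body: await res.json() };
}

// Test-input helper: builds an unsigned token with the given claims. Real Okta tokens are
// RS256-signed; this exists only to construct offline sample input for the checks above.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}
```

The pre-flight check deliberately stops at decoding: the backend here does not act on the claims itself, it only avoids forwarding a token Okta will reject. If the same backend also authorizes its own endpoints from this token, verify the signature against the org's JWKS first. The allow-list matters because the token grants whatever Okta's profile policy lets the user change, not only the fields your UI exposes.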