I want to allow a user to update profile information from a SPA.
I know I can do this using the Okta API. I use an API Token from the backend API. However, this creates a security risk if my backend server is compromised.
Is it possible to modify a user's profile data by using their JWT token? i.e. the frontend forwards the JWT token to the backend. The backend then updates the user's Okta profile data for the application using the JWT for auth, i.e. calling /api/v1/users/me.
Can you call "/api/v1/users/me" without using an API token or JWK?
Does a user have permissions by default to edit all profile values?