Generating JWT for third-party API

Hello, I am developing an API that accepts JWTs containing a payload specific to my API in order to manage Multi-Tenant accesses.

I’m having a hard time finding my way through the Okta documentation to answer my question.

Here is the use case:

The company has several third-party services and wants to centralize the generation of tokens to these different third-party services.

A user connects to the website through the sign-in proposed by Okta. Is Okta able to generate JWTs specific to each third-party service that will be used according to what the user needs or does?

Does the third-party service have to be coupled in any way to Okta? (Exchanging specific network calls?)

Thank you a lot for your answer and help.

Yes it’s possible.

  1. If you need a JWT generated for your service with a special set of information, these claims have to be configured for your Okta authorization server/scope.

  2. You only need to register the service with Okta if you plan to do online JWT introspection. Otherwise your service can periodically check your (Okta) authZ server JWKS URL (manually or through a JWT verification library) to stay aware of the current signing key.

Hi phi1ipp!

Thank you for this answer!

As it is, I want to avoid coupling my API product, which can be distributed to several users as a binary, but I would like the API to be interoperable with systems like Okta for users who would find it useful.

In the case of JWTs generated for my service, they must be signed by an API key previously generated on my API to be valid. In this case, are there any hooks or a way to store them in Okta to use it when generating the JWTs?

Are there any claims reserved by Okta, or that should not be used for validation/business logic? I'm thinking of iss, for example.

Thanks for your answer, it's really helpful.