I have a problem with understanding how to authorise calls of web tier to micro-services.
We have a classical web application comprised of the following components:
- we also have a few microservices which are called by the backend.
I understand how to secure calls between two microservices with Okta. I just need to configure clients in Okta for each micro-service with the ‘client_credentials’ flow and also configure an authorization server for the callee. Then I can configure Spring Security on the caller side to automatically obtain access tokens when the caller makes a call. Works fine!
But it is unclear how to set up access tokens for the backend calling a micro-service. The backend already has a client in Okta with the ‘authorization_code’ flow (acts on behalf of a user) and gets (only) an ID token for the user during authentication. Now the backend needs to somehow get access tokens to call the microservice. Do I need to configure one more client in Okta for the backend? Or should I allow both the client_credentials and authorization_code flows on the existing client? Does it mean that the backend will have to authorise twice (once for the user and once as a machine-to-machine call)? Will it call the micro-service on behalf of a user or as a machine? How do I configure Spring Security to make this happen automatically?
Unfortunately, I could not find any articles around this case.
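For reference, this is the machine-to-machine setup the question above describes as already working: a Spring Security 5 caller that obtains an access token with the `client_credentials` grant and attaches it to outgoing `WebClient` calls. It is an added illustration, not the poster's code and not Okta or Spring project code. The registration id `ms-caller`, the Okta token URI, the scope `callee.read` and the callee base URL are placeholder assumptions; the on-behalf-of-user case the poster asks about is not covered here.

```java
// Added example (not the poster's code): Spring Security 5 client_credentials caller.
// All identifiers below are assumed placeholders.
//
// application.yml (assumed values):
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           ms-caller:
//             client-id: ${OKTA_CLIENT_ID}
//             client-secret: ${OKTA_CLIENT_SECRET}
//             authorization-grant-type: client_credentials
//             scope: callee.read
//             provider: okta
//         provider:
//           okta:
//             token-uri: https://dev-000000.okta.com/oauth2/default/v1/token

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class CalleeClientConfig {

    // A manager backed by OAuth2AuthorizedClientService works outside of an HTTP
    // request context, which is what a machine-to-machine caller (scheduled job,
    // message listener, or a service-to-service call) needs. It caches the token
    // and requests a new one from the token endpoint when it is about to expire.
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // WebClient that adds "Authorization: Bearer <access token>" to every request,
    // using the "ms-caller" registration by default. The callee then validates the
    // JWT (issuer, audience, expiry, signature) against the Okta authorization server.
    @Bean
    public WebClient calleeWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth.setDefaultClientRegistrationId("ms-caller");
        return WebClient.builder()
                .baseUrl("https://callee.example.internal") // assumed placeholder
                .apply(oauth.oauth2Configuration())
                .build();
    }
}
```

Because the token is issued to the client, not to a user, the callee sees only the calling service's identity and scopes; any per-user authorization decision would have to be carried separately, which is exactly the gap the question is asking about.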