Get access token for client-facing client

Hi all!

I have a problem with understanding how to authorise calls of web tier to micro-services.

We have a classical web application comprised of the following components:

  • web tier: HTML+Javascript (not SPA) with server-side logic (backend) on Spring Boot
  • we also have few microservices which are called by the backend.

I understand how to secure calls between two microservices with Okta. I just need to configure clients in Okta for each micro-service with ‘client_credentials’ flow and also configure authorization server for a callee. Then, I can configure Spring Security on the caller side to automatically obtain access tokens when caller makes a call. Works fine!

But It is unclear how to set up access tokens for the backend calling micro-service. Backend already has a client in Okta with ‘authorization_code’ flow (acts on behalf of a user) and gets (only) ID token for user during authentication. Now, the backend needs to somehow get access tokens to call microservice. Do I need to configure one more client of the backend in Okta for the backend? Or should I allow both client_credentials and authorization_code flows? Does it mean that the backend will have to authorise twice (once for user and once as a machine-to-machine call)? Will it call micro service on behalf of a user or as a machine? How to configure Spring Security to make this happen automatically?

Unfortunately, I could not find any articles around this case.

Thank you,
Alexey.

Hi @kit , is the goal to use an access token that is given to a user after they authenticate, or are you just trying to have server-to-server communication?

It sounds like you’re going for client credentials. Here’s an overview of client credentials flow.

You might also want to take a look at Oauth for Okta with a service app, which would involve creating and signing your own JWT token, and uses this to request an access token from Okta.