Get access token for client-facing client

Hi all!

I have a problem with understanding how to authorise calls of web tier to micro-services.

We have a classical web application comprised of the following components:

  • web tier: HTML + JavaScript (not SPA) with server-side logic (backend) on Spring Boot
  • we also have a few microservices which are called by the backend.

I understand how to secure calls between two microservices with Okta. I just need to configure clients in Okta for each micro-service with ‘client_credentials’ flow and also configure authorization server for a callee. Then, I can configure Spring Security on the caller side to automatically obtain access tokens when caller makes a call. Works fine!

But it is unclear how to set up access tokens for the backend calling a micro-service. The backend already has a client in Okta with the ‘authorization_code’ flow (acts on behalf of a user) and gets (only) an ID token for the user during authentication. Now, the backend needs to somehow get access tokens to call the microservice. Do I need to configure one more client in Okta for the backend? Or should I allow both the client_credentials and authorization_code flows? Does it mean that the backend will have to authorise twice (once for the user and once as a machine-to-machine call)? Will it call the micro-service on behalf of a user or as a machine? How do I configure Spring Security to make this happen automatically?

Unfortunately, I could not find any articles around this case.

Thank you,
Alexey.

Hi @kit, is the goal to use an access token that is given to a user after they authenticate, or are you just trying to have server-to-server communication?

It sounds like you’re going for client credentials. Here’s an overview of client credentials flow.

You might also want to take a look at OAuth for Okta with a service app, which would involve creating and signing your own JWT token and using it to request an access token from Okta.
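The "create and sign your own JWT" step mentioned above is the private_key_jwt client authentication of RFC 7523: the service app proves possession of a registered private key by signing a short-lived assertion whose audience is Okta's token endpoint, then presents it in place of a client secret. The following is an added example, not code from the thread or from Okta; it uses only the JDK. The org URL, client ID, key ID and scope are placeholders, and the key pair is generated in `main` only so the example compiles and runs stand-alone; a real deployment loads a persisted private key whose public JWK is registered on the service app.

```java
// Added example (not from the thread): signed client assertion for an Okta service app
// (RFC 7523 private_key_jwt), exchanged for an access token via client_credentials.
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

public class ServiceAppClientAssertion {

    // Placeholders: substitute your org's token endpoint and the service app's client ID.
    private static final String TOKEN_ENDPOINT = "https://dev-000000.okta.com/oauth2/v1/token";
    private static final String CLIENT_ID = "0oaEXAMPLECLIENTID";

    static String b64url(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Builds and signs the assertion: iss/sub = client ID, aud = token endpoint, 5-minute lifetime, unique jti. */
    static String clientAssertion(PrivateKey key, String kid) throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = String.format("{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"%s\"}", kid);
        String payload = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d,\"jti\":\"%s\"}",
            CLIENT_ID, CLIENT_ID, TOKEN_ENDPOINT, now, now + 300, UUID.randomUUID());
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                            + b64url(payload.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64url(sig.sign());
    }

    /** Posts the client_credentials request; the assertion takes the place of a client secret. */
    static String requestAccessToken(String assertion, String scope) throws Exception {
        String form = "grant_type=client_credentials"
            + "&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8)
            + "&client_assertion_type="
            + URLEncoder.encode("urn:ietf:params:oauth:client-assertion-type:jwt-bearer", StandardCharsets.UTF_8)
            + "&client_assertion=" + assertion;
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header("Accept", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(form))
            .build();
        HttpResponse<String> resp = HttpClient.newHttpClient()
            .send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body(); // JSON with access_token, expires_in and the granted scope
    }

    public static void main(String[] args) throws Exception {
        // Generated here only so the example runs offline; in practice load the key from a keystore
        // and register its public JWK on the service app in Okta.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String assertion = clientAssertion(kp.getPrivate(), "service-app-key-1");
        System.out.println(assertion);
        // Network call; succeeds only once the public key is registered on the service app:
        // System.out.println(requestAccessToken(assertion, "okta.users.read"));
    }
}
```

Keeping the assertion lifetime short and the `jti` unique matters because Okta rejects replayed assertions; the `aud` must be the exact token endpoint URL, since that is what binds the signed assertion to this authorization server rather than any other relying party.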

Hi @marcusi!

Thanks for comment!

What I need is to make a call from the web app backend to another microservice. This is not typical server-to-server, as the backend works on behalf of a user. So, I expect that the backend should have an access token which allows it to make calls on behalf of the user to other microservices (which the user is allowed to call, of course). At least, this is how it works in Keycloak. In Keycloak, the access token obtained by the web app may be configured to have claims allowing it to call other services: multiple ‘aud’ values and roles for all callable services.
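Both posts by the asker come down to the same Spring Security question: how the backend gets a token to call a microservice, either on behalf of the signed-in user or as a machine. The configuration below is an added example, not code from the thread or from Okta. It relies on a fact the first post overlooks: Spring Security's `oauth2Login()` stores the access token that Okta returns alongside the ID token as an `OAuth2AuthorizedClient`, so a `WebClient` can reuse it for downstream calls without a second login. The registration names `okta` (the existing authorization_code client) and `okta-m2m` (a second client registered with the client_credentials grant, configured in `application.yml` as assumed in the comments), the microservice base URL and the `/orders` paths are assumptions.

```java
// Added example (not from the thread): Spring Security 5.x configuration for a Spring Boot
// backend that already signs users in with oauth2Login() against Okta. Assumed registrations:
//   spring.security.oauth2.client.registration.okta      -> authorization_code (existing login)
//   spring.security.oauth2.client.registration.okta-m2m  -> authorization-grant-type: client_credentials,
//                                                           scope: orders.read, provider: okta
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

@Configuration
public class MicroserviceClientConfig {

    /** One manager that can serve the user's login token, refresh it, or mint a machine token. */
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()   // reuse the access token obtained when the user logged in
                .refreshToken()        // refresh it transparently when it expires
                .clientCredentials()   // machine-to-machine token for registrations using that grant
                .build();
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    /** WebClient that attaches a Bearer token from the manager to every outgoing request. */
    @Bean
    public WebClient microserviceWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // Default to the login registration so calls carry the signed-in user's token.
        oauth2.setDefaultClientRegistrationId("okta");
        return WebClient.builder()
                .baseUrl("https://orders.internal.example")   // assumed microservice URL
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}

@Service
class OrderGateway {

    private final WebClient client;

    OrderGateway(WebClient microserviceWebClient) {
        this.client = microserviceWebClient;
    }

    /** On behalf of the user: the microservice sees the user's token and can enforce per-user rules. */
    public String listOrdersForCurrentUser() {
        return client.get().uri("/orders")
                .retrieve().bodyToMono(String.class).block();
    }

    /** As a machine (no user in context, e.g. a scheduled job): pick the client_credentials registration. */
    public String reconcileOrders() {
        return client.get().uri("/orders/reconcile")
                .attributes(clientRegistrationId("okta-m2m"))
                .retrieve().bodyToMono(String.class).block();
    }
}
```

For the on-behalf-of path to work end to end, the microservice must accept the token the user's login produced: it is issued by the Okta authorization server the login registration points at, so the callee's resource-server configuration has to validate that issuer and the audience (Okta's default server issues `api://default`), and any extra scopes the microservice requires must be requested in the `okta` registration's `scope` list so they end up in the access token. That is the Okta counterpart of the Keycloak setup described above, where the web app's token carries the audiences and roles of every service it may call.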