Getting access token for SPA and server to server api access


#1

Hi,
We have a backend api application (say API Server App) with a React based Single Page App in the front (SPA Client).
We use the Okta sign-in widged for the front end authentication and use the jwt tokens for authenticating/authorizing the API calls into the API server app. Our backend is a spring boot application, with the spring security oauth2 module.
This piece works as expected.

We’re now in the process of adding server to server authentication for being able to access our APIs on the API server app from another Client App.
We’re trying to see what would be the best way to authenticate to our backend apis from this client app. The client app is another java based application running on a tomcat server.
Logically, it seems like we could use a client id/password to get a token for the Client app and then supply that token to our API server app.
In our POC, this does not work (Token gets rejected). It seems the client id/client password based solution requires us to set a Native Application in Okta for our Client app. the client id of this is different from the client id of our SPA app and the SPA’s client id is what is configured in the API Server’s oauth2 configuration.

How can we make the Client app work with the token in this case?


#2

You want to use client credentials grant type and create a service app:


#3

Thanks for your reply Tom.
I’ve looked at this option. However the only thing that I seem to be able to get back in the token is the client id itself.
In the API server I’m hoping to check for a certain group claim in the token that I can use to control the access to different APIs.
Is there a way to be able to do that. Or a different approach perhaps?

Thanks,
-Amit.