It gets logged in when I try to sign in by selecting the option to sign in using Gmail. It first takes me to my company's Okta login portal, and then, when I have logged in successfully, it redirects to the Okta admin portal.
It should have stayed on the same page and returned the logged-in user name.
Then I hit the same endpoint to log in, which is localhost:8888/ride-share/api; this endpoint and all other endpoints are accessible.
I got an auth code using the authorize endpoint, then passed the auth code to the token endpoint to get a token, then passed it in the header as a bearer token, and the APIs are accessible.
But there are two tokens: an access token and an API token.
Can you tell me the difference between the two of them?
When I used the audience in place of the client secret and client ID in my Spring Boot app configuration file, hitting any endpoint did not redirect to the Okta sign-in widget, but when I used the client ID and secret in the application configuration file, it redirected to the Okta sign-in page first.
Is this normal behaviour? Can you explain this?
There are a couple of solid guides here about the difference between ID Tokens (which will/can contain information about the user logged in, such as their first and last name) and Access Tokens (what the given user is allowed to access): https://oauth.net/id-tokens-vs-access-tokens/
Can you expand on what you were saying about configuring the audience in place of the client ID/secret? Configuring the audience is related to how the user's tokens are validated, as the Access Token will contain an aud claim matching the configured Audience for the server, and your application/receiving resource server/API should be making sure that the aud it sees in the Access Token matches the one it expected (to ensure that the right Authorization Server was used to issue the user's token).
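The aud check described in the reply above, as an added example that is not part of the original thread and is not Okta's or the Spring starter's code. It builds a constructed ID token (aud = the client ID, carrying user profile claims) and a constructed access token (aud = the API, carrying scopes), then runs the check a resource server should perform: signature, alg, iss, aud and exp. The issuer, audience "api://default", client ID and signing key are placeholders invented for the example; the tokens are HS256-signed so the example runs offline, whereas Okta issues RS256 tokens verified against its JWKS. The iss/aud/exp logic shown here is the same in either case.

```python
"""Added example (not from the original thread): a stdlib-only JWT check that
shows why a resource server validates the aud claim, and how an ID token
differs from an access token in the claims it carries.

Assumptions (not stated in the thread): ISSUER, API_AUDIENCE, CLIENT_ID and
DEMO_KEY are placeholders constructed for the demo, and tokens are HS256-signed
so the example runs offline. Okta issues RS256 tokens; only the signature step
differs, the iss/aud/exp checks are identical.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.okta.com/oauth2/default"   # placeholder issuer URL
API_AUDIENCE = "api://default"                       # the resource server's audience
CLIENT_ID = "0oaexampleclientid"                     # placeholder client ID
DEMO_KEY = b"demo-only-hmac-key-do-not-use"          # constructed signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialise claims as a compact HS256 JWT (demo signer, not Okta's)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def make_id_token(now: int) -> str:
    """ID token: audience is the client application, payload describes the user."""
    return sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user123",
                     "name": "Jane Doe", "email": "jane@example.com",
                     "iat": now, "exp": now + 3600}, DEMO_KEY)


def make_access_token(now: int) -> str:
    """Access token: audience is the API, payload lists the granted scopes."""
    return sign_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user123",
                     "scp": ["rides.read"], "cid": CLIENT_ID,
                     "iat": now, "exp": now + 3600}, DEMO_KEY)


def verify_access_token(token: str, key: bytes, now: int) -> dict:
    """Resource-server check: alg, signature, iss, aud and exp. Raises ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # reject alg=none or any unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if API_AUDIENCE not in aud:
        raise ValueError(f"audience {aud} is not {API_AUDIENCE}")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def accepted(token: str, now: int) -> bool:
    """True if the resource server would accept the token as a bearer credential."""
    try:
        verify_access_token(token, DEMO_KEY, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = int(time.time())
    print("access token accepted:", accepted(make_access_token(t), t))  # True
    print("ID token accepted:    ", accepted(make_id_token(t), t))      # False: aud is the client ID
```

The ID token is rejected not because it is malformed but because its aud is the client ID rather than the API: that is exactly the difference between the two tokens, and it is why an API that checks aud will not accept an ID token sent as a bearer token even though both come from the same authorization server.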