I have configured an SPA app in Okta and am using React with the Authorization Code flow with PKCE for authentication. The client now sends the access token it received from Okta to make API calls to the server. Now I want to know how the server verifies this with Okta?
No code or Okta-related endpoint has been added to the server except the com.okta.spring dependency in pom.xml and okta.oauth2.issuer in the properties file. I wonder how everything works with just these two.
The Okta Spring Boot starter does local validation of your JWT in the scenario you describe. You can configure it to do remote validation, but that will be a bit slower. I believe this blog post explains things well. Please let me know if it does not.
You mean the Okta Spring Boot starter uses the /v1/keys endpoint to get the keys and uses them while doing validation locally? If yes, how does it know which key to use, as /v1/keys returns a list of keys?
Also, I doubt that the validation is done locally. I switched off my internet connection and tried to hit an API with a token on my local machine, but it was not successful. If possible, can you guide me to the exact class in this jar which does the local validation?
The Okta Spring Boot starter makes a call to the v1/keys endpoint during application startup and caches the keys in memory. The starter is configured internally to use NimbusJwtDecoder (see here). This decoder is set to use the JWTValidator here, and it validates the timestamp, issuer and audience parameters present in the JWT. If there are multiple keys in your org's v1/keys endpoint, then your JWT can include the kid header parameter in the claim to identify the key ID against which the validation should happen.
Validation can be done either locally or remotely depending on how your resource server is set up (JWTs are validated locally and opaque tokens are validated remotely). The article that @mraible posted above explains the difference between these two approaches.
Let me know if that helps.
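To make the local-validation path described above concrete, here is an added example (not the Okta starter's own code) of a Spring Security resource-server configuration that does the same three things by hand: fetch and cache the JWKS from the issuer's /v1/keys endpoint, check the signature with the key selected by the token's kid, and validate timestamp, issuer and audience. It assumes Spring Security 5.3 or later and the property names okta.oauth2.issuer and okta.oauth2.audience; the class and bean names are made up for this example.

```java
package com.example.resource;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Example configuration (hypothetical class name), not code from the Okta starter.
@Configuration
public class LocalJwtValidationConfig {

    @Bean
    JwtDecoder jwtDecoder(@Value("${okta.oauth2.issuer}") String issuer,
                          @Value("${okta.oauth2.audience:api://default}") String audience) {
        // The JWKS of an Okta authorization server lives at <issuer>/v1/keys.
        // NimbusJwtDecoder fetches that key set over HTTPS, caches it, and for each token
        // picks the cached key whose "kid" matches the token's JOSE header before it
        // checks the signature. No per-request call to Okta is made for a JWT.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(issuer + "/v1/keys").build();

        // Default validators: "exp"/"nbf" (timestamp) and "iss" must equal the configured issuer.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(issuer);

        // "aud" must contain the audience this resource server expects, so a token minted
        // for a different API is rejected even though its signature is valid.
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audienceCheck));
        return decoder;
    }
}
```

A token whose signature, issuer, audience or expiry fails any of these checks is rejected with a 401 by the resource-server filter before the controller runs.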
Hi @mraible and @akrishnakumar,
I tried using this module, but the problem is that once a request (which contains a valid token) is authenticated, validation is not happening for the subsequent calls (a request which doesn't contain any token gets authenticated). Any idea on this?