How to get access and ID token from oidc object when using @okta/oidc-middleware node module?

We are using the @okta/oidc-middleware node module and have successfully integrated it into our Node application.
But we need to store the access and ID tokens in a cookie, which is later used by the backend application for validation.

I am unable to fetch the tokens from the oidc object in my front-end Node/React application. Please suggest how to retrieve the tokens.

We are using the default http://localhost:3000/authorization-code/callback method.

We are using the Authorization Code flow.

The oidc-middleware does not expose the access and id tokens in the oidc object. It was designed not to expose any OIDC/OAuth tokens to the end-user application.

Also, the oidc-middleware does all the necessary validation on the access and ID tokens on your behalf. You can be assured that the userinfo object retrieved by the middleware is valid and obtained only after the access and ID tokens have been validated. These tokens are validated according to the OIDC spec.

Is there any reason you want to validate the tokens yourself?

The OIDC middleware is getting the id_token and access_token for your Express app as a client. The purpose of the OIDC middleware is to use the session management configured in Express.

In this case, you would want to get the id_token and access_token in the React application using the implicit flow, and use the Okta JWT verifier in your Node app.

https://developer.okta.com/quickstart/#/react/nodejs/generic

Thanks for your response.

Our application has a front end based on ReactJS/Node.js and a back-end application based on Spring Boot/Java. Both will run on independent hosts. The front-end app communicates with the back-end Spring Boot app through APIs. We need to ensure that the back-end APIs are also authenticated. We had planned that the front end does the redirections to Okta and that we store the access token/ID token in cookies after validation. Hence, when any call is triggered to the back end, the back-end API does an introspect check on the token provided in the cookies.

Please suggest how to manage OIDC authentication in both front-end and back-end applications which run on independent hosts.

In this case, as @tom mentioned, you should be using the “implicit flow” instead of the “code flow”.
We have quickstart guides that will walk you through this particular setup.

Take a look at the instructions in this guide - https://developer.okta.com/quickstart/#/react/nodejs/express
Once you have set up the React client to handle authentication using Okta, you can move to the server setup using Java Spring Boot as explained here - https://developer.okta.com/quickstart/#/react/java/spring (Scroll down/click on “server setup”)

Let us know if you have any further questions.

Hi there,

Is there any way to easily log out a session when using the okta oidc middleware?

I’ve been trying to implement logout functionality, and am using this middleware for my node application; however, the only way I have found so far is to use the API and pass in a token_id, and if we can’t get this, we can’t use this API endpoint.

i.e. https://developer.okta.com/docs/api/resources/oidc#logout
