How to have Okta login and access to API behind Okta, in React app?

I got React app. Need to:

  1. login using Okta
  2. login (get access key) to third party API protected with Okta Auth2

Could be similar to this issue OpenID token based API access + custom login

How to do it? Can one have two nested < Security > tags?

Is there at least some idea how to do it?

Hi @nems

Do you want to have an authentication on secure routes with both tokens from Okta and third party API?

Hi @dragos

I have setup AWS API Gateway, with endpoints protected with authorizer (configured with issuer, audience and scopes) .
Using SPA on frontend, and Authorization code with PKCE flow.
SPA does /authorize, get code, sends code and code_challenge to /token, receives accessToken and idToken.

Now, when protected endpoint gets called with accessToken in Authorization Header, got this response:

status 401
www-authenticate: Bearer scope=“email openid profile” error=“invalid_token” error_description=“unable to find an appropriate key in the JWKS. Ensure a “kid” is provided in the JWT, and that your JWKS has a supported cert available for this ID”

and if I use idToken instead, response is:

status 403
www-authenticate: Bearer scope=“email openid profile” error=“insufficient_scope” error_description=“expected scopes within the token”

What is going on here?
How to have scopes in idToken?
Why accessToken does not work?

Hi @nems

Usually the error regarding the keys in access token is in regards to using Okta authorization server instead of a custom authorization server. Due to RFC restrictions, only custom authorization servers can be used for local verification for access tokens. You can read further details about the difference between the authorization servers here.

Can you please try with a custom authorization server (for example https://dev-123456.okta.com/oauth2/default if using a developer tenant) to see if it works? You can register a free developer tenant here.

Hi @dragos

Thank you. That solved the issue(s).