How to validate access token in reactjs client application?

Hi Team,

How to validate access token in reactjs client application? Is it necessary to validate access token?
I have implemented Single Sign- On using react client application with Google and Facebook as identity providers. My Okta application is created using OIDC - OpenID Connect as the Sign-in method.

Grant Types for Okta Integration application - Authorization Code, and Implicit.
Grant Types for Facebook application - Authorization Code, Refresh Token, and Implicit.
Grant Type for Google application - Implicit.

Also, could you please let me know which Grant Type is recommended for SPA developed using ReactJS?

Any help would be appreciated.

Thank you.

Shardul Arun Pathak

For SPAs, we recommend using Authorization Code with PKCE authentication, which will be the default grant enabled when you create a SPA in Okta. Using Implicit flow is no longer recommended as it is less secure. You can check out our guides that talk through setting up a SPA using our SDKs, learn more about PKCE flow, and how to implement it in the links below:

Your client application does not need to validate the access token (resource servers would normally do this when the user is trying to access a protected resource), but if you intend to read the claims within an ID token in your client app (say, to show the logged in user’s name), then you will want to validate the ID token (which our frontend SDKs will do for you when the token gets storage, in case you’re using one)

Hi Andrea,

Thank you for your response, now I understand that I don’t need to validate Access Token in my client application. Also I understand about the correct grant type for SPA.

I am using name and role from the userInfo i.e. userInfo.groups.includes(‘Admins’). As you mentioned in your reply that I need to validate ID token. Also you mentioned, Okta providing frontend SDKs which will do validations of ID token. Could you please give more details which SDKs I can use to validate ID token and how to use them.

Or just like validation of access token, validation of ID token takes place inside Okta’s resource server and it is not required to make any changes in client application to validate ID token, is it correct?

Thank you.

Shardul Arun Pathak

Our JWT verifier SDKs are able to validate ID tokens. A client application should validate these tokens if its relying on the claims within to grant user access to various pages while a resource server should be sent access tokens to verify