ID Token vs Access Token Angular and Spring

Hello All,

Pardon my lack of experience when it comes to security and its concepts, but I’m learning here. :)

So I have a front-end application built on Angular with a backend in Spring serving my database. My client side is set up with the many tutorials I’ve found on here. When I log in, I get an access token in my local storage.

When I copy that token and really look at it, I see my access token, ID token, user name, etc. How can I pass my name securely? I’ve always noticed that many database fields have a created_by field of some sort. And with my REST APIs secured, I pass the access token to my backend. I verify it, and all is good. However, I only get the access token without any user information. I’ve seen the API Okta provides for user info, but I would think it would be terrible on performance to redirect to another service every time a user posts a new object instead of securely passing that ID token from Angular local storage to my backend. Is that feasible to do, or do I indeed have to call that user info endpoint every time?

If you’re using the Okta Spring Boot starter on your backend, you should be able to use Spring Security’s @AuthenticationPrincipal to get the user’s information.

@GetMapping("/hello-auth")
public String hello(@AuthenticationPrincipal OidcUser user) {
    return "Hello, " + user.getFullName();
}

Thanks for the quick response!

So I’ve seen this in the docs I looked at and when I tried it, my backend was throwing a null pointer. But maybe I misinterpreted what I was supposed to do.

If I have an endpoint in Java called getList(),
I’m assuming I put that auth principal there?

Like so:

getList(@AuthenticationPrincipal OidcUser user){}

On the off chance I’m completely off and you mean that’s a separate endpoint altogether.

This is a related question - maybe its answer will help?
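
As an added example (not code from this thread or from Okta): on a backend that validates the bearer access token as a JWT, Spring Security hands the validated token to the controller as a `Jwt` principal, so a created_by value can be read from its claims without a user info call. The `NoteController` class, the `/notes` endpoint, the `NewNote` body and the use of the `sub` claim as the user identifier are assumptions made for illustration.

```java
// Added example. Assumes the application is configured as an OAuth 2.0
// resource server that validates JWT bearer tokens (signature, issuer, expiry)
// before the controller runs, and Java 16+ for the record type.
import java.time.Instant;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class NoteController { // hypothetical controller

    // Hypothetical request body. It deliberately has no createdBy field:
    // the client never gets to say who it is, only the verified token does.
    public record NewNote(String text) {}

    @PostMapping("/notes") // hypothetical endpoint
    public Map<String, String> create(@AuthenticationPrincipal Jwt jwt,
                                      @RequestBody NewNote body) {
        // The principal is null when the request was not authenticated
        // with a JWT bearer token (for example, the route is left open).
        if (jwt == null || jwt.getSubject() == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        if (body.text() == null || body.text().isBlank()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "text is required");
        }

        // Assumption: the authorization server puts the user identifier in
        // the "sub" claim. Other claims are read with jwt.getClaimAsString(name).
        String createdBy = jwt.getSubject();

        // A real service would persist the entity here; the example only
        // returns what would be stored.
        return Map.of(
                "text", body.text(),
                "createdBy", createdBy,
                "createdAt", Instant.now().toString());
    }
}
```

Because the identity comes from a token the backend has already verified, a value typed into the request body or edited in browser local storage cannot change who the record is attributed to.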