Hi, I am trying to integrate Okta authentication into an existing Java web application implemented using Java's servlet API. There is no quick start example for the "Generic Java" server-side option using the Okta Sign-in page (please see below). Since our application is a web application, is the Okta Sign-in page option the right way to proceed? Are there any examples available? Thanks!
The choice between the sign-in widget integrated on your website and a redirect to Okta depends on the current design and flow of the application that you are building.
You can use the authentication SDK available here to authenticate the users to Okta or the Java JWT verifier to verify the tokens that you are receiving from Okta. Both repositories contain examples on how to use them.
What stack are you on? We have been thinking about creating a few more non-spring examples.
Thanks for the quick response! The app is using the Java servlet API / JSP / Struts framework.
Hi @dragos, I am interested in Java JWT verifier approach.
- Even though our application is a web application, should I be pursuing the sign-in widget approach?
- Should the app maintain the received token and authenticate it as part of every request?
- How do the session time-out and other similar features available in typical web apps work with this type of authentication?
- If you are integrating the sign-in widget, then the widget’s JS code will be hosted on your end. The advantage here would be that you can customize the sign-in widget to fit the design that you currently have for the application.
- Your application should validate the JWT token through the verifier and, if the token is valid, use the subject claim to create a local session for the user inside the application. This would be created and maintained by your application’s logic.
- If you have API Access Management, then you can customize the lifetime of the access token (5 min - 1 day) and refresh token (10 min - unlimited). If you don't have it, then the lifetime of the tokens will be 60 min for access tokens and ID tokens (ID tokens have a static lifetime in both use cases) and 100 days for refresh tokens. In some use cases, I've seen the lifetime of the JWT token (exp claim) being used as the lifetime of the session.
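As an added illustration of the approach described in the reply above (this is not code from the original thread or from Okta's own samples): a servlet filter that validates a Bearer token with the Okta Java JWT verifier, creates a local `HttpSession` from the `sub` claim, and uses the token's `exp` claim as the session's lifetime. The issuer and audience values, the attribute names and the filter class itself are assumptions; the `com.okta.jwt` calls are the okta-jwt-verifier library's API (for an ID token you would use `JwtVerifiers.idTokenVerifierBuilder().setClientId(...)` and `decode(token, nonce)` instead).

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;

/**
 * Validates the Okta token once, then serves later requests from an
 * application-owned HttpSession whose lifetime is bounded by the token's exp claim.
 */
public class OktaSessionFilter implements Filter {

    // Hypothetical tenant values: replace with your org's authorization server and audience.
    private static final String ISSUER = "https://dev-123456.okta.com/oauth2/default";
    private static final String AUDIENCE = "api://default";
    static final String SESSION_SUB_ATTR = "okta.sub";   // who the session belongs to
    static final String SESSION_EXP_ATTR = "okta.exp";   // Instant copied from the token's exp

    private AccessTokenVerifier verifier;

    @Override
    public void init(FilterConfig filterConfig) {
        // The verifier fetches and caches the org's signing keys (JWKS) and checks
        // signature, iss, aud, exp and nbf on every decode().
        verifier = JwtVerifiers.accessTokenVerifierBuilder()
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .setConnectionTimeout(Duration.ofSeconds(1))
                .build();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. An existing local session is honoured only until the original token's exp.
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            Instant exp = (Instant) existing.getAttribute(SESSION_EXP_ATTR);
            if (exp != null && Instant.now().isBefore(exp)) {
                chain.doFilter(req, res);
                return;
            }
            existing.invalidate();   // expired or anonymous: never reuse it (session fixation)
        }

        // 2. No usable session: require a Bearer token and let the verifier validate it.
        Optional<String> token = bearerToken(request.getHeader("Authorization"));
        if (!token.isPresent()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Jwt jwt;
        try {
            jwt = verifier.decode(token.get());
        } catch (JwtVerificationException e) {
            // Bad signature, wrong issuer/audience, expired or not-yet-valid token.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 3. Valid token: create the application's own session from the sub claim and
        //    bound it by the token's remaining lifetime, both absolutely (exp) and by inactivity.
        HttpSession session = request.getSession(true);
        session.setAttribute(SESSION_SUB_ATTR, jwt.getClaims().get("sub"));
        session.setAttribute(SESSION_EXP_ATTR, jwt.getExpiresAt());
        session.setMaxInactiveInterval(secondsUntil(jwt.getExpiresAt()));
        chain.doFilter(req, res);
    }

    /** Extracts the token from "Authorization: Bearer <token>", case-insensitively on the scheme. */
    static Optional<String> bearerToken(String authorizationHeader) {
        if (authorizationHeader == null) return Optional.empty();
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Bearer".equalsIgnoreCase(parts[0])) return Optional.empty();
        return Optional.of(parts[1]);
    }

    /** Whole seconds until exp, clamped to at least 1 so a nearly expired token still gets a session. */
    static int secondsUntil(Instant expiresAt) {
        long remaining = Duration.between(Instant.now(), expiresAt).getSeconds();
        return (int) Math.max(1, Math.min(remaining, Integer.MAX_VALUE));
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml (or with `@WebFilter("/*")`) in front of the Struts dispatcher. Because the session's `exp` is copied from the token, the user is forced back through Okta when the token would have expired, which is the "token lifetime as session lifetime" pattern mentioned above; applications that want idle time-outs shorter than the token's lifetime can simply lower `setMaxInactiveInterval`.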