JSON Web Token with React & Spring Boot

I’d like to use JSON Web Token (JWT) with a React and Spring Boot application. As I understand it, with a single-page app (SPA) I must use the implicit grant flow. Should this be the case, how can I configure Okta’s authorization server to issue a JWT rather than a session token? If sending a JWT to the SPA is not possible, is there another mechanism to acquire a JWT for the SPA, e.g. submit the session token to Okta’s authorization server for a JWT?

Further, assuming the SPA is able to acquire a JWT, how should one validate the JWT? Do the following libraries provide validation capabilities?

compile('org.springframework.boot:spring-boot-starter-security')
compile("org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:${springBootVersion}")

Or will I additionally need okta-spring-boot-starter?

As I understand it, with a single-page app (SPA) I must use the implicit grant flow. Should this be the case, how can I configure Okta’s authorization server to issue a JWT rather than a session token?

When you create the SPA application, it will be wired to use the implicit grant flow automatically:
https://developer.okta.com/quickstart/#/react/java/spring

is there another mechanism to acquire a JWT for the SPA, e.g. submit the session token via a resource server to Okta’s authorization server for a JWT?

You can always use the authorize route to get JWTs based on a sessionToken that is retrieved through the Authentication API

Further, assuming the SPA is able to acquire a JWT, how should one validate the JWT? Do the following libraries provide validation capabilities?

If you are using okta-react there is an isAuthenticated function that can do this for you without needing to deal with the JWT itself.

Or will I additionally need okta-spring-boot-starter?

okta-spring-boot-starter leverages spring security under the hood. If you look at the dependencies, I doubt you will be shocked. Even though you don’t actually need it for the basic use cases, the configuration in okta-spring-boot-starter is cleaner and easier to understand. In the future when Okta integrations like spring-boot-starter need to tie into flows such as activation and email verification, then you will be on something that will natively support it, instead of building on top of spring security / spring boot which isn’t aware of these flows.

Hope this helps,
Tom

The React SDK uses the authentication API for token generation, correct? So, I should be able to use the authorize route to get a JWT, right?

Thank you for the tip. However, at this point I’d like to have the API verify authentication and authorization. The idea I had was to verify the signature of the JWT, thus validating authentication/authorization without having to take a round-trip to Okta’s Auth server. But I don’t believe Spring Security OAuth2 provides such functionality out-of-the-box. Are you aware whether it does or not?

Your clarifications and tips are very helpful; it’s much appreciated.


To clarify: Okta’s authorization server always returns a JWT, no extra configuration required. The Authentication API is the one that returns a session token. It’s usually used for legacy apps or very custom login workflows. I don’t think you need it here.

The React SDK uses an Okta authorization server and OpenID Connect to get a token. With the okta-react package installed in your project, you can kick off the login flow with something like:

<button onClick={this.props.auth.login}>Login</button>

You can definitely do this! The second half of the React + Spring quickstart discusses wiring up the API for token validation. As Tom said, okta-spring-boot-starter makes it easy to configure, but you could do the validation yourself too if you didn’t want to add the starter package to your project.

Thanks for the clarifications.

I’m using the React SDK’s sign-in method to get a session token. On this session token I call token.getWithoutPrompt which returns both an id and access token. Using the original token I then call getUserInfo(accessToken) which returns the user’s profile. But the profile does not include any of the groups the user is assigned to. Any ideas why and how to include the groups? I have confirmed through other means that the JWT provided by Okta’s auth server does include groups.

You can find the answer to include groups in the userInfo response in this thread - Returning Groups in the OpenID connect userinfo API call
