I am building an application that consists of three parts: a Spring Boot resource server, a single-page application that communicates with the resource server, and Okta as an authorization server. The SPA should get a token with the implicit flow and use it as an HTTP Authorization Bearer token to authenticate with the resource server. The resource server should verify the token with Okta using the /introspect endpoint.
There is an Okta application for each component (resource server and SPA) with separate client credentials. Both applications are enabled for the authorization server api://default.
When I use a token to authenticate on my resource server, I always get a 401 Unauthorized. I thought my implementation was wrong, but when I manually check the /introspect endpoint I always get
Has anybody had similar issues?