Mixing PKCE SPA Applications and non PKCE APIs

I am new to OKTA and OAuth2, so forgive me if this question is obvious. I have an single page Angular app which successfully authenticates to an OKTA SPA client application using the Authorization Code with PKCE flow. I also have some Mulesoft APIs secured by an OKTA web client application. Mulesoft doesn’t support PKCE and thus requires a client secret. I created the two apps in the same domain hoping I could authenticate using the SPA and then pass the resulting bearer token to the Mulesoft APIs.

When I test this design, I receive the following response from my call to the Mulesoft API:

{
  "error": "Invalid Client"
}

Does this mean I can’t share tokens between applications even if they are in the same domain, have the same user/group assignments, and share a single authorization server?

You absolutely can share tokens received from the same authorization server. Maybe Mulesoft has additional restrictions or requirements when making call to it. Sorry, not familiar with Mulesoft

Thanks for your reply. You were correct that the problem was on the Mulesoft side of the equation. When applying the security policy to the Mulesoft API proxy (in the API Manager => Polilcies section), there is a checkbox labeled “Skip client Id Validation” which is not checked by default. When this option is unchecked, the Mulesoft client provider won’t accept an access token granted by the authorization server for any client id other than the one registered in Mulesoft - even if the client applications share the same authorization server. Turning on this option solved my problem.

1 Like