We are building SPA applications that need to call multiple microservices each with their own auth server. Each of these auth servers lives in the same orgs.
How do we go about authenticating users to each authz server to get tokens for them? Would we have to go through a /authorize call and then /token call for each authz server? Is there a reference application that Okta provides that does this (i have not found one). We are using PKCE authentication in our SPA and calling multiple custom authorization servers from a SPA does not seem to be in Okta’s documentation.
Have similar questions, and wanted to share/discuss what I had been experimenting with.
I took a couple of SPA clients, generated some users, groups, and associated apps setup for AuthCode Flow.
The clients are using the okta-auth-js libary.
The clients are then associated and configured for openid OIDC on the Idp’s organization issuer and uses sign-in redirect to the okta hosted widget.
This established the SSO capability between the apps and okta.
Then using a technique I’ve seen described and token caching, I established additional AuthClients, with a different issuers and clientIDs. From there with an established okta session from the organization issuer, I’m able to mint access tokens for separate issuers and clientIDs using a couple of methods.
However getWithoutPrompt comes with a warning about using third party cookies, and the remaining two require a popup and full page redirect for each API token required.
I still need to dig into what exactly is happening under the hood during these call, but I am able to generate tokens without a user having to login in again, but trying to figure how to manage the user experience.
Alternatives aren’t every clear to me either, some I’ve noticed are the use of an API gateway, or On-Behalf-Of (OBO) token exchange, but I don’t believe this is fully supported by okta yet, and I believe it requires an addition server to execute in a privileged back-channel.