Node Server + React Client Session

I have a web application that uses a React frontend served on port 3000 and a NodeJS server running on, say, port 3001, and I can’t seem to figure out how to create an Okta session between the two.

How do I go about creating a session between the two so that when a user makes requests from the React frontend, their user info object is available in the request so that my Node server can use that information to determine if the resource is accessible by that user?

There are documents on how to do a SSO authentication with React to secure specific routes/pages, and there are docs on securing a simple REST server. But nothing on them combined. What I need and can’t seem to figure out is this…

User navigates to the web app running on port 3000, and the web app redirects them to Okta to be authenticated. Once back on the web app, the user clicks a button that makes a call to the Node server running on port 3001. The Node server needs to be able to get the authenticated user’s info, such as permissions, from the request object.

How is this done? Any help is much appreciated!

Hi @sisrael

From the React application on port 3000 you can do a CORS request on NodeJS server running on port 3001, calling specific endpoints and passing the access token as an authorization header. The NodeJS application will need to read the authorization server, retrieve the user from it, check his permissions on the server and return a response containing either the resource or an error message in case he is not allowed to access it.

@dragos so basically I should implement Okta auth on my React app which will redirect my user to the login page and return them back to my React app. From there, any requests made to the NodeJS server will contain the access token? In which case on each request I query the authorization server?

Is there a preferred method for querying the authorization server? I’ll take a look through the docs but I assume Okta has a library for doing that?

Hi @sisrael

After the authentication, your React app will need to make requests to NodeJS passing the access token received from Okta as Authorization header inside the request. The NodeJS application will check the Authorization header, validate the JWT and retrieve the user from it, after which it will return the result.

To verify the JWT on NodeJS side, you can use https://www.npmjs.com/package/@okta/jwt-verifier.
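The Authorization-header flow this answer describes, written out as Express-style middleware. This is an added example, not code from the thread or from Okta; the `verifyAccessToken` function is injected so the logic runs offline, and the `groups` and `scp` claim names, the `Admins` group and the fake token are assumptions. In production you would pass a wrapper around the `verifyAccessToken` method of an `OktaJwtVerifier` instance from `@okta/jwt-verifier`, which checks the signature against Okta's keys plus issuer, audience and expiry.

```javascript
// Added example, not code from the thread. verifyAccessToken is injected so this
// runs offline; in production wrap an OktaJwtVerifier instance from
// @okta/jwt-verifier: (t, aud) => verifier.verifyAccessToken(t, aud).
const BEARER = /^Bearer\s+([A-Za-z0-9\-_.]+)$/;
// Pull the raw token out of the Authorization header, or return null.
function extractBearerToken(headers) {
  const value = headers.authorization || headers.Authorization;
  if (typeof value !== 'string') return null;
  const m = BEARER.exec(value.trim());
  return m ? m[1] : null;
}
// Authentication: verifyAccessToken(token, audience) resolves to { claims } or
// rejects, the same shape @okta/jwt-verifier uses.
function makeAuthMiddleware(verifyAccessToken, expectedAudience) {
  return async function authenticate(req, res, next) {
    const token = extractBearerToken(req.headers || {});
    if (!token) return res.status(401).json({ error: 'missing bearer token' });
    try {
      const { claims } = await verifyAccessToken(token, expectedAudience);
      // Expose only what handlers need. 'groups' and 'scp' are claim names the
      // Okta authorization server must be configured to emit (assumed here).
      req.user = { id: claims.sub, groups: claims.groups || [], scopes: claims.scp || [] };
      return next();
    } catch (err) {
      return res.status(401).json({ error: 'invalid token' }); // no details to caller
    }
  };
}
// Authorization: the per-resource check the question asks about, by group claim.
function requireGroup(group) {
  return (req, res, next) => (req.user && req.user.groups.includes(group)
    ? next() : res.status(403).json({ error: 'forbidden' }));
}
// Stand-in for an Express response and a runner for a middleware chain, so the
// logic can be exercised without starting a server.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
async function runChain(middlewares, req) {
  const res = fakeRes();
  let i = 0, reached = false;
  const next = async () => {
    if (i < middlewares.length) await middlewares[i++](req, res, next);
    else reached = true;
  };
  await next();
  return { status: res.statusCode, body: res.body, reached, user: req.user };
}
```

Mount `makeAuthMiddleware(...)` before `requireGroup('Admins')` on the Node routes the React app calls; a token that fails verification never reaches the group check, and a valid token without the group gets 403 rather than 401.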

@dragos Okay this makes sense now. Thank you so much for the explanation.