Okta Architecture SSO using Okta API Best Practice

Context:

  • We have several apps
  • We want to only login once to have access to those apps
  • We want to have our custom Central Auth API and Front-End (Login Page)

We are unsure whether to use the implicit grant or the authorization code flow (auth-code) for our setup.

What we have:

  • Central Auth App
    • API - Express
    • Front-End - React
  • App A
    • API - NestJS
    • Front-End - Angular
  • App B

Usage for Central Auth App:

  • API to call Okta’s API
    • (we have our own API because we need custom redirection and want all our Okta code to be in one area)
  • Front-End to store session tokens and redirection

Our plan for SSO so far:

Logging into one app

  1. User goes to AppA
  2. AppA has no access_token (localStorage)
  3. Redirect to CentralAuth Front-End
  4. CentralAuth Front-End has no session token (localStorage)
  5. Show login form
  6. User logs in (CentralAuth API talks to Okta API - returns sessionToken)
  7. CentralAuth Front-End stores session token
  8. window.href Okta's authorize w/ sessionToken to AppA + access_token/code
  9. (Optional: if auth-code, AppA asks Okta for access_token using code)

Logging into the other app (with an ongoing session)

  1. User goes to AppB
  2. AppB has no access token (localStorage)
  3. Redirect to CentralAuth Front-End
  4. CentralAuth Front-End has a session token (localStorage)
  5. window.href Okta's authorize w/ sessionToken to AppB + access_token/code
  6. (Optional: if auth-code, AppB asks Okta for access_token using code)

We will validate the session token and access tokens as well.

What is the best approach to this?

Thank you!