Context:
- We have several apps
- We want to log in only once to have access to those apps
- We want to have our custom Central Auth API and Front-End (Login Page)
We are unsure between implicit grant and authorization flow (auth-code) for our setup.
What we have:
- Central Auth App
  - API - Express
  - Front-End - React
- App A
  - API - NestJS
  - Front-End - Angular
- App B
  - MVC - ASP.NET 4.6.1
Usage for Central Auth App:
- API to call Okta's API
  - (we have our own API because we need custom redirection and want all our Okta code to be in one area)
- Front-End to store session tokens and handle redirection
Our plan for SSO so far:
Logging into one app
> User goes to AppA
> AppA has no access_token (localStorage)
> redirect to CentralAuth Front-End
> CentralAuth Front-End has no session token (localStorage)
> show login form
> User logs in (CentralAuth API talks to Okta API - returns sessionToken)
> CentralAuth Front-End stores session token
> window.href to Okta's authorize w/ sessionToken, redirecting back to AppA + access_token/code
> (Optional: If auth-code, AppA asks Okta for access_token using code)
Logging into the other app (with an ongoing session)
> User goes to AppB
> AppB has no access token (localStorage)
> redirect to CentralAuth Front-End
> CentralAuth Front-End has a session token (localStorage)
> window.href to Okta's authorize w/ sessionToken, redirecting back to AppB + access_token/code
> (Optional: If auth-code, AppB asks Okta for access_token using code)
We will validate the session token and access tokens as well.
What is the best approach to this?
Thank you!