- We have several apps
- We want to only login once to have access to those apps
- We want to have our custom Central Auth API and Front-End (Login Page)
We are unsure between implicit grant and authorization flow (auth-code) for our setup.
What we have:
- Central Auth App
  - API - Express
  - Front-End - React
- App A
  - API - NestJS
  - Front-End - Angular
- App B
  - MVC - ASP.NET 4.6.1
Usage for Central Auth App:
- API to call Okta's API
  - (we have our own API because we need custom redirection and want all our Okta code to be in one area)
- Front-End to store session tokens and redirection
Our plan for SSO so far:
Logging into one app
> User goes to AppA > AppA has no access_token (localStorage) > redirect to CentralAuth Front-End > CentralAuth Front-End has no session token (localStorage) > show login form > User logs in (CentralAuth API talks to Okta API - returns sessionToken) > CentralAuth Front-End stores session token > window.href Okta's authorize w/ sessionToken to AppA + access_token/code > (Optional: If auth-code, AppA asks Okta for access_token using code)
Logging into the other app (with an ongoing session)
> User goes to AppB > AppB has no access token (localStorage) > redirect to CentralAuth Front-End > CentralAuth Front-End has a session token (localStorage) > window.href Okta's authorize w/ sessionToken to AppB + access_token/code > (Optional: If auth-code, AppB asks Okta for access_token using code)
We will validate the session token and access tokens as well.
What is the best approach to this?