My goal is to use Okta as an identity management solution but generate refresh tokens/JWTs outside of Okta. The reason I am doing so is to be able to support existing methods of authentication such as Active Directory and SAML and wanted to use Okta, instead of our own auth, for identity management. Has anyone had any experience using Okta this way?
I asked some folks this question and here’s the response I got:
You can do this by federating to an Authorization Server (AS) from an Okta org. Basically the AS would need to be configured to use Okta as an IdP. Conceptually, if you set up Okta org A and Okta org B, and configured A as an Identity Provider for B, you’d have this scenario each time B minted tokens.
Replace Okta Org B with the AS of your choice (provided it can accept incoming id tokens or SAML assertions).
@mraible thanks for that! Another way I thought of achieving what I need is to redirect users to the Okta login (very much like the Play Framework example you have), and when we get back the profile of the user, validate the access and ID tokens to make sure the user is authenticated, check that the user is a user in our system, and then continue with the existing workflow of generating refresh tokens and JWTs. This allows me to use Okta as identity management while still being able to support the other authentication mechanisms and JWT generation we currently have. Please let me know if I am off base or using this improperly.