I have a use case that I can’t seem to find a good answer for. I have an app, and a few websites that all call .net c# API for SSO style authentication. Right now, the API uses Cognito, which returns a JWT token set upon authenticating the users and the API forwards the JWT token to the requesting client.
I’m exploring Okta as a replacement for Cognito, however, I cannot find a way for my custom API to authenticate the user via Okta and then return the JWT token to the requesting clients. I see there might be a way to do this via the OAuth 2.0 API (OpenID Connect & OAuth 2.0 API | Okta Developer), but no way for my service application to get a JWT token set that’s user specific. To be clear, the authentication call will need to stay server to server. Any guidance would be greatly appreciated.
Do you know which OIDC flow you’re using with Cognito to retrieve JWTs currently? Just to clarify, are you looking for a way to retrieve a JWT that’s user specific without the use of a browser?
If you need user context to be present in the JWT, you can use the authorization_code flow for web applications, where you redirect the user to the Okta login screen for authentication, and then pass the authorization code, returned through the browser, to your backend, which exchanges it for the access/id token populated for the authenticated user.
You may additionally need to query the /userinfo endpoint with the Bearer <access_token> authentication scheme if you need all user profile attributes. Alternatively, you can include specific fields as custom claims in the id/access token(s).
The only other way to do completely backend communication is to ask the user to type their password on your site and then use the resource_owner flow, which is kinda not cool. Why would I want to type my password on your site?!
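The backend half of the authorization_code flow described in the reply above, as an added C# example (not code from the thread or from Okta's SDKs): the API exchanges the code the browser handed back at Okta's token endpoint using client_secret_basic, then reads the profile from /userinfo. The issuer URL, client id/secret and redirect URI are placeholders; the state check assumes the caller stored the state value it sent in the /authorize redirect.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper for the server-to-server part of the authorization_code flow.
public sealed class OktaCodeExchange
{
    private readonly HttpClient _http;
    private readonly string _issuer;       // placeholder, e.g. https://YOUR_DOMAIN.okta.com/oauth2/default
    private readonly string _clientId;     // placeholder: Okta app client id
    private readonly string _clientSecret; // placeholder: keep server-side only, never send to the app/website
    private readonly string _redirectUri;  // must equal the redirect_uri used in the /authorize request

    public OktaCodeExchange(HttpClient http, string issuer, string clientId, string clientSecret, string redirectUri)
    {
        _http = http; _issuer = issuer.TrimEnd('/');
        _clientId = clientId; _clientSecret = clientSecret; _redirectUri = redirectUri;
    }

    // Exchanges the one-time code for the user-specific token set (access_token, id_token, ...).
    public async Task<JsonDocument> ExchangeCodeAsync(string code, string returnedState, string expectedState)
    {
        // Reject the callback if state does not match what we generated at redirect time (CSRF defence).
        if (returnedState != expectedState) throw new InvalidOperationException("state mismatch");

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = _redirectUri,
        });
        using var req = new HttpRequestMessage(HttpMethod.Post, $"{_issuer}/v1/token") { Content = form };
        // Client credentials go in an HTTP Basic header (client_secret_basic); this leg is backend-only.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}"));
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        using var res = await _http.SendAsync(req);
        res.EnsureSuccessStatusCode();
        // Validate the id_token (signature via JWKS, iss, aud, exp, nonce) before trusting its claims.
        return JsonDocument.Parse(await res.Content.ReadAsStringAsync());
    }

    // Optional: fetch the full profile when the tokens do not carry all the attributes you need.
    public async Task<JsonDocument> GetUserInfoAsync(string accessToken)
    {
        using var req = new HttpRequestMessage(HttpMethod.Get, $"{_issuer}/v1/userinfo");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var res = await _http.SendAsync(req);
        res.EnsureSuccessStatusCode();
        return JsonDocument.Parse(await res.Content.ReadAsStringAsync());
    }
}
```

The token set this returns is what the API would forward to the requesting app or website; the client secret never leaves the backend.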