I really appreciate your help, thank you!
- Your backend takes this code and exchanges it for a token
Isn’t that the SPA’s job to get the token and use it in order to make API calls to my backend?
On Okta, it seems that a “Web” app and a “SPA” app give two different setups. The first provides a client_id and client_secret while the second provides a client_id and uses PKCE for client auth (I haven’t looked into PKCE, but will definitely).
I was about to use the /authorize endpoint but this ended up not working. Somehow the SPA doesn’t redirect to the login page and okta-vue returns an error.
So I decided to use the implicit flow instead. If I’m only using “Authorization Code” as the allowed grant type doesn’t that mean it’s actually using the implicit flow? It definitely qualifies as being Auth Code Flow since there’s a code request then a token request. It’s quite misleading since the redirect endpoint is called implicit/callback…
Anyway, here’s my current setup:
redirectUri: window.location.origin + '/implicit/callback',
scopes: ['openid', 'email'],
This seems to work. When I visit the SPA, a button allows me to trigger an okta-vue function which gets the code. I can log in on the Okta hosted page, then I am redirected to implicit/callback where okta-vue captures the code and redirects again to the main page. From there I can get the token and use it to make API calls to my backend. I can also access the user’s claims from the token.
I already have the API set up with jwt-verifier. I will try to make a call from the SPA to the backend and share my progress. Also I’ll try to add PKCE into the flow.
Thank you again!