OpenID token based API access + custom login

Scenario:

Client A (Spring Cloud Gateway based server)
Client B (Spring Boot MVC based server) contains APIs
Client C (Spring Boot MVC based server) contains APIs
Okta (identity provider)
SPA (React), all static sources hosted on Client A

SPA has form-based authentication with username/password (the Okta-hosted sign-in page and widget are not used).

Okta should be only an identity provider. Authorization to APIs (Client B and C) is not managed in Okta.
Access from Client A -> B, C should be based on the OIDC token, which will be verified locally (signature verification).

Questions:

  1. What is the most optimal way to implement OAuth2 + OpenID Connect (authorization code flow) to get the OIDC token once the SPA sends the credentials?

I think firstly some custom endpoint, e.g. /spalogin, should make a request to Okta's Authentication API /api/v1/authn to obtain the session token. After that, make a request to the OpenID Connect authorize endpoint. How could this be integrated in Spring Security? Or perhaps there is another, better solution…

  2. What is the most optimal way to configure API access from Client A -> B, C only by OIDC token, not access token?

Any comments appreciated! Thanks in advance :smiley:


I will risk supposing (never tried to do that on my own) that b/c an OIDC token is a subset of an OAuth token and is a JWT, you should be able to present it to your resource server.

https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/#oauth2-boot-resource-server-minimal

that should help you to start thinking in the right direction.

As for #1, you are also guessing correctly; that will give you the token(s).
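For question #2 and the reply above, here is an added example (not code from the original thread or from Okta or Spring) of what "verified locally" looks like on Client B or C with the current Spring Security resource-server support rather than the legacy spring-security-oauth2-boot module linked in the reply. The point a practitioner will want covered is that an ID token, unlike an access token, carries the SPA's client ID in `aud`, so the resource server must check issuer, signature, expiry and that audience itself, otherwise any JWT signed by the same Okta authorization server would be accepted. The issuer URL, JWKS path and client ID below are placeholders, and Spring Security 6 APIs are assumed.

```java
import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Resource-server configuration for Client B / Client C (added example, assumptions labelled).
 * Every request to /api/** must carry "Authorization: Bearer <ID token>", which is
 * verified locally against Okta's published signing keys; no call to Okta per request.
 */
@Configuration
@EnableWebSecurity
public class IdTokenResourceServerConfig {

    // Placeholder issuer of the Okta authorization server that mints the ID token.
    private static final String ISSUER = "https://PLACEHOLDER.okta.com/oauth2/default";
    // Placeholder JWKS endpoint; keys are fetched once and cached by NimbusJwtDecoder.
    private static final String JWKS_URI = ISSUER + "/v1/keys";
    // Placeholder client ID of the SPA; an ID token's "aud" is the client it was issued to.
    private static final String SPA_CLIENT_ID = "PLACEHOLDER_SPA_CLIENT_ID";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Only the API paths exist on this server; everything else is refused outright.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            // Stateless bearer-token authentication using the decoder defined below.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.decoder(idTokenDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder idTokenDecoder() {
        // Signature verification happens here: the JWT "kid" is matched against the JWKS.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();

        // Default validators cover "exp"/"nbf" (with clock skew) and an exact "iss" match.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(ISSUER);

        // Audience check: reject any JWT not issued to our SPA, even if Okta signed it.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
            "aud", aud -> aud != null && aud.contains(SPA_CLIENT_ID));

        // All validators must pass; a failure surfaces as a 401 with a WWW-Authenticate error.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}
```

With this in place, Client A only has to forward the SPA's ID token as a bearer header to B and C; it does not need to validate it again for them, though it can apply the same decoder if it also serves protected routes. If you later switch to access tokens, the only change is the audience value (the authorization server's configured audience instead of the SPA client ID).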