Scenario:
- Client A (Spring Cloud Gateway based server)
- Client B (Spring Boot MVC based server) contains APIs
- Client C (Spring Boot MVC based server) contains APIs
- Okta (identity provider)
- SPA (React); all static sources are hosted on Client A
- SPA has form-based authentication with username/password (the Okta-hosted sign-in page and widget are not used)
- Okta should be only an identity provider. Authorization to the APIs (Client B and C) is not managed in Okta.
- Access from Client A → B, C should be based on the OIDC token, which will be verified locally (signature verification)
Questions:
- What is the most optimal way to implement OAuth2 + OpenID Connect (Authorization Code flow) to get the OIDC token once the SPA sends the credentials?
I think firstly some custom endpoint e.g. /spalogin should make a request to Okta’s Authentication API /api/v1/authn to obtain the session token. After that make a request to OpenID Connect authorize endpoint. How this could be integrated in Spring Security? Or perhaps there is another better solution…
- What is the most optimal way to configure API access from Client A → B, C only by the OIDC token, not the access token?
Any comments appreciated! Thanks in advance
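The second question, local verification of the token on Clients B and C, is the part Spring Security covers out of the box as a resource server, so here is an added example of that side (this is not code from the original post): a Spring Boot MVC configuration that accepts a bearer JWT, verifies its signature against Okta's JWKS in-process, and rejects tokens whose issuer, expiry or audience are wrong. The package name, the `okta.issuer` and `okta.client-id` properties, and the `/actuator/health` path are assumptions; Okta publishes the signing keys at `{issuer}/v1/keys`. The audience check matters because an ID token's `aud` is the client id the token was minted for, so without it any application in the same Okta org could present a token to these APIs.

```java
// Added example, not from the original post or from the Spring/Okta projects.
// Spring Boot 3 / Spring Security 6 resource-server configuration for Client B / C.
package example.security;   // hypothetical package name

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Placeholder property, e.g. https://{yourOktaDomain}/oauth2/default
    @Value("${okta.issuer}")
    private String issuer;

    // Placeholder property: the SPA's Okta client id, i.e. the ID token's expected `aud`
    @Value("${okta.client-id}")
    private String clientId;

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // One token per request: no server-side session, and no CSRF token for bearer auth
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(a -> a
                .requestMatchers("/actuator/health").permitAll()   // assumed public endpoint
                .anyRequest().authenticated())
            // Every other request must carry a JWT that passes jwtDecoder() below
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signing keys are fetched once and cached from Okta's JWKS endpoint; the
        // signature check itself runs in-process, so there is no per-request call to Okta.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(issuer + "/v1/keys").build();

        // Default validators: `exp` / `nbf` with clock skew, plus `iss` must equal our issuer
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(issuer);

        // Reject tokens minted for any client other than our SPA
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(clientId));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audience));
        return decoder;
    }
}
```

With this in place, Client A only has to forward the token in the `Authorization: Bearer ...` header; each of B and C makes its own accept/reject decision from the signature and claims, which is the "verified locally" property asked for. If the gateway later switches to relaying an access token instead, the same configuration applies, with the audience check changed to that token's `aud` value.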