Scenario:
We’ve built an application for internal use at my company, the only users will be users on our company domain. There will be 2 types of access: web based access with a traditional Javascript + HTML frontend and programmatic access to our API. This application is completely in python using Flask.
We plan to create an Okta application with a client id and client secret and are using an external library to handle the redirection flow for the planned UI. I have no questions about the web-driven UI / authentication flow; it all works as expected.
For the programmatic access, I’ve implemented a handler in our code that looks for an "Authorization: Bearer … Okta Access Token JWT … " header, decodes it, verifies it against the /introspect API in Okta, and finally checks that the client id matches our application's client id.
My main questions are:
- Is this even “the right way” to allow my users programmatic / API access?
- If it's not, what is the recommended way? I’ve been having trouble finding a clear example.
- If it is, what is the proper way to instruct my users on how to obtain their access tokens (via Okta APIs)? I currently have a method of doing this by calling /authn and then /authorize against Okta, but I am extracting the token from the response from /authorize, which, while it does work, does not seem to be the intended purpose of /authorize. I was hoping there was some kind of /token API that my users could call to get their tokens.
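For reference, here is an added example (not the poster's code and not from Okta) of the bearer-token check described above: pull the token from the Authorization header, introspect it, and accept it only if Okta reports it active and it was issued for this app by the expected authorization server. It is framework-agnostic (pass Flask's `request.headers` in); the issuer, client id, secret and the sample introspection responses are hypothetical values.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Hypothetical values: substitute your Okta org, authorization server and app credentials.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
APP_CLIENT_ID = "0oaEXAMPLECLIENTID"
APP_CLIENT_SECRET = "example-client-secret"

def okta_introspect(token: str) -> dict:
    """POST the token to Okta's /v1/introspect endpoint using client_secret_basic auth."""
    creds = base64.b64encode(f"{APP_CLIENT_ID}:{APP_CLIENT_SECRET}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    req = urllib.request.Request(
        f"{OKTA_ISSUER}/v1/introspect", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def authorize_request(headers: dict,
                      introspect: Callable[[str], dict] = okta_introspect) -> Optional[str]:
    """Return the token's subject if the bearer token is acceptable for this app, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None  # missing or non-bearer credential
    info = introspect(token)
    if not info.get("active"):
        return None  # Okta answers {"active": false} for revoked, expired or unknown tokens
    if info.get("client_id") != APP_CLIENT_ID or info.get("iss") != OKTA_ISSUER:
        return None  # token was minted for another app or by another authorization server
    return info.get("sub")

# Constructed sample introspection responses, standing in for Okta in offline tests.
SAMPLE_RESPONSES = {
    "tok-good": {"active": True, "client_id": APP_CLIENT_ID, "iss": OKTA_ISSUER,
                 "sub": "alice@example.com", "exp": 2_000_000_000},
    "tok-other-app": {"active": True, "client_id": "0oaOTHERAPP", "iss": OKTA_ISSUER,
                      "sub": "bob@example.com", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}

def sample_introspect(token: str) -> dict:
    """Offline stand-in for okta_introspect; unknown tokens are reported inactive, as Okta does."""
    return SAMPLE_RESPONSES.get(token, {"active": False})
```

The `client_id` comparison is what stops a valid Okta token issued to some other application in the same org from being accepted by this API.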