Proper Approach for Programmatic Access

Scenario:
We’ve built an application for internal use at my company; the only users will be users on our company domain. There will be 2 types of access: web-based access with a traditional JavaScript + HTML frontend and programmatic access to our API. This application is written completely in Python using Flask.

We plan to create an Okta application with a client id and client secret and are using an external library to handle the redirection flow for the planned UI. I have no questions about the web-driven UI / authentication flow; it all works as expected.

For the programmatic access, I’ve implemented a handler in our code that looks for an "Authorization: Bearer … Okta Access Token JWT … " header, decodes it, verifies it against the /introspect API in Okta, and finally checks that the client id matches our application's client id.

My main questions are:

  1. Is this even “the right way” to allow my users programmatic / API access?
  2. If it's not, what is the recommended way? I’ve been having trouble finding a clear example.
  3. If it is, what is the proper way to instruct my users on how to obtain their access tokens (via Okta APIs)? I currently have a method of doing this by calling /authn then /authorize against Okta, but I am extracting the token from the response from /authorize, which, while it does work, does not seem to be the intended purpose of /authorize. I was hoping there was some kind of /token API that my users could call to get their tokens.
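The bearer-token handler the question describes (read the `Authorization: Bearer` header, introspect the token at Okta's `/v1/introspect`, confirm the `client_id`), written out as an added example in plain Python so it runs offline. This is not the poster's code: the Okta issuer URL and client credentials are placeholders, and the introspection responses used by `fake_introspect` are constructed so the decision logic can be exercised without a network call. The real `okta_introspect` follows RFC 7662 (form-encoded `token` plus HTTP Basic client authentication), which is how Okta's introspection endpoint is documented. Every failure path returns `False`, so a network error or an unexpected response fails closed rather than open.

```python
"""Bearer-token check for programmatic API access, as described in the question.

Added example, not the poster's code. The Okta issuer, client id and client
secret below are placeholders (assumptions); replace them with your org's values.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Placeholders (assumptions): your Okta authorization server and the app's credentials.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"


def parse_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent/malformed."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def okta_introspect(token: str) -> Dict:
    """POST the token to Okta's /v1/introspect (RFC 7662).

    The app authenticates with HTTP Basic client credentials. This performs a
    real network call and is not used by the offline checks below.
    """
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req = urllib.request.Request(
        f"{OKTA_ISSUER}/v1/introspect", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def authorize_request(headers: Dict[str, str],
                      introspect: Callable[[str], Dict] = okta_introspect,
                      expected_client_id: str = CLIENT_ID,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a request may use the API. Returns (allowed, reason)."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return False, "missing or malformed Authorization header"
    try:
        info = introspect(token)
    except Exception as exc:  # network error or non-2xx response: fail closed
        return False, f"introspection failed: {exc.__class__.__name__}"
    if info.get("active") is not True:
        return False, "token inactive"  # expired, revoked, or unknown to Okta
    if info.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    if info.get("iss") != OKTA_ISSUER:
        return False, "unexpected issuer"
    exp = info.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        return False, "token expired"
    return True, f"ok: {info.get('sub', '?')}"


# Constructed sample responses standing in for Okta's answers (not real tokens).
FAKE_RESPONSES = {
    "good-token": {"active": True, "client_id": CLIENT_ID, "iss": OKTA_ISSUER,
                   "sub": "alice@example.com", "exp": 2_000_000_000},
    "other-app-token": {"active": True, "client_id": "0oaOTHERAPP", "iss": OKTA_ISSUER,
                        "sub": "bob@example.com", "exp": 2_000_000_000},
    "revoked-token": {"active": False},
}


def fake_introspect(token: str) -> Dict:
    """Offline stand-in: like Okta, answer only {"active": false} for unknown tokens."""
    return FAKE_RESPONSES.get(token, {"active": False})


if __name__ == "__main__":
    for hdr in ("Bearer good-token", "Bearer other-app-token", "Bearer revoked-token",
                "Basic abc", "Bearer nonsense"):
        print(hdr, "->", authorize_request({"Authorization": hdr}, fake_introspect))
```

Inside a Flask view you would call `authorize_request(dict(request.headers))` and return 401 on `False`. Note that introspection already reports `active: false` for expired or revoked tokens; the extra `exp` and `iss` checks are defence in depth, and the `client_id` comparison is what stops a valid token minted for a different Okta app from reaching this API.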

@wcarreer Hello.

You can leverage the Resource Owner Password Flow (see here). This flow can allow you to do a single POST request to the /token endpoint, where the users assigned to the client application can provide their Okta username and password, and will receive in return an Access Token / ID Token.

Please follow the article provided and you should find all the information needed.

For anyone reviewing this later: I examined the Resource Owner flow, but ultimately rejected it on the advice of Okta support engineers. Instead, within our application I allow the user to retrieve their access token to use in Bearer requests via a page they can visit in the App after logging in via Okta. This is a bit more appropriate for our use case, and keeps the entire log in process offloaded to Okta.
