We plan to create an Okta application with a client id and client secret and are using an external library to handle the redirection flow for the planned UI. I have no questions about the web-driven UI / authentication flow; it all works as expected.
For the programmatic access, I've implemented a handler in our code that looks for an "Authorization: Bearer … Okta Access Token JWT … " header, decodes it, verifies it against the /introspect API in Okta, and finally checks that the client id matches our application's client id.
My main questions are:
- Is this even "the right way" to allow my users programmatic / API access?
- If it's not, what is the recommended way? I've been having trouble finding a clear example.
- If it is, what is the proper way to instruct my users on how to obtain their access tokens (via Okta APIs)? I currently have a method of doing this by calling /authn then /authorize against Okta, but I am extracting the token from the response from /authorize, which, while it does work, does not seem to be the intended purpose of /authorize. I was hoping there was some kind of /token API that my users could call to get their tokens.
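A handler of the shape the question describes (pull the token out of the Authorization: Bearer header, introspect it, and require the client_id to match), written here as an added example; it is not the poster's code or an Okta library. Everything specific in it is assumed: the client id `0oa_example_client_id`, the constructed table of introspection responses that stands in for the /introspect endpoint so the sample runs offline, and the authorization-server base URL of the form `https://{domain}/oauth2/default` used by the real `okta_introspect` helper (which follows RFC 7662 but is never called by the offline sample). The expiry check on `exp` goes a step beyond what the post describes.

```python
"""Bearer-token handler: extract the token, introspect it (RFC 7662),
and accept only active tokens issued to our own client id."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Mapping, Optional, Tuple

# Assumed value for illustration; a real deployment reads it from config.
EXPECTED_CLIENT_ID = "0oa_example_client_id"


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token from an Authorization header, or None.

    Header names and the 'Bearer' scheme are compared case-insensitively
    (RFC 7235 / RFC 6750); anything else (Basic, missing token) is rejected.
    """
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def okta_introspect(token: str, issuer: str, client_id: str, client_secret: str) -> dict:
    """POST to the authorization server's /v1/introspect with client credentials
    as HTTP Basic (assumed issuer form: https://{domain}/oauth2/default).
    This performs a network call and is not used by the offline sample below."""
    url = issuer.rstrip("/") + "/v1/introspect"
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authorize_request(headers: Mapping[str, str],
                      introspect: Callable[[str], dict],
                      expected_client_id: str = EXPECTED_CLIENT_ID,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the header carries a bearer
    token, introspection reports active=true, client_id matches ours, and exp
    (when present) is still in the future. Any introspection failure denies."""
    token = extract_bearer_token(headers)
    if token is None:
        return False, "missing or malformed Authorization: Bearer header"
    try:
        info = introspect(token)
    except Exception as exc:  # network error, bad JSON, non-2xx: fail closed
        return False, f"introspection failed: {exc}"
    if not info.get("active"):
        return False, "token not active"
    if info.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    now = time.time() if now is None else now
    exp = info.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    return True, "ok"


# Constructed introspection responses keyed by token string; they stand in
# for the /introspect endpoint so the example runs offline.
SAMPLE_INTROSPECTION = {
    "good-token": {"active": True, "client_id": EXPECTED_CLIENT_ID,
                   "sub": "user@example.com", "scope": "openid api",
                   "exp": 4102444800},
    "other-app-token": {"active": True, "client_id": "0oa_some_other_app",
                        "exp": 4102444800},
    "revoked-token": {"active": False},   # RFC 7662: inactive reply carries only active
}


def sample_introspect(token: str) -> dict:
    """Offline stand-in for okta_introspect()."""
    return SAMPLE_INTROSPECTION.get(token, {"active": False})


if __name__ == "__main__":
    for hdrs in ({"Authorization": "Bearer good-token"},
                 {"authorization": "bearer good-token"},
                 {"Authorization": "Bearer other-app-token"},
                 {"Authorization": "Bearer revoked-token"},
                 {"Authorization": "Basic dXNlcjpwYXNz"},
                 {}):
        print(hdrs, "->", authorize_request(hdrs, sample_introspect))
```

Wiring the real call in is a matter of passing `lambda t: okta_introspect(t, ISSUER, CLIENT_ID, CLIENT_SECRET)` as `introspect`. Denying on any exception from the introspection call is deliberate: an unreachable authorization server must not turn into an open API.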