Remote Resource Request

I have two orgs, both with their own Okta implementations and I have setup a trusted relationship between the two orgs’ Okta instances (hub and spoke). I want a user web app to authenticate with Org A, and then I want that user to be able to request a remote resource from Org B’s domain and have that request only return the resource if the user is properly authenticated to request the resource. I am expecting that I will need to pass a token from the Org A side of the request where the client has previously authenticated over to the Org B side of the equation where the resource exists.

I am unsure how the token is passed when I request the remote resources’ URL? Do I have to specifically attach a token in code or does the local Okta instance serve as a sort of registered proxy for the remote request whereby it attaches the token for me and forwards the request? I’m fine being pointed to documentation that answers these questions, too.

Additionally, on the Org B side of things, when the request for the resource comes in, how is the token then used to unpack and check the identity as valid (based on the org to org trust)? Does the Org B side Okta work as a proxy in that case?

In summary, Org A and Org B both have their own instances of Okta for authentication. A trusted relationship is setup between Org A and Org B in the proper direction such that Clients authenticated against Org A can make a request for a resource from the Org B domain. I’m curious in general how the request works? What needs to be configured? How is the token attached to the request? How is the token received and processed?