Hi, I have a suite of applications and I want to use Okta for the authentication.
My apps are like:
auth.mydomain.com
app1.mydomain.com
app2.mydomain.com
When I browse to auth I can log in correctly and I get back an Okta session token in a cookie, auth-session. This holds the domain of mydomain.com so I can reuse it for the rest of the apps.
Now I want to browse to app1 and call its API. In my middleware until now I had only JWT validation, but now as I understand it I need to call Okta's session API, api/v1/sessions/me, in order to get validated.
Use of the /api/v1/sessions/me endpoint is so you can receive information about the user's current Okta session (or a 404 if they do not have a session).
Why are you validating the Okta session? You mention doing JWT validation, which makes sense, as each of these (presumably OIDC) applications would be issued their own JWTs, and if they are calling an API, those JWTs should be validated by that API. But why would the applications be concerned about the Okta session itself?