I am tasked with setting up Okta for a project which has a .Net WebAPI backend and the front end being a React (JS) SPA.
What is the best practice for this scenario? Should I use JWT and drive authentication from the client side? Or is it better to have the client side submit login information to the .Net backend, and perform the authentication from the server side?
The best way is to get tokens directly in your client, and attach them to outgoing AJAX requests. Then, your backend must validate those tokens on each incoming call. We have some samples of exactly this!
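The flow described in the answer, as an added example that is not part of the original post or of Okta's samples: the client attaches the token as a bearer header, and the backend checks signature, issuer, audience and expiry on every call. Node's `crypto` stands in for both the identity provider and the .NET JWT middleware, and the issuer, audience, API origin and key pair are constructed placeholders.

```javascript
// Added example: constructed keys, issuer, audience and origin (all placeholders).
const crypto = require('node:crypto');

const ISSUER = 'https://idp.example.com/oauth2/default'; // placeholder issuer
const AUDIENCE = 'api://default';                         // placeholder audience (single string assumed)
const API_ORIGIN = 'https://api.example.com';             // placeholder API origin
const b64u = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the identity provider: signs an RS256 token for the demo.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function issueToken(claims) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Client side: attach the token only to calls that go to our own API.
function buildApiRequest(url, accessToken) {
  const headers = {};
  if (new URL(url).origin === API_ORIGIN) headers.Authorization = `Bearer ${accessToken}`;
  return { url, headers };
}

// Server side: the checks the backend repeats on every incoming call.
function validateRequest(req, nowSeconds = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(req.headers.Authorization || '');
  if (!match) return { ok: false, reason: 'missing or malformed bearer token' };
  const [, head, body, sig] = match;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url'));
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch { return { ok: false, reason: 'undecodable token' }; }
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url')))
    return { ok: false, reason: 'bad signature' };
  if (claims.iss !== ISSUER) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== AUDIENCE) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, subject: claims.sub };
}
```

In a real deployment the backend obtains the verification key from the identity provider's published signing keys rather than generating one locally.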