Spring Boot + Security OAuth2 integration with Okta Signin widget

We have an S3-hosted web app and a Spring Boot REST API as the backend. We wanted to integrate Okta SSO. I have used the Okta sign-in widget hosted on S3 for the login form; once the login is successful, I can get hold of the “Session Token” from the Okta response.

From the backend services standpoint, we need to make sure the authorization session is maintained. Below is the security config on my Resource server.

In Application.java

@EnableResourceServer

application.properties

security.oauth2.client.client-id=<<CLIENT_ID>>
security.oauth2.client.client-secret=<<CLIENT_SECRET>>
security.oauth2.client.access-token-uri=<<DOMAIN>>/oauth2/default/v1/token
security.oauth2.client.userAuthorizationUri=<<DOMAIN>>/oauth2/default/v1/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.client.scope=openid profile email

security.oauth2.resource.user-info-uri=<<DOMAIN>>/oauth2/default/v1/userinfo

I tried passing “Authorization: Bearer <<TOKEN>>” and then understood that the Session Token and the Access Token are different, as it fails with "Invalid Token". Do I need to invoke the Okta Sessions /authorize API to get an Access Token from the Session Token and then validate it, or is there a simple way to validate the session token against the Okta Auth server using Spring Security configuration?

Thanks in advance

If you’re using the sign-in widget in your front-end, it has helper methods to parse the access token from the URL after login.
You can see an example of how it works in the quick start guide - https://developer.okta.com/quickstart/#/widget/java/spring