We have an S3-hosted web app and a Spring Boot REST API as the backend. We wanted to integrate Okta SSO. I have used the Okta sign-in widget hosted on S3 for the login form; once the login is successful, I could get hold of the "Session Token" from the Okta response.
From the backend services standpoint, we need to make sure the authorization session is maintained. Below is the security config on my Resource Server.
    security.oauth2.client.client-id=<<CLIENT_ID>>
    security.oauth2.client.client-secret=<<CLIENT_SECRET>>
    security.oauth2.client.access-token-uri=<<DOMAIN>>/oauth2/default/v1/token
    security.oauth2.client.userAuthorizationUri=<<DOMAIN>>/oauth2/default/v1/authorize
    security.oauth2.client.clientAuthenticationScheme=form
    security.oauth2.client.scope=openid profile email
    security.oauth2.resource.user-info-uri=<<DOMAIN>>/oauth2/default/v1/userinfo
I tried passing "Authorization: Bearer <<TOKEN>>" and then understood that the Session Token and the Access Token are different, as it fails with "Invalid Token". Do I need to invoke the Okta Sessions /authorize API to get an Access Token from the Session Token and then validate it, or is there a simple way to validate the session token against the Okta Auth server using Spring Security configuration?
Thanks in advance
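The post's config uses the legacy `security.oauth2.*` properties and a user-info lookup. The following is an added example, not code from the post or from Okta, showing the other approach a resource server can take: validating the JWT access token locally (signature via the issuer's published keys, expiry, issuer and audience) with the Spring Security 5 resource-server support. It assumes Spring Boot 2.x with `spring-boot-starter-oauth2-resource-server` on the classpath, that `<<DOMAIN>>/oauth2/default` (the base of the URLs in the post) is the token issuer, and that `<<EXPECTED_AUDIENCE>>` is a placeholder for the audience configured on that authorization server. It validates access tokens only; an Okta session token is not an OAuth access token and would still be rejected here, which matches the "Invalid Token" result the post describes.

```java
// Added example (not from the original post): a Spring Security 5 resource-server
// configuration that validates an Okta-issued JWT access token on every request.
// Assumptions: Spring Boot 2.x with spring-boot-starter-oauth2-resource-server,
// <<DOMAIN>>/oauth2/default is the issuer, <<EXPECTED_AUDIENCE>> is a placeholder.
package com.example.api.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Issuer of the access tokens: the Okta authorization server base URL from the post.
    private static final String ISSUER = "<<DOMAIN>>/oauth2/default";
    // Placeholder (assumption): the audience value configured on that authorization server.
    private static final String AUDIENCE = "<<EXPECTED_AUDIENCE>>";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must carry a valid bearer JWT; no session state is kept on the API.
        http.authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt());
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the issuer's OpenID discovery document, fetches its JWKS, and checks
        // the signature, expiry and "iss" claim of every token.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(ISSUER);

        // The default validators do not check "aud"; add an explicit audience check so a
        // token minted for a different API is rejected even though it is correctly signed.
        OAuth2TokenValidator<Jwt> audience = jwt ->
            jwt.getAudience() != null && jwt.getAudience().contains(AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "The required audience is missing", null));

        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, audience));
        return decoder;
    }
}
```

With this in place the backend needs no client secret and no call to `/userinfo` per request: the browser presents the access token on every call, and a token that is expired, signed by a different key, issued by a different server, or minted for a different audience is rejected before any controller code runs.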