We have an S3-hosted web app and a Spring Boot REST API as backend. We wanted to integrate Okta SSO. I have used the Okta sign-in widget hosted on S3 for the login form; once the login is successful, I can get hold of the "Session Token" from the Okta response.
From the backend services standpoint, we need to make sure the authorization session is maintained. Below is the security config on my Resource server.
On Application.java
@EnableResourceServer
application.properties
security.oauth2.client.client-id=<<CLIENT_ID>>
security.oauth2.client.client-secret=<<CLIENT_SECRET>>
security.oauth2.client.access-token-uri=<<DOMAIN>>/oauth2/default/v1/token
security.oauth2.client.userAuthorizationUri=<<DOMAIN>>/oauth2/default/v1/authorize
security.oauth2.client.clientAuthenticationScheme=form
security.oauth2.client.scope=openid profile email
security.oauth2.resource.user-info-uri=<<DOMAIN>>/oauth2/default/v1/userinfo
I tried passing "Authorization: Bearer <<TOKEN>>" and then understood that the Session Token and the Access Token are different, as it fails with "Invalid Token". Do I need to invoke the Okta Sessions /authorize API to get an Access Token from the Session Token and then validate, or is there a simple way to validate the session token against the Okta Auth server using Spring Security configuration?
Thanks in advance