I’m planning to build an application using React and Spring Boot with Okta as IAM. I don’t want to give the access token to the UI (React); I’m planning to keep tokens at the Spring Boot server or DB level.
So, the flow should be like this: React redirects to the Okta sign-in page, and Okta sends the auth code and ID token & access token to Spring.
Is it possible?
If yes, how will the UI know whether the user got authenticated or not?
What values will go to the UI to tell the application that user ‘xyz’ got authenticated?
Sorry for the delay! What you are describing is typically what we recommend; if a backend can handle authentication, it should.
We have a React + Kotlin post; the Spring Security configuration bits would be the same for Java too. If you handle the authentication with your backend, then your frontend just uses cookies (you can cluster sessions with Spring Session if you need to).
As for how your UI knows whether your user is authenticated or not, that’s an application-specific concern (although a very common one). You could create a REST endpoint that returns info about the currently logged-in user. If your application stores data about the user in a DB, you could perform a query and return the info.
If you just need information about the user you can inject it with the @AuthenticationPrincipal annotation:
As for what values go to the UI to inform the frontend that the user is authenticated, that’s also up to you. Do you need the UI to handle anonymous user requests? If so, maybe you create some /user endpoint that returns an empty object (or maybe a 403 status code).
You could also look at what JHipster (an application generator) does: Using React (it uses Spring Security by default).
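An added example (not code from the reply above or from the Okta/JHipster posts it mentions) of the backend-for-frontend shape the answer describes: Spring Security performs the Okta code exchange server-side, the browser only ever holds a session cookie, and a /user endpoint tells the React app who is signed in. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-client and the Okta issuer and client settings in application.yml (not shown); the class and endpoint names are my own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The UI may ask "who am I?" before logging in
                .requestMatchers("/user").permitAll()
                .anyRequest().authenticated())
            // Redirect to Okta; the code-for-token exchange happens on the server,
            // so the access and ID tokens never reach the React bundle
            .oauth2Login(Customizer.withDefaults())
            // Readable XSRF-TOKEN cookie so the SPA can send the CSRF header on POSTs
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}

@RestController
class UserController {
    // React calls GET /user with its session cookie (fetch(..., {credentials: "include"}))
    @GetMapping("/user")
    public ResponseEntity<Map<String, Object>> currentUser(@AuthenticationPrincipal OidcUser user) {
        if (user == null) {
            // Anonymous session: the principal is not an OidcUser, so the UI shows "Sign in"
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Return only the claims the UI needs, never the tokens themselves
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("name", user.getFullName());
        body.put("email", user.getEmail());
        return ResponseEntity.ok(body);
    }
}
```

The two classes are shown in one listing for brevity; in a real project they live in separate files, and Spring Security 6 SPAs also need the request-attribute handler described in the Spring Security single-page-application CSRF docs for the cookie token to be populated reliably.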