I’m developing an application with a MicroServices architecture and I think I am having some confusion about how my Okta should be configured.
I have a front-end application which uses OIDC to authenticate the user. This works correctly and the user is able to log in and receives a cookie with the access_token and identity_token.
The next part is what I’m having trouble with. In the API management documentation, it says that “API Products” should each have their own authorization server, so I have created different ones to represent those, which each define their own issuer and audience. I had intended to send the user’s original access_token to the services, which each call to make sure that the user is authorized to perform an action at each service call, but because the Issuer and Audience don’t match the original token, I receive an unauthorized response.
Am I using API management incorrectly, or is there some way I can take the user’s token and fetch one specific to each authorization server?
For context, I’m using ASP.NET Core 2.0.
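As an added illustration (not part of the original question, and not Okta’s or ASP.NET Core’s own code), the Python validator below performs the signature, issuer and audience checks that a resource server’s JWT middleware applies, which is why a token minted by one Okta authorization server is rejected by a service configured for another. The tenant URL, authorization server ids, audiences and the HS256 shared key are constructed stand-ins (Okta signs access tokens with RS256; the logic of the iss/aud checks is the same).

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample values: not a real Okta tenant, auth server id or key.
SIGNING_KEY = b"constructed-demo-key"  # stand-in for Okta's RS256 key pair
ISSUER_DEFAULT = "https://dev-000000.okta.com/oauth2/default"
ISSUER_ORDERS = "https://dev-000000.okta.com/oauth2/aus0000000orders"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str) -> str:
    """Build an HS256 JWT carrying the iss/aud an authorization server would set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": audience, "sub": "user@example.com"}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate(token: str, expected_issuer: str, expected_audience: str) -> Tuple[bool, str]:
    """Mirror the checks a resource server's JWT middleware performs, in order."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm so a token cannot pick its own verification method.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    # iss must equal this service's configured Authority (one authorization server).
    if claims.get("iss") != expected_issuer:
        return False, f"issuer mismatch: {claims.get('iss')}"
    # aud may be a string or a list; the service's own audience must be present.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience mismatch: {aud}"
    return True, "ok"
```

A token issued for the default authorization server passes at a service that expects that issuer and audience, and fails the issuer check at a service configured for a different authorization server.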