Validate user session from back-end server

I have built an SPA application using the Okta Auth SDK (tried in VueJS and Angular 8 separately) with a back-end micro-service written in Python. The back-end makes API calls into Okta (which require an admin token).

The user authenticates to the Okta server (including MFA) fine and is able to access the web application routes.

QUESTION: How can the back-end micro-service validate the currently logged-in user session BEFORE making the Okta API request? (e.g. if the user session is invalid or expired, then the appropriate response can be sent and the client side can redirect the user to log in again).

I tried making a call to /api/v1/sessions/me from the client side but I’m getting a CORS blocked request (YES: the trusted origins are configured). I think it’s because the current session cookie isn’t being sent.

QUESTION: Does the Okta AuthJS library have a call for this? (I couldn’t find one).
You can send the access token received in the front-end to the back-end Python script in an authorization header and, from there, Python can validate the token using a JWT verifier and allow the user to run the Okta API query or deny it, in which case the front-end would redirect the user to log in again.

If you are working with /api/v1/sessions/me, can you please provide screenshots of the error from the browser’s console log and the Trusted Origins in Okta?
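The flow the answer describes (front-end sends the access token in an `Authorization: Bearer` header, the Python back-end verifies it before touching the Okta API, and answers 401 so the SPA can redirect to login) as an added, self-contained example. This is not code from the answer, the question, or Okta's own libraries. Assumptions: `ISSUER` and `AUDIENCE` are placeholder values for the Okta authorization server; and, so the block runs offline, the signature step uses HS256 with a constructed shared secret as a stand-in for the RS256 check a real verifier performs against the issuer's JWKS endpoint (in production use Okta's `okta-jwt-verifier` package or PyJWT with its `PyJWKClient`, which fetch and cache those public keys for you). The `mint_example_token` helper exists only to exercise the verifier; in a real deployment only Okta mints access tokens, and the admin API token never leaves the back-end.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed settings for this example (not real Okta values). In a real deployment
# ISSUER is your Okta authorization server URL and AUDIENCE is the audience configured
# on it ("api://default" is the default server's audience).
ISSUER = "https://example-org.okta.com/oauth2/default"
AUDIENCE = "api://default"
# Stand-in for the RS256 public key a real verifier fetches from the issuer's JWKS.
# HS256 with a shared secret is used here only so the example runs offline.
SHARED_SECRET = b"constructed-example-secret-not-for-production"
EXPECTED_ALG = "HS256"


class TokenError(Exception):
    """Raised whenever the request must be answered with 401."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_bearer_token(headers: dict) -> str:
    """Pull the token out of 'Authorization: Bearer <token>' (header name is case-insensitive)."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        raise TokenError("missing Authorization header")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("Authorization header is not a Bearer token")
    return token.strip()


def verify_access_token(token: str, now: Optional[int] = None, leeway: int = 30) -> dict:
    """Validate signature, issuer, audience and time claims; return the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed JWT")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise TokenError("undecodable JWT")
    # Pin the algorithm server-side: the token's own header must never select the
    # verifier, otherwise an "alg": "none" token would be accepted unsigned.
    if header.get("alg") != EXPECTED_ALG:
        raise TokenError("unexpected signing algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        raise TokenError("signature mismatch")
    if payload.get("iss") != ISSUER:
        raise TokenError("issuer mismatch")
    aud = payload.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("token expired or missing exp")
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and now < nbf - leeway:
        raise TokenError("token not yet valid")
    return payload


def authorize_request(headers: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Gate to run before the Okta API call: (200, identity) or (401, reason for the SPA)."""
    try:
        claims = verify_access_token(extract_bearer_token(headers), now=now)
    except TokenError as err:
        return 401, {"error": "invalid_token", "error_description": str(err)}
    return 200, {"sub": claims.get("sub"), "scopes": claims.get("scp", [])}


def mint_example_token(claims: dict, alg: str = EXPECTED_ALG, secret: bytes = SHARED_SECRET) -> str:
    """Constructed helper that builds a signed JWT so the verifier can be exercised offline."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    now = int(time.time())
    token = mint_example_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.com",
                                "iat": now, "exp": now + 300, "scp": ["openid"]})
    print(authorize_request({"Authorization": f"Bearer {token}"}))
    print(authorize_request({"Authorization": "Bearer " + token[:-4] + "AAAA"}))  # tampered signature
```

`authorize_request` is the piece to call at the top of every back-end route that fans out to the Okta API: a 401 with `invalid_token` is the signal the SPA uses to clear its state and send the user back through the Okta login (the session cookie the question tried to read via `/api/v1/sessions/me` is never needed server-side). The checks are deliberately ordered so that nothing from the token is trusted until its signature has been verified under an algorithm the server chose.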