I just tried building a RESTful API with Flask and using Okta for user authentication. The API will be consumed by a React app. There are plenty of examples on how to build this, unfortunately, they seem to be deprecated? If you add a new SPA application with authentication code grant and PKCE, you do not get a secret key. So the examples use Flask-OIDC, but you need to provide a client ID and secret. So the way I came up with was to just validate the JWT tokens received at my resource provider/API by using PyJWT, fetching the JWKs from the corresponding issuer and validating the issuer. I pretty much followed the “Validation of JWT tokens” guide from Okta. You can find my implementation here: https://gist.github.com/linuskohl/024a487c2435ba1287e2d1c9d7406aea
Is this correct, or am I missing some important point?
Would really appreciate the feedback.
Best wishes, Linus
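As an added example of the resource-server validation the question describes (this is not the poster's gist and not Okta's code), the block below uses PyJWT's `PyJWKClient` to select the JWKS key by the token's `kid`, pins the algorithm to RS256, and checks `iss`, `aud`, `exp`/`iat` and Okta's `cid` claim. The issuer, audience, client id and kid are constructed placeholders, and the JWKS is served from an in-memory test double (`OfflineJWKClient`, a hypothetical helper) so the whole thing runs offline; in production you would construct `PyJWKClient(JWKS_URI)` directly.

```python
"""Added example (not the poster's gist): validating Okta access tokens with PyJWT.
Requires: pip install "PyJWT[crypto]"   (PyJWT plus the cryptography package)."""
import base64
import json
import time
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt import PyJWKClient
from jwt.algorithms import RSAAlgorithm

# Constructed placeholders; take the real values from your Okta authorization server.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
JWKS_URI = f"{ISSUER}/v1/keys"              # where Okta publishes its signing keys
AUDIENCE = "api://default"                  # audience configured on that auth server
CLIENT_ID = "0oa-placeholder-spa-client"    # the React SPA's client id
KID = "constructed-kid-1"

class AuthError(Exception):
    """Reject the request; a Flask view maps this to HTTP 401."""

class ResourceServerValidator:
    """Signature against the issuer's JWKS, then iss/aud/exp/cid checks."""

    def __init__(self, jwks_client):
        self.jwks_client = jwks_client

    def validate(self, authorization_header):
        """Return verified claims for an 'Authorization: Bearer <jwt>' header."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            raise AuthError("missing bearer token")
        token = authorization_header[len("Bearer "):].strip()
        try:
            # Picks the JWKS entry whose kid matches the token header; the client
            # refetches the JWKS on an unknown kid, which covers Okta key rotation.
            signing_key = self.jwks_client.get_signing_key_from_jwt(token)
            claims = jwt.decode(
                token, signing_key.key,
                algorithms=["RS256"],       # pinned: 'none' and HS* are never accepted
                audience=AUDIENCE, issuer=ISSUER,
                options={"require": ["exp", "iat", "iss", "aud", "sub", "cid"]},
                leeway=30,                  # seconds of clock skew tolerated on exp/iat
            )
        except jwt.PyJWTError as exc:       # JWKS lookup, signature and claim errors
            raise AuthError(f"invalid token: {exc}") from exc
        if claims["cid"] != CLIENT_ID:      # 'cid' = the OAuth client Okta minted it for
            raise AuthError("token issued to another client")
        return claims

def build_offline_fixture():
    """Constructed test double: a fresh RSA key and a JWKS served from memory."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    jwk = json.loads(RSAAlgorithm.to_jwk(private_key.public_key()))
    jwk.update({"kid": KID, "use": "sig", "alg": "RS256"})

    class OfflineJWKClient(PyJWKClient):
        def fetch_data(self):               # PyJWKClient's only network call
            return {"keys": [jwk]}

    return private_pem, ResourceServerValidator(OfflineJWKClient(JWKS_URI))

def mint_token(private_pem, **overrides):
    """Stand-in for Okta issuing an access token (constructed claims)."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "linus@example.com", "cid": CLIENT_ID,
              "iat": now, "exp": now + 3600, "scp": ["openid", "profile"]}
    claims.update(overrides)
    return jwt.encode(claims, private_pem, algorithm="RS256", headers={"kid": KID})

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def run_checks():
    """Returns {case: 'accepted'|'rejected'} for each token plus the good token's sub."""
    private_pem, validator = build_offline_fixture()
    good = mint_token(private_pem)
    header, payload, sig = good.split(".")
    now = int(time.time())
    cases = {
        "expired": mint_token(private_pem, exp=now - 3600),
        "wrong_issuer": mint_token(private_pem, iss="https://dev-999999.okta.com/oauth2/default"),
        "wrong_audience": mint_token(private_pem, aud="api://other"),
        "foreign_client": mint_token(private_pem, cid="0oa-some-other-client"),
        "tampered": f"{header}.{b64url({'sub': 'admin'})}.{sig}",        # edited after signing
        "alg_none": f"{b64url({'alg': 'none', 'kid': KID})}.{payload}.",  # unsigned token
    }
    results = {}
    for name, token in cases.items():
        try:
            validator.validate("Bearer " + token)
            results[name] = "accepted"
        except AuthError:
            results[name] = "rejected"
    results["good_sub"] = validator.validate("Bearer " + good)["sub"]
    return results
```

In a Flask view you would call `validator.validate(request.headers.get("Authorization"))` and turn `AuthError` into a 401; per-endpoint authorization (checking the `scp` claim against the scopes the endpoint needs) is a separate step that belongs after this one. The `require` list is what makes a token without `cid` fail closed rather than skipping the client check, and pinning `algorithms=["RS256"]` is what rejects the `alg: none` case.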