I have a web front end that's using Okta, and a backend API that is a separate application. I want the users of the front end to be able to query the API directly with AJAX and authenticate/authorize with Okta.
I can add SAML auth using Okta to both apps, but I don't know how to 'share' or generate the auth token for the API in a way that is transparent to the user. How can I achieve this?
Typically, you won't want to SAML enable the API endpoints as it isn't the best solution for APIs. However, Okta's API Access Management will be able to handle both of these flows.
If you OIDC enable your web app and then protect your APIs with OAuth 2.0 you will get the desired authn/authz.
For example, when the user navigates to the app they can click "login" to log in to Okta. Okta can return an ID Token (OIDC) and an Access Token (API Access Management). The ID Token will contain information about the user that you can display in the app. The Access Token can be passed to your API to grant access to the API.
Your exact use may be different as you can use a handful of technologies (SAML, OIDC, OAuth) depending on your use cases.