Looking for some help understanding the basic flow for an SPA using the Okta Simplified Flow.
I have created an application within Okta using the SPA and "Send ID Token directly to app" settings.
-- User clicks on the app tile in Okta, Okta mints and posts the id_token JWT to the SPA
-- SPA stores this token client side (cookie etc).
-- The SPA then interacts with a corresponding API and sends that token with each request
-- The API validates the JWT, checks expiration, checks user in certain group and authorizes or denies
Do I have this correct or am I missing something here? Does the API in the scenario need to interact with Okta for any reason?