Okta Classic Engine | Integrations | Answered | 2024-03-25T04:11:13.000Z | 2018-05-10T22:59:32.000Z
questions on service to service authentication

Hi, I'm creating a design for authentication between a bunch of backend services. E.g., I have services A, B, C, and all of them require an access token from Okta.

 

1) Apps go through Okta authentication, get an access token and call A, B, or C. This is pretty straightforward.

 

2) Behind the scenes, services A, B, and C also talk to each other.  How do I design it in such a way that A can talk to B all the time with proper authentication, while at the same time, A and B don't have to bug Okta all the time?

 

One thing I found is refreshing access tokens. 

 

https://developer.okta.com/authentication-guide/tokens/refreshing-tokens  

The workflow described in the link above makes a lot of sense. I do have a couple of detailed questions:

 

1) Is it possible to create a service account (just like a user but tied to a service) to get a Refresh Token? If yes, how can that be done?

 

2) What are the best good practices around caching/storing the long-lived refresh token locally (to a service like A or B)? 

 

Thanks,

This question is closed.