
PulkitT.47407 (Customer) asked a question.
We have an application that has a frontend UI (which is a web application) which communicates with a resource server. Our frontend will be using some APIs from a resource server to get data.
I am planning to add the frontend to Okta and provide access to Okta-registered users.
In the resource server, we have some APIs that we want to expose to our customers to integrate in their system (programmatically). To use our APIs, we have to provide client credentials (client ID/secret) to them. Using clientId/Secret, they will get an access_token and will use that in subsequent requests. We can display this clientId/Secret via the frontend UI once the user logs in to it via Okta.
How should I authenticate requests to the resource server from the frontend? And how do I authenticate requests to the resource server via customer using clientId/Secret? Should I use one or two different tokens for this purpose?
Does Okta provide a per-user client ID/secret that a user (customer) can use to get an access_token and send it to access the resource server, with the resource server validating the token against Okta?

My comment:
You said we can display this clientId/Secret via the frontend UI once the user logs in to it via Okta, but I think Okta doesn't expose the client secret via API. So how are you doing that?
Q- How should I authenticate requests to the resource server from the frontend?
Ans- You can use the token endpoint to get an access_token: https://developer.okta.com/docs/reference/api/oidc/#endpoints
Q- How do I authenticate requests to the resource server via customer using clientId/Secret?
Ans- Use the same token API endpoint with grant_type = client_credentials
Q- Does Okta provide a per-user client ID/secret that a user (customer) can use to get an access_token?
Ans- No. The client ID and client_secret are per application.

No, Okta doesn't expose the client secret via API. Let me give you more details about the requirement.
We have our resource server, which exposes a few APIs. Those APIs can be accessed via our UI or by a 3rd-party developer using clientId/Secret (client credentials).
Now to achieve this, once the user logs in to the UI via Okta, all the requests to the resource server will have the Okta access_token, and in the API gateway we will validate it against Okta. We will have our own authentication server, which will generate a clientId/secret per Okta user and display it to the 3rd-party developer on login to the UI. So the developer can get an access_token from our authentication server using the clientId/secret and use that token to access the APIs.
But the problem here is that the API gateway needs to be aware of 2 tokens: one from Okta (which will come from the UI) and a second from our authentication server (which will come from the 3rd-party developer).
Is there any better way to achieve this requirement using Okta?

If I understand your question correctly, then the question is not really about Okta; it's about the API gateway validating two types of token: one is from Okta and another is from your auth server.
In that case you need to write some logic on the API gateway to verify the token at both places before taking the final decision.

My question was: does Okta provide any other functionality (related to API authentication using client credentials) to achieve this instead of managing 2 different tokens?
Thanks for your help!
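
The gateway-side check discussed in this thread, accepting tokens from two issuers, as an added example that is not part of the original posts or of Okta's code: the `iss` claim only selects an entry from an allow-list, and the signature, audience and expiry are then checked against that entry. The issuer URLs, audience, keys and the `mint`/`validate` helpers are constructed for illustration, and HS256 from the standard library stands in for the RS256/JWKS verification a real deployment would use for Okta-issued tokens.

```python
import base64, hashlib, hmac, json, time

# Constructed trust table: one entry per issuer the gateway accepts.
# Assumption: HS256 secrets stand in for each issuer's real verification key.
TRUSTED_ISSUERS = {
    "https://example.okta.com/oauth2/default":       # UI tokens (Okta)
        {"key": b"okta-demo-key", "aud": "api://resource", "source": "ui"},
    "https://auth.example.internal":                 # 3rd-party developer tokens
        {"key": b"partner-demo-key", "aud": "api://resource", "source": "partner"},
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint(claims, key):
    """Build a constructed test token; stands in for either token server."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64e(json.dumps(claims).encode())
    return signing_input + "." + _b64e(_sign(key, signing_input))

def validate(token, now=None):
    """Return (source, claims) for a token from a trusted issuer, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64d(h)), json.loads(_b64d(p)), _b64d(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("not a JSON object")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":       # pin the algorithm, never follow the header
        raise ValueError("unexpected alg")
    issuer = TRUSTED_ISSUERS.get(str(claims.get("iss")))  # iss only picks an allow-listed key
    if issuer is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(_sign(issuer["key"], h + "." + p), sig):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if claims.get("aud") != issuer["aud"] or not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("wrong audience or expired")
    return issuer["source"], claims
```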