<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y00007yrBeHSAUOkta Classic EngineSingle Sign-OnAnswered2024-04-15T09:30:27.000Z2020-03-09T12:28:28.000Z2020-03-09T15:01:56.000Z

LinusK.80451 (Customer) asked a question.

Validation of JWT tokens issued by Okta

Hi,

I just tried building a RESTful API with Flask and use Okta for user authentication. The api will be consumed by a React app. There are plenty of examples on how to build this, unfortunately they seem to be deprecated? If you add a new SPA application with authentication code grant and PKCE, you do not get a secret key. So the examples use Flask-oicd but you need to provide a client id and secret. So the way I came up with was to just validate the JWT tokens received at my resource provider/api by using PyJWT, fetching the JWKs from the corresponding issuer and validating the issuer. I pretty much followed the "Validation of JWT tokens" guide from Okta. You can find my implementation here: https://gist.github.com/linuskohl/024a487c2435ba1287e2d1c9d7406aea

Or do I miss the whole point?

 

Would really appreciate feedback.

 

Best wishes, Linus

 


  • bc221 (bc221)

    Hi Linus,

     

    First of all we cannot use "code" as grant type for SPA, you need to use responseType: ['token', 'id_token'] or any one of these but not "code".

     

    Regarding verifying Okta JWT token. Please use library okta-jwt https://pypi.org/project/okta-jwt/

     

    from okta_jwt.jwt import validate_token

    validate_token(access_token, issuer, audience, client_ids)

     

     

     

    Expand Post
This question is closed.
Loading
Validation of JWT tokens issued by Okta