
LinusK.80451 (Customer) asked a question.
Hi,
I just tried building a RESTful API with Flask and use Okta for user authentication. The api will be consumed by a React app. There are plenty of examples on how to build this, unfortunately they seem to be deprecated? If you add a new SPA application with authentication code grant and PKCE, you do not get a secret key. So the examples use Flask-oicd but you need to provide a client id and secret. So the way I came up with was to just validate the JWT tokens received at my resource provider/api by using PyJWT, fetching the JWKs from the corresponding issuer and validating the issuer. I pretty much followed the "Validation of JWT tokens" guide from Okta. You can find my implementation here: https://gist.github.com/linuskohl/024a487c2435ba1287e2d1c9d7406aea
Or do I miss the whole point?
Would really appreciate feedback.
Best wishes, Linus

Hi Linus,
First of all we cannot use "code" as grant type for SPA, you need to use responseType: ['token', 'id_token'] or any one of these but not "code".
Regarding verifying Okta JWT token. Please use library okta-jwt https://pypi.org/project/okta-jwt/
from okta_jwt.jwt import validate_token
validate_token(access_token, issuer, audience, client_ids)