
ScottM.00708 (Customer) asked a question.
The latest OAuth spec suggests that SPAs use the back channel to acquire access tokens from the authorization server. Looking at the Okta auth-js library, I see methods like signInWithRedirect which complete with an access token. Is there a method (I didn't see one) that completes with the authorization code, so we can send the auth code to our backend to acquire the token, therefore keeping the tokens out of the browser? Or must we do this ourselves?
Looking for an existing Angular solution to implement the BFF pattern.

Hello @ScottM.00708 (Customer)
I hope you are having a great day.
Thank you for posting. BFF is actually supported using the API's integration.
If you need further assistance, you can also feel free to post this question on our Okta Developer Forums: https://devforum.okta.com. This is a place for the Okta developer community to interact.
Have a great day ahead.
Henry E.
Okta Inc
I am not seeing a way to get the authorization code using okta-auth.js.
My config:

    const config = {
      clientId: 'xxxxxx',
      issuer: `https://dev-xxxxx.okta.com/oauth2/default`,
      redirectUri: 'https://10.x.x.x:3000/callback',
      scopes: ['openid'],
      grantType: 'authorization_code',
      pkce: true,
      testing: {
        disableHttpsCheck: true // This does not work....
      }
    };

My handler:

    async _oAuthSigninClickEvent(event: any) {
      console.log("_oAuthSigninClickEvent");
      const isAuthenticated = await oktaAuth.isAuthenticated();
      console.log("_oAuthSigninClickEvent: isAuthenticated " + isAuthenticated);
      if (isAuthenticated) {
        await oktaAuth.signOut();
        console.log("_oAuthSigninClickEvent: signOut ");
      }
      const options = {
        originalUri: '/object-navigator/mode/logical',
        responseType: ['code']
      }
      try {
        console.log("_oAuthSigninClickEvent: isAuthorizationCodeFlow " + await oktaAuth.isAuthorizationCodeFlow());
        await oktaAuth.signInWithRedirect(options);
        console.log("_oAuthSigninClickEvent: isAuthenticated " + isAuthenticated);
      } catch (err) {
        console.error(err);
        this.__errorMessage = err;
      }
      // this._router.setCurrentView('landing-page');
    }

My debug output:

    _oAuthSigninClickEvent
    _oAuthSigninClickEvent: isAuthenticated false
    _oAuthSigninClickEvent: isAuthorizationCodeFlow false
    _oAuthSigninClickEvent: isAuthenticated false

The response contains the code as I requested.
https://10.2.4.1:3000/callback?code=-guniWCf1FhutX3M9q4eSXv8byI4-_jIO7Xu6cNv5vY&state=LFrEl3yqbtMojCC8FOEI5OBN2JB7NB9ZyirtoKPDTfpgNDDEdCgxXOEcfWE2ipvh
But I do not see a way to get this code using the js library so it can be sent to our backend to acquire the tokens using the back channel. Is there an example of getting 'code' and sending it to a backend to acquire the token?
Thanks
This leads me to believe no, I would think if we asked for just 'code' then the library would not in the background go get the tokens.
https://devforum.okta.com/t/authorization-code-flow-with-pkce/5725/2
Am I wrong here?
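
The code-for-token exchange asked about in this thread, as an added example that is not part of the original posts and is not Okta's code: a backend that keeps `state` and the PKCE `code_verifier` in its own session validates the callback and builds the back-channel token request. The function names and sample values are hypothetical, and the `/v1/token` path assumes an Okta custom authorization server such as the `default` one in the posted issuer.

```javascript
// Added example. Function names and all sample values are constructed.

// Validate the redirect sent to redirectUri and return the one-time
// authorization code. expectedState is the value the backend stored in the
// user's server-side session when it started the flow.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  const code = params.get('code');
  const state = params.get('state');
  if (!code || !state) throw new Error('callback is missing code or state');
  // A mismatched state means this response does not belong to this session.
  if (state !== expectedState) throw new Error('state mismatch');
  return code;
}

// Build the back-channel POST (RFC 6749 section 4.1.3 plus the RFC 7636
// code_verifier). Assumption: the token endpoint is <issuer>/v1/token.
function buildTokenRequest({ issuer, clientId, redirectUri, code, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    redirect_uri: redirectUri, // must equal the value sent to /authorize
    code,
    code_verifier: codeVerifier,
  });
  return {
    url: `${issuer.replace(/\/+$/, '')}/v1/token`,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
      body: body.toString(),
    },
  };
}

// Constructed sample session and callback (not values from the thread).
const session = { state: 'state-abc123', codeVerifier: 'verifier-'.padEnd(43, 'x') };
const sampleCallback = 'https://app.example.test/callback?code=sample-code&state=state-abc123';
const tokenRequest = buildTokenRequest({
  issuer: 'https://dev-xxxxx.okta.com/oauth2/default',
  clientId: 'xxxxxx',
  redirectUri: 'https://app.example.test/callback',
  code: parseCallback(sampleCallback, session.state),
  codeVerifier: session.codeVerifier,
});
console.log(tokenRequest.url);
// The backend then calls fetch(tokenRequest.url, tokenRequest.init) and keeps the tokens server-side.
```

Because the verifier and state live in the backend session here, the browser only ever relays the short-lived code and never holds a token.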