
I have a Spring Boot application with a couple of REST endpoints. I am trying to use OAuth2 together with Okta to limit access to these endpoints depending on roles. So far I have done this:

I have been able to get a BEARER token by calling:

oauth2/default/v1/token

Then I can use the token to hit my endpoints in localhost.

I tried to use some of this https://developer.okta.com/blog/2017/10/13/okta-groups-spring-security

to implement the access based on user group. Now the problem is that when calling oauth2/default/v1/token I am using the user and password provided as client id and client credentials in my application.

Is there any way to generate tokens by calling the /token endpoint that contain user specific information?

carlos palma

2 Answers


Okta has not exposed a public API to generate tokens; however, they can be generated using the API /api/internal/tokens. The Okta UI uses this API to generate tokens.

santosh

Most user-scoped OAuth flows involve the user authenticating through the browser when you redirect them to the authorization endpoint. If you are not able to do so, you can instead make a series of backend calls to receive tokens via the Authorization Code flow (recommended) or the Implicit flow (not as secure). Note that this option will only work if the users in question are Okta mastered (aka, the users have passwords within Okta and are not federated).

  1. Make a primary authentication call to /authn, providing the user's username/password.
  2. If the user is not required to answer an MFA challenge, the status returned from this call will be SUCCESS and you will be returned a sessionToken in the response.
  3. Include the sessionToken as a parameter in your authorize request to request either an authorization code (authorization code flow) or token(s) (implicit flow) for a user assigned to the application in question.
  4. If using the authorization code flow, make the call to the /token endpoint to get the tokens back. If using the implicit flow, you already have the token(s).
Andrea
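The four steps above, shaped as request builders and response checks (an added example, not code from the answer or from Okta); the org URL, client id/secret, redirect URI and the sample responses are assumed placeholders, and the HTTP calls themselves are left to whatever client you use:

```python
"""Okta sessionToken -> authorization code -> /token, as request/response shaping."""
import base64
from urllib.parse import urlencode, urlparse, parse_qs

OKTA_ORG = "https://example-org.okta.com"   # assumed placeholder org URL
AUTH_SERVER = f"{OKTA_ORG}/oauth2/default"  # same server as the /oauth2/default/v1/token path in the question


def authn_request(username, password):
    """Step 1: POST body for {OKTA_ORG}/api/v1/authn (primary authentication)."""
    return {"url": f"{OKTA_ORG}/api/v1/authn",
            "json": {"username": username, "password": password}}


def session_token_from_authn(response_json):
    """Step 2: only a SUCCESS status carries a sessionToken; any other status
    (MFA_REQUIRED, LOCKED_OUT, ...) must not be treated as authenticated."""
    status = response_json.get("status")
    if status != "SUCCESS":
        raise PermissionError(f"primary authentication did not succeed: {status}")
    return response_json["sessionToken"]


def authorize_url(client_id, redirect_uri, session_token, state):
    """Step 3: authorize request with response_type=code (authorization code flow).
    `state` is a per-request random value the caller keeps to check the redirect."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid profile groups", "redirect_uri": redirect_uri,
              "state": state, "sessionToken": session_token}
    return f"{AUTH_SERVER}/v1/authorize?{urlencode(params)}"


def code_from_redirect(location, expected_state):
    """Pull the authorization code out of the 302 Location header; reject a
    mismatched state or an error response instead of exchanging it."""
    qs = parse_qs(urlparse(location).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on redirect")
    if "error" in qs:
        raise ValueError(f"authorize error: {qs['error'][0]}")
    return qs["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: exchange the code at /v1/token; client authenticates with HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": f"{AUTH_SERVER}/v1/token",
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "data": {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": redirect_uri}}
```

The resulting access token is issued for the authenticated user rather than for the client, so the groups claim the linked blog post relies on will be present when the authorization server is configured to include it.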