angular, oauth-2.0, oauth, openid-connect, okta-api

How do I request and store 2 Okta Access tokens to 2 separate backend APIs?


I have an Ionic/Angular Application that uses Okta to sign in with a redirectURI. Once I sign in, I get an access token that I can send to my backend API and get information back. That works great.

Problem: Once I'm signed in, I need to do another Okta call (with my app acting as the client) with different credentials to get an access token for a completely different backend API.

How can I manage both tokens at the same time + how would I store those tokens?

I have a custom HTTP interceptor that only takes the one access token as a header for my current POST calls, but I want to do another Okta call with different credentials and then grab that token for a different POST call.

My current implementation is similar to this link: HERE

All I see are articles about Okta Sign in, etc etc.

My backends are 2 separate Spring-Boot Applications

Any direction would be great!!


Solution

  • I would aim for a single token, as Philipp says, since that is the standard option - others will add a lot of complexity. I am assuming here that both APIs are provided by your own backend and are equally trusted.

    ACCESS TOKEN DESIGN

    Each API should validate the access token, including checking that its issuer and audience have expected values. Each API should then check for its required scopes. So perhaps design the client scopes like this, so that it can call 2 APIs:

    scope: openid profile orders inventory
    

    Also issue an audience to access tokens that can be used by multiple APIs, e.g. api.example.com.

    Note that you don't always have to have different scopes per API. E.g. if there are two microservices for the same business area, for code size reasons, you might use the same scope for both.

    TOKEN EXCHANGE OPTIONS

    A couple of other options exist for getting new tokens for a user, but they are restricted to backend components, and require a client secret. They don't feel right for your use case:
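The "single token, checked by each API" design from the answer above, as an added example that is not part of the original question or answer. It shows the claim checks each resource server (the two Spring Boot backends in the question, written here in TypeScript so the logic is easy to read) should run after its JWT library has verified the token signature: expected issuer, shared audience, expiry, and then the scopes that particular API requires. The issuer URL, the audience value `api.example.com`, the scope names `orders` and `inventory`, and the sample token payload are all assumptions constructed for illustration, not values from the page or from Okta's defaults.

```typescript
// Added example, not code from the original post. Signature verification is assumed
// to have been done already by the API's JWT library; these are the checks that follow.

export interface AccessTokenClaims {
  iss: string;            // issuer (the Okta authorization server that minted the token)
  aud: string | string[]; // audience; a single value here lets one token serve several APIs
  exp: number;            // expiry, seconds since the Unix epoch
  scope?: string;         // space-separated scopes, as OAuth 2.0 access tokens carry them
  sub?: string;
}

export interface ApiPolicy {
  name: string;
  issuer: string;
  audience: string;
  requiredScopes: string[];
}

export type AuthzResult = { ok: true } | { ok: false; reason: string };

// Validation that is identical for every API: issuer, audience and expiry.
export function validateToken(
  claims: AccessTokenClaims,
  policy: ApiPolicy,
  nowSeconds: number,
): AuthzResult {
  if (claims.iss !== policy.issuer) {
    return { ok: false, reason: `unexpected issuer ${claims.iss}` };
  }
  // aud may be a string or an array; the API's audience must appear in it.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(policy.audience)) {
    return { ok: false, reason: `token not issued for audience ${policy.audience}` };
  }
  if (claims.exp <= nowSeconds) {
    return { ok: false, reason: "token expired" };
  }
  return { ok: true };
}

// Authorization that differs per API: each one checks only the scopes it needs.
export function checkScopes(claims: AccessTokenClaims, required: string[]): AuthzResult {
  const granted = new Set((claims.scope ?? "").split(" ").filter(Boolean));
  const missing = required.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return { ok: false, reason: `missing scope(s): ${missing.join(", ")}` };
  }
  return { ok: true };
}

// What an API's request filter runs before handling a call.
export function authorize(
  claims: AccessTokenClaims,
  policy: ApiPolicy,
  nowSeconds: number,
): AuthzResult {
  const validity = validateToken(claims, policy, nowSeconds);
  if (!validity.ok) {
    return validity;
  }
  return checkScopes(claims, policy.requiredScopes);
}

// Two backends sharing one issuer and audience but requiring different scopes (assumed values).
const ISSUER = "https://example.okta.com/oauth2/default"; // assumption
const AUDIENCE = "api.example.com";                        // assumption

export const ORDERS_API: ApiPolicy = {
  name: "orders",
  issuer: ISSUER,
  audience: AUDIENCE,
  requiredScopes: ["orders"],
};

export const INVENTORY_API: ApiPolicy = {
  name: "inventory",
  issuer: ISSUER,
  audience: AUDIENCE,
  requiredScopes: ["inventory"],
};

// Constructed payload of a single access token requested with "openid profile orders inventory".
export const SAMPLE_CLAIMS: AccessTokenClaims = {
  iss: ISSUER,
  aud: AUDIENCE,
  exp: 1_700_000_900,
  scope: "openid profile orders inventory",
  sub: "user@example.com",
};

export function demo(): void {
  const now = 1_700_000_000;
  for (const api of [ORDERS_API, INVENTORY_API]) {
    console.log(api.name, authorize(SAMPLE_CLAIMS, api, now));
  }
}
```

Because both APIs accept the same issuer and audience, the Angular interceptor from the question can keep attaching the one token to requests for either backend; what changes per API is only the scope check at the end, so a token obtained with just `openid profile orders` is rejected by the inventory service with a specific reason rather than a generic 401.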