okta / samples-nodejs-express-4

Express 4 samples. Will publish an artifact that can be consumed by end-to-end sample repos

use cURL for protected endpoint #86

Open pinpom opened 4 years ago

pinpom commented 4 years ago

Regarding your "sample-web-server.js" for Okta-hosted login: if I want to send a cURL request to your protected endpoint (the /profile endpoint), do I need an access token and then include it as an Authentication Bearer token inside the cURL request? Or what kind of token do I need?

swiftone commented 4 years ago

The main server is written with the assumption that you are serving browser clients. It relies on the browser to obtain the token and save it to the browser, which can then use the token both in handling requests for web pages and in passing it along to backend servers.

It sounds like you are interested in the backend server portion ("resource server" in OIDC terminology). For an example of that, see https://github.com/okta/samples-nodejs-express-4/blob/master/resource-server/server.js

In this case, the token is sent as a header (authorization) with the value Bearer TOKEN_VALUE_HERE

The resource server can then verify that token (which is a JWT) to decide if the call is authorized.