I have a static React app which users log in to via an Okta SPA app.
The app receives a JWT, which is stored in the browser and passed to the backend API via the Authentication
header on every request.
The API uses Azure API Management, which provides "policies" to validate JWT tokens:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="JWT Token invalid" require-scheme="Bearer">
    <openid-config url="https://dev-999999.okta.com/oauth2/default/.well-known/oauth-authorization-server" />
    <audiences>
        <audience>api://default</audience>
    </audiences>
    <issuers>
        <issuer>https://dev-999999.okta.com/oauth2/default</issuer>
    </issuers>
</validate-jwt>
I assume that the "validation" uses a public key (obtained via the OpenID configuration URL?) to check that the JWT was signed by my Okta app, and that it wouldn't be possible to spoof a JWT in a way that would pass this validation?
If that's the case, is it secure to rely on this validation alone, or are additional requests to Okta needed? I was hoping to use additional "group" claims on the token to manage RBAC.
I think I understand how this works (more or less), but I just wanted to make sure I'm not overlooking something.