My Spring Boot app functions as the backend for a Single Page Application (SPA). Authentication occurs within the SPA (using OAuth with PKCE via Okta), which then sends an accessToken to the backend. The backend successfully receives the accessToken in the header for authentication, and the current configuration appears as follows:
return http.httpBasic((AbstractHttpConfigurer::disable))
.formLogin((AbstractHttpConfigurer::disable))
.csrf(AbstractHttpConfigurer::disable)
.logout((AbstractHttpConfigurer::disable))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(it -> it.anyRequest().authenticated())
.cors(Customizer.withDefaults())
.oauth2ResourceServer(it -> it.jwt(Customizer.withDefaults()))
.build();
However, now I need IdToken from this token in Spring app. How, do I get IdToken from this accessToken when I do this
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// In this case authentication is instance of JwtAuthenticationToken.
Since I'm using Okta, I'm aware I can make API calls to the userinfo endpoint using the accessToken. However, I'm curious if there's another way to accomplish this in Spring Boot.
You can't derive idToken from accessToken.
You SPA should request it from Okta (though this may be happening already) and then explicitly send it to your Spring Boot app.