Okta architecture for VueJS SPA (Azure Static Web App) and separate ASP.NET Core Web API (Azure app

190 views 1 replies

I am curious of the correct authentication/authorization setup for using Okta. My requirement is I want to use the Okta sign on widget so I can host the sign on experience on my web page. I do not want my frontend or anyone to be able to access my web api controllers unless they have been authenticated via my frontend SPA. My frontend is a VueJS SPA and this is hosted using azure static web app under my primary domain. Then this frontend pulls data from my backend API via axios/fetch calls which is a ASP.NET Core Web API hosted on Azure app services under a separate domain. This API does call other APIs (MS Graph API) but only as a service account so there is nothing being done on behalf of the signed in user. Despite my frontend and my backend being separate domains and hosted separately, they do work together in a sense to make a complete web application. So should i be choosing OIDC - OpenID Connect and then Web application for type?

Or should I need to create two separate applications in Okta one for service API for my web api and then the other OIDC and the type being set to SPA?

Any other settings I should check to meet the requirements above?

Replies (1)

Your architecture and security goals are quite standard — and your thinking is on the right track. Here's a clear breakdown of how to set up Okta for a VueJS SPA (hosted on Azure Static Web Apps) and a separate ASP.NET Core Web API (hosted on Azure App Service).


✅ TL;DR — What You Need

You should create two separate applications in Okta:

App Type Purpose Okta Type
VueJS SPA Frontend authentication via Sign-In Widget OIDC → Single Page App (SPA)
ASP.NET Core Web API Backend authorization via access tokens OIDC → Service (Resource Server)

This gives you secure authentication on the frontend and enforces access token validation on the backend.


🔐 Goals Recap

You want:

  1. A Sign-in Widget hosted on your VueJS SPA.

  2. Only users who authenticate via the SPA should access your ASP.NET Core API.

  3. The API does not act on behalf of users, only service account access to MS Graph.

  4. Backend and frontend are hosted on separate domains (CORS matters here).


🔧 Step-by-Step Architecture

1. Frontend (VueJS SPA on Azure Static Web App)

  • Register an OIDC SPA App in Okta:

    • App Type: Single Page App

    • Sign-in Redirect URI: https://yourdomain.com/callback

    • Allowed Origins: https://yourdomain.com

  • Use Okta Sign-In Widget in your Vue app.

  • Store the access token (in memory or secure storage).

  • Use this token in every axios/fetch call to your backend.

✅ At this stage:

  • User signs in via the widget.

  • You get an access_token and possibly id_token.


2. Backend (ASP.NET Core Web API)

  • Register a Service / API App in Okta:

    • App Type: Resource Server

    • Assign an Audience (aud) value (e.g. api://mybackend).

  • In your ASP.NET Core Web API:

    • Validate JWT access tokens from the frontend using Okta’s public keys.

    • Use middleware like:

services.AddAuthentication(options => {
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options => {
    options.Authority = "https://{yourOktaDomain}/oauth2/default";
    options.Audience = "api://mybackend"; // Must match what's set in Okta
});

✅ This ensures that your API only responds to requests with a valid access token issued by Okta.


3. Secure Frontend-to-Backend Communication

  • From VueJS, send the access token as a Bearer token:

axios.get("https://mybackend.azurewebsites.net/api/data", {
  headers: {
    Authorization: `Bearer ${accessToken}`
  }
});
  • CORS: On your backend, allow CORS for https://yourfrontenddomain.com.


4. Calling Microsoft Graph as Service Account (Optional)

Since the API calls MS Graph independently, you can:

  • Register an Azure AD App for the backend.

  • Use client credentials flow (not user-based).

  • No Okta involvement is needed here.


⚠️ Important Settings to Check

  • On Okta SPA App:

    • Enable CORS for your domain.

    • Redirect URIs and Logout URIs should match your frontend.

  • On Okta API App:

    • Set a unique audience string.

    • Assign scopes (e.g., api.read, api.write) that the frontend app can request.


✅ Final Summary

Component Okta App Grant Type Purpose
VueJS SPA SPA OIDC App Implicit or Authorization Code with PKCE Authenticates user & gets token
ASP.NET Core Web API Resource Server Token validation via JWT Authorizes requests
MS Graph Calls Azure AD App Client credentials Service-only

Let me know if you'd like:

  • Example okta-auth-js or Sign-In Widget setup in Vue

  • Sample axios integration with tokens

  • ASP.NET Core middleware configuration

Happy to provide full code snippets.


CCI Pro

Leave a Reply

Your are not logged in . Please login to post replies

Click here to Login / Register