Reputation: 119
Spring Boot with Apigee and Okta
I have been exploring APIgee and okta configuration using https://github.com/tom-smith-okta/okta-api-center repo. Here APIgee edge acts as a gateway to https://okta-solar-system.herokuapp.com/ api’s and the token for authentication is generated via okta. My understanding is that https://okta-solar-system.herokuapp.com/ doesnt have any okta authentication enforcement. The check is via apigee.
If I were to replace https://okta-solar-system.herokuapp.com/ with a spring boot application hosted publicly should the application have okta security enabled (eg : https://github.com/oktadeveloper/okta-spring-boot-oauth-example) or should i follow same procedure as above and delegate enforcement of token to apigee, without any security enforcement on the spring boot application?
Can someone tell me what is the standard way of implementation I should follow?
Upvotes: 1
Views: 2960
Answers (1)
Reputation: 13619
If the spring boot application has no enforcement of security, what is to prevent someone from bypassing the Apigee API gateway and calling it directly?
If you have successfully managed to secure the spring boot application so that only the API gateway can communicate with it (via mutual TLS connection, IP allow listing, etc), you might be able to forego any enforement at the service level, but I would recommend doing some authorization checks in the service itself.
Upvotes: 1
Related Questions
- Implementing Okta - Angular SPA + SpringBoot + Oauth2
- how to do Okta SSO Integration with SpringBoot app? and all user management would be on Okta's Side
- Springboot application with 3rd Party API
- After successful OKTA login spring boot application enters a infinite loop
- Spring boot API end point issue
- Get 401: Invalid Token After install okta-spring-boot-starter
- How to Autowire a OkHttpClient bean in Spring Boot?
- Spring okta oauth2 properties using spring cloud vault
- Spring Boot aspect doesn't work in my API
- How to use Okta with Keycloak?