# general

salmon-island-58827

04/23/2022, 3:33 PM
What Ory solution would be best here (fosite, hydra, or kratos)? Also looking for advice on overall OAuth2 setup.

- Company uses Okta for SSO
- We have a react.js SPA
- We have a headless REST based API
- We want to secure our API as well and provide auth via users through Okta as well as access from external systems (client credentials).

Our SPA is currently set up with PKCE and we are working out details of securing the API side of things using OAuth2. We'd ideally like the token generation to be consistent regardless of coming from Okta or via client credentials flow. I'm not exactly clear here in understanding, but from reading around it seems like our UI would first retrieve a token from Okta through OIDC PKCE flow, then use that to exchange for a token generated by our auth service by calling something like `/oidc/okta/login` to kick start the OAuth2 flow. This endpoint would handle verifying the client's key with Okta and then generating a new access token for the client to use against the API. For client credentials, we would have something like a generic OAuth2 handler; the initiate URL would be `/oa/login`.

Does this seem correct? If so, what would be the best fitting Ory solution here?
swift-chef-97535

04/23/2022, 6:33 PM
@salmon-island-58827 Are you trying to write a login/sign up for the SPA, or are you looking for service authorization, or rule based API protection, or SSO? Ory does all of the above. We are not Okta experts at Ory, but many in the community used Okta in the past.
salmon-island-58827

04/23/2022, 6:36 PM
We already have a corporate sign in page and our SPA is already hooked up to sign in through OIDC + PKCE flow. No need for a solution to host a UI or be the IDP. What's missing is auth on the API side. I'm not clear on the flow and setup needed to have UI login through OIDC and use that identity to retrieve authorization into our API. It seems like we need an endpoint on our auth API to take an Okta token, verify it, then if valid exchange it for an application access token.