Okta Authentication and OAuth to secure API

Question

I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?

What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.

Do you think this is the best way to do this using Okta?

Thanks!

Answer 1

08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs

As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient ( https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless ) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.

Original answer: I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).

We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.

Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.