My problem boils down to the use of Okta's access tokens to secure an API endpoint.
I followed this Okta guide to set up a React single-page application with their widget.
When I log into the site I get an access token to use with my API.
I tried to access my API with the access token following this guide.
On the API side, Okta recommended verifying the access token. When I use their
OktaJwtVerifier to verify the token I am faced with a question. How does this verifier know that I gave them the token from an authorized state and not from someone hijacking the token?
The verifier supposedly asserts that:
- Signature is valid
- Access token is not expired
- The aud claim matches any expected aud claim passed to verifyAccessToken().
- The iss claim matches the issuer the verifier is constructed with.
- Any custom claim assertions that you add are confirmed
But the validator does not know where the token came from.
I noticed that the access token gets saved into
Does this not open up an impersonation attack on the access token? Suppose someone got access to the localStorage and used the access token on my API without authenticating. I tested if this would work and it did.
How can I prevent someone from stealing and using my access token without authenticating?