Hello,
We are working on integrating SSO into our system, which consists of an Angular front-end, a React Native mobile app, and a Node.js backend. We want users to authenticate via SSO but retain the authorization logic on our backend.
Currently, without SSO, users log in with a username and password from the front/mobile app, and the backend returns a JWT for further API calls.
With SSO, I’m unsure how to handle this scenario:
- Should we initiate the authorization flow from the SPA, obtain an authorization code, send it to the backend, and have the backend exchange it for a token using the client_secret? This would allow us to then return our own JWT.
- Alternatively, should we implement the Authorization Code flow with PKCE, pass the authorization header to the backend, and have the backend call the /userinfo endpoint to verify the user’s identity before returning the JWT?
Which approach would you recommend for this setup?
Thank you in advance for your help.