Expand my Community achievements bar.

Applications for the 2024-2025 Adobe Experience Manager Champion Program are open!

AEM as Cloud | Protect routes with Okta Authentication


Level 1

I have to implement Okta authentication for certain paths of my application. It's not author authentication, it's user authentication. To be able to access certain path of my website the user has to be authenticated with Okta. And the okta authentication is not SAML, it's the PCKE flow where tokens have to be refreshed every 5 min, etc..

What would be the best way to do it? I initially thought of a Sling Filter to validate on the server side if the user is authenticated and then a client lib with the Okta Auth JS which would handle the token refresh and everything Okta related.  

Is there a better way of doing it that I'm not aware of?

Thanks for any help


Topics help categorize Community content and increase your ability to discover relevant content.

1 Reply




Protecting Routes with Okta Authentication in AEM as Cloud: Securing specific routes in your AEM as Cloud application using Okta authentication involves implementing a combination of server-side and client-side mechanisms. While the approach you outlined using a Sling Filter and the Okta Auth JS client library is feasible, there's a more streamlined and integrated approach that leverages AEM's authentication framework and Okta's OAuth 2.0 authorization code flow (PCKE).

Server-Side Configuration:

  • SAML Authentication Handler: Configure a SAML authentication handler in AEM to act as a proxy for Okta authentication. This handler will redirect users to Okta's login page, handle the OAuth 2.0 PCKE flow, and exchange the authorization code for an access token and ID token.

  • Sling Resource Access Control: Utilize Sling Resource Access Control (Sling RAC) to protect specific routes or resources. Configure Sling RAC rules to restrict access to these protected areas based on the presence of a valid Okta access token.

Client-Side Integration:

  • Okta JavaScript Library: Integrate the Okta Auth JS client library into your AEM application. This library provides methods for initiating the OAuth 2.0 PCKE flow, handling token refresh, and managing user authentication state.


  • Seamless Integration: This approach leverages AEM's built-in authentication framework and Sling RAC, providing a seamless integration with Okta's OAuth 2.0 PCKE flow.

  • Simplified Token Handling: AEM handles token acquisition, refresh, and validation, reducing the complexity of token management on the client-side.

  • Centralized Security Management: Sling RAC provides centralized control over route protection, simplifying security management.

Implementation Steps:

  • Configure SAML Authentication Handler: Create a SAML authentication handler in AEM, specifying Okta as the Identity Provider (IDP) and configuring the necessary parameters for the OAuth 2.0 PCKE flow.

  • Integrate Okta Auth JS: Integrate the Okta Auth JS client library into your AEM application's client-side code. Initialize the library with your Okta configuration details.

  • Protect Routes with Sling RAC: Configure Sling RAC rules to restrict access to specific routes or resources. Require the presence of a valid Okta access token in the request headers for access authorization.

  • Handle Token Refresh: Implement token refresh logic using the Okta Auth JS client library. Refresh the access token before it expires to maintain user authentication.

  • Test and Verify: Thoroughly test the implementation to ensure that routes are correctly protected and Okta authentication is working as expected.

Kautuk Sahni