I have a Kong gateway setup with the kong-oidc plugin, hoping that it will be able to validate the access token sent from the UI application. My UI is a React SPA, and it handles OAuth2 authentication on the client side itself by using the PKCE flow. Having said that, the SPA received the access token without any involvement of the Kong setup and is therefore not using any Kong session cookie for authentication.
Is there any fault in the above setup or concept? Now I am having an issue of hitting the rate limit in the IDP, which is Okta. Probably the kong-oidc plugin is making a call to Okta on every request to check whether the token is valid or not.
Please help me by giving a direction on whether I should use the Kong authentication session cookie instead of the access token acquired by the SPA, or on the best setup standard to work with SPA applications.