Authentication and authorization are essential to application development. Whether you are developing an internal IT app for your employees, building a portal for your partners, or exposing a set of APIs for developers building apps around your resources, you need the right authentication and authorization support for your projects. With Okta, you can control access to your application using both OAuth 2.0 and OpenID Connect. Use Okta as your authorization server to retain all of your user information and grant users tokens to control their authorization and authentication.

Note: Okta's Developer Edition makes most key developer features available by default for testing purposes. Okta's API Access Management product, a requirement for using Custom Authorization Servers, is an optional add-on in production environments.

What is an authorization server

At its core, an authorization server is simply an engine for minting OpenID Connect or OAuth 2.0 tokens. An authorization server is also used to apply access policies. Each authorization server has a unique issuer URI and its own signing key for tokens, which keeps a proper boundary between security domains: a token is valid only for the server that issued it and for the resource servers configured to trust that issuer.

What you can use an authorization server for

You can use an authorization server to perform Single Sign-On (SSO) with Okta for your OpenID Connect apps. You can also use an authorization server to secure your own APIs and provide user authorization to access your web services.

OpenID Connect is used to authenticate users with a web app. The app uses the ID token that is returned from the authorization server to know that a user is authenticated and to obtain profile information about the user, such as their username or locale.

OAuth 2.0 is used to authorize user access to an API. The resource server uses the access token to determine a user's level of authorization. When using OpenID Connect or OAuth 2.0, the authorization server authenticates a user and issues an ID token and/or an access token.

Note: You can't mix tokens between different authorization servers. By design, authorization servers don't have trust relationships with each other, so a resource server must validate tokens against the issuer URI and signing key of the one authorization server it is configured to trust.

Okta has two types of authorization servers: the Org Authorization Server and the Custom Authorization Server.

Org Authorization Server

Every Okta org comes with a built-in authorization server called the Org Authorization Server. You use the Org Authorization Server to perform SSO with Okta for your OpenID Connect apps or to get an access token for the Okta APIs. The base URL for the Org Authorization Server is your Okta org URL. You can't customize this authorization server with regards to audience, claims, policies, or scopes. Additionally, the resulting access token's issuer is the org URL itself, which indicates that only Okta can consume or validate it. The access token can't be used or validated by your own applications.

Org Authorization Server discovery endpoints

The following discovery endpoints return OpenID Connect or OAuth 2.0 metadata related to your Org Authorization Server. Clients can use this information to programmatically configure their interactions with Okta.

OpenID: the OpenID Connect discovery document for the Org Authorization Server
OAuth: the OAuth 2.0 authorization server metadata document for the Org Authorization Server

Custom Authorization Server

You use a Custom Authorization Server to create and apply authorization policies to secure your APIs. An access token that is minted by a Custom Authorization Server is consumed by your APIs.

Okta allows you to create multiple Custom Authorization Servers within a single Okta org that you can use to protect your own resource servers.

Within each authorization server, you can define your own custom OAuth 2.0 scopes, claims, and access policies to support authorization for your APIs. Okta provides a pre-configured Custom Authorization Server called default. It includes a basic access policy and a rule to quickly get you started. For simple use cases, this out-of-the-box Custom Authorization Server is usually all that you need.
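As an added example (not Okta's code and not part of the original page), here is the resource-server side of the boundaries described above: the API trusts exactly one Custom Authorization Server, verifies signatures with that server's own key, checks the audience and scopes configured on that server, and therefore rejects tokens minted by the Org Authorization Server or by a second Custom Authorization Server in the same org. The org URL, authorization server IDs, audience, scope names and signing keys are constructed for the example, and HS256 secrets stand in for the RS256 keys that Okta publishes at each server's jwks_uri so the code runs with the standard library alone.

```python
"""Resource-server token check: one trusted authorization server, its own key, its scopes.

Added example; not Okta's code. All URLs, IDs, audiences, scopes and keys are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values. Okta's Org Authorization Server uses the org URL as its issuer;
# the Custom Authorization Server issuers below are hypothetical.
ORG_URL = "https://example.okta.com"
ORG_ISSUER = ORG_URL
API_ISSUER = ORG_URL + "/oauth2/ausapi0000"        # hypothetical Custom AS protecting our API
OTHER_ISSUER = ORG_URL + "/oauth2/ausother00"      # another, unrelated Custom AS in the same org
API_AUDIENCE = "api://inventory"                   # hypothetical audience set on API_ISSUER

# Each authorization server signs with its own key. Okta publishes RS256 public keys at
# each server's jwks_uri; HS256 secrets stand in so the example runs with the stdlib only.
SIGNING_KEYS = {
    ORG_ISSUER: b"org-server-signing-key",
    API_ISSUER: b"api-server-signing-key",
    OTHER_ISSUER: b"other-server-signing-key",
}


class TokenRejected(Exception):
    """Raised with a short reason whenever a token must not be accepted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, claims: dict) -> str:
    """Test fixture: mint a compact JWT signed with the named server's key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(SIGNING_KEYS[issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_access_token(token, *, issuer, audience, required_scope, now=None):
    """Validate an access token for a resource server that trusts exactly one issuer.

    The key is chosen from the configured issuer, never from anything the token claims,
    so tokens minted by any other authorization server fail the signature check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                # reject "none" and algorithm swaps
        raise TokenRejected("unexpected alg")
    expected = hmac.new(SIGNING_KEYS[issuer], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify with the trusted issuer's key")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise TokenRejected("token expired")
    if required_scope not in claims.get("scp", []):  # Okta carries granted scopes in "scp"
        raise TokenRejected(f"missing scope {required_scope}")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Exercise the cases from the text and report the verdict for each."""
    good = {"sub": "user@example.com", "aud": API_AUDIENCE, "exp": now + 3600, "scp": ["inventory.read"]}
    cases = {
        "custom_as_token": mint_token(API_ISSUER, good),
        "org_as_token": mint_token(ORG_ISSUER, {**good, "aud": ORG_URL}),
        "other_custom_as_token": mint_token(OTHER_ISSUER, good),
        "wrong_scope": mint_token(API_ISSUER, {**good, "scp": ["inventory.write"]}),
        "expired": mint_token(API_ISSUER, {**good, "exp": now - 1}),
    }
    # Same payload as the good token, but with the signature stripped and alg set to "none".
    _, payload_b64, _ = cases["custom_as_token"].split(".")
    cases["alg_none"] = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "." + payload_b64 + "."
    results = {}
    for name, token in cases.items():
        try:
            verify_access_token(token, issuer=API_ISSUER, audience=API_AUDIENCE,
                                required_scope="inventory.read", now=now)
            results[name] = "accepted"
        except TokenRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Only the token from the configured Custom Authorization Server with the right audience, scope and lifetime is accepted; the Org Authorization Server token and the token from the other Custom Authorization Server fail at the signature step because the API never looks up a key for any issuer other than the one it trusts. In production the issuer and jwks_uri come from the discovery document of the server you trust, and the signature check uses the RS256 public key whose kid matches the token header rather than a shared secret.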