Create access policies

Access policies control which clients can interact with an authorization server. They also include access rules, such as allowing only specific scope requests.

  1. Select the name of the authorization server that the policy belongs to.
  2. Go to Access Policies > Add New Access Policy.
  3. Enter a name in the Name field.
  4. Enter a description in the Description field.
  5. Assign the policy to all clients, or select The following clients and then enter the names of the clients in the field.

Create rules for each access policy

Rules control which combinations of client, user, grant type, and scope a policy allows, and what tokens are issued for them. For example, you can specify an access policy rule that if the user is assigned to a client, then the custom scope Scope1 is valid.

When you create a rule, Okta assigns it the lowest priority of the rules in that policy. This ensures that it doesn't interfere with requests that match the existing rules; if the new rule is meant to take precedence over an existing one, move it up in the priority order after you create it.

  1. Choose the name of an authorization server, and select Access Policies.
  2. Choose the name of an access policy, and select Add Rule.
  3. Enter the following information:
    • Rule Name

    • IF Grant type is: Select the grant types that you want to use. Click Advanced to see more grant types. See Configure Direct Authentication grant types for descriptions of each grant type.

      • Select the Client-initiated backchannel authentication flow (CIBA) option if this rule should apply to requests that use the CIBA grant type.

    • AND User is: This option appears only if you select a grant type under Client acting on behalf of a user. You can choose Any user assigned to the app, or narrow the condition to specific users or groups. Service apps (client credentials flow) have no user, so a user condition can never match them. If any of your clients use this flow, make sure that the policy has at least one rule with the condition No user; otherwise their token requests match no rule and are rejected.

    • AND Scopes requested: Choose the scopes that this rule allows (any scopes, or a list that you specify) when the request meets the rule's other conditions. Scopes outside the list aren't granted by this rule, so listing only the scopes a client needs is the main place to enforce least privilege.

    • THEN Use this inline hook: If applicable, choose an inline hook. See Inline hooks.

    • AND Access token lifetime is: Choose the length of time before an access token expires.

    • AND Refresh token lifetime is: Choose the length of time before a refresh token expires (or Unlimited). Also enter the period within which the refresh token must be used to stay valid: each use restarts this window, and a refresh token that goes unused for the whole window expires early, regardless of its overall lifetime. Shorter lifetimes and windows limit how long a leaked token remains usable, at the cost of more frequent re-authentication.

      The unused-window period must fall between the access token lifetime and the refresh token lifetime: it can't be shorter than the access token lifetime or longer than the refresh token lifetime. The maximum period is five years.

  4. Click Create Rule.
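The two procedures above, creating a policy and then its rules, can also be done against the Okta Authorization Servers API. The following is an added example, not Okta's own code and not something from this page: it builds the policy and rule request bodies, checks the token-lifetime constraints stated above before anything is sent, and checks that a policy serving service apps has a rule that admits the client credentials grant. The endpoint paths and JSON field names (`OAUTH_AUTHORIZATION_POLICY`, `RESOURCE_ACCESS`, `accessTokenLifetimeMinutes`, `refreshTokenLifetimeMinutes`, `refreshTokenWindowMinutes`, `ALL_CLIENTS`, `EVERYONE`) follow the public Okta API reference; verify them against the current reference before use. The client and authorization server IDs are hypothetical, and five years is assumed to mean 5 × 365 days.

```python
"""Build and sanity-check Okta access policy and rule request bodies.

Added example, not Okta's code. Paths and field names follow the Okta
Authorization Servers API (POST /api/v1/authorizationServers/{id}/policies and
.../policies/{policyId}/rules); the lifetime limits are the ones stated on the
page. Assumptions are marked in comments."""
import json

MINUTES_PER_DAY = 24 * 60
FIVE_YEARS_MINUTES = 5 * 365 * MINUTES_PER_DAY  # assumption: 365-day years
UNLIMITED = 0  # value the API uses for an unlimited refresh token lifetime


def policy_body(name, description, client_ids=None, priority=1):
    """Access policy for all clients (client_ids=None) or for the listed client IDs."""
    include = ["ALL_CLIENTS"] if client_ids is None else list(client_ids)
    return {
        "type": "OAUTH_AUTHORIZATION_POLICY",
        "status": "ACTIVE",
        "name": name,
        "description": description,
        "priority": priority,
        "conditions": {"clients": {"include": include}},
    }


def lifetime_errors(access_min, refresh_min, window_min):
    """Constraint violations for a rule's token settings (empty list means OK).
    window_min is the period within which the refresh token must be used; it must
    fall between the access token lifetime and the refresh token lifetime and may
    not exceed five years."""
    errors = []
    if access_min <= 0:
        errors.append("access token lifetime must be positive")
    if window_min < access_min:
        errors.append("refresh token window is shorter than the access token lifetime")
    if refresh_min != UNLIMITED and window_min > refresh_min:
        errors.append("refresh token window is longer than the refresh token lifetime")
    if window_min > FIVE_YEARS_MINUTES:
        errors.append("refresh token window exceeds the five-year maximum")
    return errors


def rule_body(name, grant_types, scopes=("*",), group_ids=("EVERYONE",),
              access_min=60, refresh_min=UNLIMITED, window_min=7 * MINUTES_PER_DAY,
              inline_hook_id=None, priority=1):
    """Rule: IF grant type / AND user in groups / AND scopes requested,
    THEN token lifetimes (and an optional inline hook). Raises on bad lifetimes."""
    errors = lifetime_errors(access_min, refresh_min, window_min)
    if errors:
        raise ValueError("; ".join(errors))
    token = {
        "accessTokenLifetimeMinutes": access_min,
        "refreshTokenLifetimeMinutes": refresh_min,
        "refreshTokenWindowMinutes": window_min,
    }
    if inline_hook_id:
        token["inlineHook"] = {"id": inline_hook_id}
    return {
        "type": "RESOURCE_ACCESS",
        "status": "ACTIVE",
        "name": name,
        "priority": priority,
        "conditions": {
            # Service apps (client_credentials) have no user; the group condition is
            # left at EVERYONE, as in Okta's own default rule, and is moot for them.
            "people": {"groups": {"include": list(group_ids), "exclude": []},
                       "users": {"include": [], "exclude": []}},
            "grantTypes": {"include": list(grant_types)},
            "scopes": {"include": list(scopes)},
        },
        "actions": {"token": token},
    }


def covers_service_apps(rules):
    """True if at least one rule admits the client_credentials grant, i.e. the
    'No user' rule that service apps need. Without it their token requests
    match no rule and are rejected."""
    return any("client_credentials" in r["conditions"]["grantTypes"]["include"]
               for r in rules)


def requests_for(auth_server_id, policy, rules, policy_id="{policyId}"):
    """(method, path, body) tuples to send in order. policy_id is the id returned
    by the policy POST; a placeholder is used here because this runs offline."""
    base = f"/api/v1/authorizationServers/{auth_server_id}/policies"
    out = [("POST", base, policy)]
    out += [("POST", f"{base}/{policy_id}/rules", r) for r in rules]
    return out


if __name__ == "__main__":
    # Constructed sample with hypothetical IDs: a policy for two clients, a user
    # rule limited to two scopes, and a separate rule for service apps.
    policy = policy_body("Orders API policy", "Clients of the orders API",
                         client_ids=["0oaExampleClient1", "0oaExampleClient2"])
    user_rule = rule_body("Users via auth code", ["authorization_code"],
                          scopes=["orders:read", "offline_access"],
                          access_min=30, refresh_min=90 * MINUTES_PER_DAY,
                          window_min=7 * MINUTES_PER_DAY)
    svc_rule = rule_body("Service apps", ["client_credentials"],
                         scopes=["orders:read"], access_min=15, priority=2)
    assert covers_service_apps([user_rule, svc_rule])
    for method, path, body in requests_for("ausExampleServer", policy, [user_rule, svc_rule]):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Run it to print the request bodies that the admin-console steps produce, then send them with your usual Okta API client (an SSWS or OAuth-for-Okta bearer token in the Authorization header). Keep the lifetime check in any automation that manages these policies: the console rejects an inconsistent refresh token window at save time, and a script should fail the same way before the POST rather than after.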