Build authorization servers
API access management may include building custom authorization servers in Okta. Use these custom servers to create and apply authorization policies to secure your API endpoints. See Available authorization server types.
An authorization server defines your security boundary, for example “staging” or “production.” Within each authorization server, you can define your own OAuth scopes, claims, and access policies. Your apps and your APIs use a central authorization point to leverage the identity features of Okta, such as Universal Directory for transforming attributes, controlling adaptive MFA for end-users, logging system events and generating analytic data.
At its core, an authorization server is simply an engine for minting OAuth 2.0 tokens. Each authorization server has a unique issuer URI and its own signing key for tokens. This keeps a proper boundary between security domains.
Before you begin
How do you know whether to use Okta’s Org Authorization Server or a custom authorization server?
Use a custom server if:
- You need to protect non-Okta resources.
- You need different authorization policies that depend on whether the person is an employee, partner, end user, or other similar specializations.
If your employees, partners, and users can all use the same authentication policies for single sign-on, try the built-in Org Authorization Server.
To manage custom authorization between clients and Okta:
- Identify the scopes and claims in your client app and register it with Okta.
- Create one or more authorization servers and define the scopes and claims to match those expected by your app.
The client app must recognize the scope names and be expecting the claims as defined in the authorization server.
|Create an authorization server||
Use custom authorization servers to manage access between Okta and client applications.
|Create API access scopes||Scopes represent high-level operations that can be performed on your API endpoints.|
|Create API access claims||Token claims are statements about the subject, or another subject, for example name, role, or email address.|
|Create access policies||Access policies control what, and in which ways, clients can use the authorization server.|
Issue API calls to test the authorization server. You can also preview tokens.
Keys are rotated automatically by default. However, if needed, you can set an authorization server to allow administrators to rotate keys manually.
How to delete a server.