Build authentication with OAuth 2.0

OAuth 2.0 is a protocol that allows you to grant limited access to resources on a third-party site without having to expose your credentials to Workflows. Before beginning the OAuth process, you must first register a new application with the service. The Redirect URL for your development environment is listed in the Credentials section of the authentication form.

To add OAuth 2.0 authentication:

  1. Click the Overview tab.

  2. Click Set up authentication.

  3. From the Authentication dialog, in the Auth Type dropdown, select OAuth 2.0.

  4. Add values to the following fields:

Paths

Base URL: This is the root URL for the service’s authentication endpoints (for example, https://account.box.com/api/oauth2). This optional field serves as the base endpoint for any other paths that you want to append.

Authorize Path: The authorization path for the service. This field can be a path (for example, /authorize) or, if Base URL isn't specified, a full URL (for example, https://account.box.com/api/oauth2/authorize).

Token Path: The URI where a flow can exchange an authorization code for access and refresh tokens. This field can be a path (for example, /token) or, if Base URL isn't specified, a full URL (for example, https://account.box.com/api/oauth2/token).

Refresh Token Path (Optional): The refresh token path is often the same as the access token path. However, if your service uses a separate endpoint for refreshing the access token, enter it here. For example, /token.

Credentials

Redirect URLs: When registering a new app, you usually register basic information such as the application name or website. In addition, you must register a redirect URL to be used for redirecting authentication back to Okta Workflows. Use the following Redirect URLs to connect to Okta preview and production sites, respectively:

https://oauth.workflows.oktapreview.com/oauth/{{auth.connector_key}}/cb and https://oauth.workflows.okta.com/oauth/{{auth.connector_key}}/cb

Your connector key can be found on the Settings page.

Client Ownership: Determines the type of user who manages the OAuth application. Options are Developer and Customer.

  • Developer: The connector builder creates the application and manages its settings. The connector builder also supplies the values for the Client ID and Client Secret fields.

  • Customer: The end user of the application manages it and provides the values for the Client ID and Client Secret fields. If you choose this option, the Client ID and Client Secret fields are automatically added to the New Connection dialog.

Client ID: A publicly exposed string provided by the service that is used to identify the OAuth application and build authorization URLs.

Client Secret: A private value provided by the service that is used to authenticate the identity of the application to the service.

Scopes (Optional)

Scopes: Scopes specify the precise level of access provided to Workflows. To verify whether a special scope is needed to retrieve a refresh token (such as refresh_token or offline_access), see your API documentation. For a Custom API Action (CAPIA) card to hit all endpoints on an API, typically all scopes must be enabled in your app.

Scopes Delimiter: Specify a delimiter for how scopes are separated. Multiple scopes are often space or comma separated, but this can depend on the service. Options are space and comma.

Parameters (Optional): Parameters allow you to collect any additional information from the connector user that may be necessary for authentication, such as instance or subdomain. These fields are presented to the user when they first create a connection and are required.

Label: Display name that shows on the New Connection dialog when configuring the connector.

Key: Text value in the key-value pairing that is used by the service. For example, api_key, application_key, or authentication.

Type: Three different field types are available.

  • Text: A plain text field is presented to the user. This is an open text field with no redaction.

  • Password: A redacted text field. The user can't see what is entered into this field.

  • Dropdown List: A manually created dropdown of values for the user to select.

Config Values (Optional): Other configuration values may be needed to define how a user authenticates to your connector. You can add values in this section.

Label: Display name for the configuration value that shows on the New Connection dialog when configuring the connector.

Definition: Indicate whether this field is populated with a static value or a value from a helper flow:

  • For Static Value, enter the value in the Value field.

  • For Value from Helper Flow, select a flow from the Choose Flow dialog.

Type: Two different field types are available.

  • Text: A plain text field is presented to the user. This is an open text field with no redaction.

  • Password: A redacted text field. The user can't see what is entered into this field.

The Visible toggle determines whether the configuration value appears in the authentication dialog for the connector.
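
How the Base URL, Authorize Path, Scopes, Scopes Delimiter and Redirect URL fields above combine into a standard OAuth 2.0 authorization request, as an added example (not Okta's code). The config key names, client ID, connector key and scope names are constructed, and the https check is an added validation rather than a rule stated on this page.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Redirect URL patterns from this page; {key} stands for the connector key.
REDIRECT_URLS = {
    "preview": "https://oauth.workflows.oktapreview.com/oauth/{key}/cb",
    "production": "https://oauth.workflows.okta.com/oauth/{key}/cb",
}
DELIMITERS = {"space": " ", "comma": ","}

# Constructed sample values (hypothetical key names, not a Workflows export format).
SAMPLE_CONFIG = {
    "base_url": "https://account.box.com/api/oauth2",
    "authorize_path": "/authorize",
    "client_id": "example-client-id",
    "connector_key": "example-connector-key",
    "scopes": ["read", "offline_access"],
    "scopes_delimiter": "space",
}

def resolve_endpoint(base_url, path):
    """Use `path` as-is when it is a full URL, otherwise append it to the Base URL."""
    if urlsplit(path).scheme:
        url = path
    elif base_url:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
    else:
        raise ValueError(f"{path!r} is relative but no Base URL is set")
    parts = urlsplit(url)
    # Added check (assumption): reject endpoints that would carry codes or tokens over plain HTTP.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"endpoint must be an absolute https URL: {url!r}")
    return url

def build_authorize_url(cfg, env, state=None):
    """Return (url, state) for an authorization-code request (RFC 6749, section 4.1.1)."""
    state = state or secrets.token_urlsafe(32)  # unguessable value tying the callback to this request
    query = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URLS[env].format(key=cfg["connector_key"]),
        "state": state,
    }
    if cfg.get("scopes"):
        query["scope"] = DELIMITERS[cfg["scopes_delimiter"]].join(cfg["scopes"])
    return resolve_endpoint(cfg.get("base_url"), cfg["authorize_path"]) + "?" + urlencode(query), state

if __name__ == "__main__":
    print(build_authorize_url(SAMPLE_CONFIG, "preview")[0])
```

The redirect_uri sent here must match the Redirect URL registered with the service, and the state value returned alongside the URL is what the callback handler compares against before exchanging the code at the Token Path.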

Next step

Add option fields to connector cards