Skip to main content

Okta Custom Authorization Server

"Okta, is identity and access management cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.."


This guide is for the creation of a custom authorization server used to protect your own resource server which is distinctively different from accessing Okta’s own APIs. Okta refers to this as API access management and is an optional add-on in production environments.

NOTE: In order to access Okta’s own APIs your application will require to be configured for private_key_jwt auth which is not related to this guide.


Reference: Create an authorization server, Client Credentials flow for your app, Create Scopes.

Pre-Requisites: Okta Developer Edition organization, An app that you want to implement OAuth 2.0 authorization with Okta

Before you can implement authorization, you need to register your app in Okta by creating an app integration from the Admin Console.

  1. Open the Admin Console for your org.
  2. Choose Applications > Applications to view the current app integrations. Click Create App Integration. Create App Integration
  3. Select API Services as the Sign-in method. Click Next. New App Integration
  4. Enter the app integration name, then click Save. New Api Integration
  5. On the General tab, the Client Credentials section copy the Client ID and Client secret values. Client API id and secret
  6. Click on the top right menu that has your email, in the dropdown copy the Tenant ID just above the My settings link. It will have a unique value followed by the domain. Tenant Id
  7. Go to Security > API.* On the Authorization Servers tab, click the name of the authorization server (e.g., default). Client API id and secret
  8. Click the Scopes tab and click Add Scope*. Scopes* The Client Credentials flow never has a user context so you will need to Create custom scopes.
  9. Enter a Name, Display phrase, and Description.

Configuring Okta Custom Authorization Server OAuth Credentials in crul

Navigate to the credentials page in crul (top right corner menu credentials).

Crul Credentials > Workday

Click the create button.

Select OAuth Provider (Client Credentials) -> Okta Custom Authorization Server from the type and select provider dropdowns.

OAuth Provider (Client Credentials) -> Okta Custom Authorization Server

Enter the Okta Tenant ID previously copied value for the domain of the Token host into the credentials form entry.

Enter the Client Id, Client Secret and previously copied values into credentials form entry.

Click the create button.

OAuth > Okta tenant id, client id, client secret

Test the credential by running the following query. You should see a populated token.access_token column in the results.

oauth --credential "oktacustomserver"

OAuth > Okta access token