API custom scope scalability

We want to protect internal APIs for the machine-to-machine use-case. The clients for the API would have different privileges so using scopes seems reasonable for that.

However, in Okta we define a custom scope on the authorization server. For every new client that should receive a different set of privileges, we would have to define a new auth server and custom scope which seems not scalable, given how cumbersome it is to setup a new auth server.

Am I missing an obvious way to pass through a custom scope from the “Api Services” type app to the auth server?


Hi Florian,

Thank you for reaching out to Okta Developer Forum. My name is Akash, from Okta and I would be answering your queries.

With regards to your query, it appears that you would like to assign different sets of privileges to various clients. While creating custom scopes and setting up new authorization servers may not be an ideal solution for your use case or requirement, an alternative approach is to utilize Access Policies.

With Access Policies, you can define different scopes, JWT lifetimes, grant types, and more, which can then be assigned to the appropriate clients to enforce the desired rules.

To learn more about Access Policy in the Custom Authorization Server, refer to this documentation - Configure an access policy | Okta Developer

Feel free to let me know if you have any other queries.
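As an added illustration of the scheme Akash describes (one custom authorization server, several custom scopes, and access policies deciding which client may be granted which scope), here is example code that is not part of the thread and not Okta's own. It shows both halves of the machine-to-machine flow: the token request an "API Services" client sends for the client-credentials grant, and the check the internal API performs on the `scp` claim of the access token it receives. The Okta domain, authorization server id, audience value, client ids and scope names are hypothetical, and the sample claims are constructed locally rather than issued by Okta.

```python
# Added example, not code from the forum thread or from Okta. Domain, auth server id,
# audience, client ids and scope names below are hypothetical placeholders.
import base64
import time
from urllib.parse import urlencode

OKTA_DOMAIN = "dev-000000.okta.com"        # hypothetical Okta org
AUTH_SERVER_ID = "aus0000000000000000"      # hypothetical custom authorization server
ISSUER = f"https://{OKTA_DOMAIN}/oauth2/{AUTH_SERVER_ID}"
TOKEN_URL = f"{ISSUER}/v1/token"
AUDIENCE = "api://internal"                 # audience configured on the auth server (assumption)

# Scope(s) each internal route requires. Because the access policy decides which
# client can be granted which scope, this table is the API's whole privilege model:
# a new client with different privileges only needs a policy rule, not a new server.
ROUTE_SCOPES = {
    ("GET", "/reports"): {"reports.read"},
    ("POST", "/reports"): {"reports.write"},
    ("DELETE", "/reports"): {"reports.admin"},
}


def client_credentials_request(client_id, client_secret, scopes):
    """Build the client-credentials token request a machine client sends to Okta.

    Returns (url, headers, body) and sends nothing. The client authenticates with
    HTTP Basic (client_id:client_secret) and lists the scopes it wants; the API
    must still enforce on the scopes actually present in the returned token.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return TOKEN_URL, headers, body


def authorize(claims, method, path, allowed_clients=None, now=None):
    """Decide whether signature-verified access-token claims may call method/path.

    Signature verification against the authorization server's JWKS is assumed to
    have been done already by a JWT library; this covers the checks that are
    usually left to the application: issuer, audience, expiry, an optional client
    allowlist (the "cid" claim) and the scope check on "scp". Returns (ok, reason).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if allowed_clients is not None and claims.get("cid") not in allowed_clients:
        return False, "client not allowed"
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "unknown route"
    granted = set(claims.get("scp") or [])  # Okta lists granted scopes in "scp"
    missing = required - granted
    if missing:
        return False, "missing scope(s): " + ", ".join(sorted(missing))
    return True, "ok"


def sample_claims(client_id, scopes, now):
    """Constructed claims shaped like an Okta client-credentials access token.

    Built locally for the demo; a real token is issued by Okta and its "scp"
    content is whatever the client's access policy allowed.
    """
    return {
        "iss": ISSUER, "aud": AUDIENCE, "sub": client_id, "cid": client_id,
        "iat": now, "exp": now + 3600, "scp": list(scopes),
    }


if __name__ == "__main__":
    now = int(time.time())
    reader = sample_claims("0oa_reader_hypothetical", ["reports.read"], now)
    admin = sample_claims("0oa_admin_hypothetical", ["reports.read", "reports.admin"], now)
    print(client_credentials_request("0oa_reader_hypothetical", "secret", ["reports.read"]))
    print(authorize(reader, "GET", "/reports", now=now))      # (True, 'ok')
    print(authorize(reader, "DELETE", "/reports", now=now))   # missing reports.admin
    print(authorize(admin, "DELETE", "/reports", now=now))    # (True, 'ok')
```

The design point is that privilege differences live in the access policy and show up in the token as scopes, so the API only has to keep one route-to-scope table and check `scp`; it never has to know which authorization server or client configuration produced the token, and adding a client with a different privilege set does not touch API code.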