We want to protect internal APIs for the machine-to-machine use-case. The clients for the API would have different privileges so using scopes seems reasonable for that.
However, in Okta we define a custom scope on the authorization server. For every new client that should receive a different set of privileges, we would have to define a new auth server and custom scope, which seems not scalable given how cumbersome it is to set up a new auth server.
Am I missing an obvious way to pass through a custom scope from the “Api Services” type app to the auth server?
Thank you for reaching out to Okta Developer Forum. My name is Akash, from Okta and I would be answering your queries.
With regards to your query, it appears that you would like to assign different sets of privileges to various clients. While creating custom scopes and setting up new authorization servers may not be an ideal solution for your use case or requirement, an alternative approach is to utilize Access Policies.
With Access Policies, you can define different scopes, JWT lifetimes, grant types, and more, which can then be assigned to the appropriate clients to enforce the desired rules.
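An added example of what the API side of this setup looks like once access policies hand each client its own scope set; this is not code from the thread or from Okta. The authorization server issues one access token per client whose `scp` claim lists the scopes the matching access policy rule granted and whose `cid` claim names the client; the internal API only has to verify the token and check the one scope an endpoint needs. The issuer URL, audience, client IDs and scope names below are assumed, and HS256 with a shared secret stands in for Okta's RS256 signing so the block runs offline; a real resource server verifies RS256 against the authorization server's JWKS (for example with PyJWT or okta-jwt-verifier) and keeps the rest of the checks the same.

```python
"""Scope enforcement for a machine-to-machine API behind Okta access policies.

Constructed example. HS256 with a shared secret stands in for Okta's RS256
signing so this runs offline; production code verifies RS256 against the
authorization server's JWKS instead of SECRET.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-test-secret"                  # stand-in for the JWKS key
ISSUER = "https://example.okta.com/oauth2/default"   # assumed auth server issuer
AUDIENCE = "api://internal"                          # assumed audience of the auth server


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a test JWT. Only for constructing samples; the real issuer is Okta."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(token: str, required_scope: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the calling client may hit an endpoint needing `required_scope`.

    `scp` carries the scopes the access policy granted to this client (`cid`);
    the API enforces least privilege by checking only the scope the endpoint needs.
    """
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    granted = set(claims.get("scp", []))
    if required_scope not in granted:
        return False, f"client {claims.get('cid')} lacks scope {required_scope}"
    return True, f"client {claims.get('cid')} allowed"


# Constructed sample tokens for two assumed clients: one policy rule grants the
# reporting client read-only scopes, another grants the batch job read+write.
NOW = 1_700_000_000
READER_TOKEN = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "0oa-reporting",
                           "cid": "0oa-reporting", "iat": NOW, "exp": NOW + 300,
                           "scp": ["inventory.read"]})
WRITER_TOKEN = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "0oa-batchjob",
                           "cid": "0oa-batchjob", "iat": NOW, "exp": NOW + 300,
                           "scp": ["inventory.read", "inventory.write"]})

if __name__ == "__main__":
    for name, tok in (("reporting", READER_TOKEN), ("batchjob", WRITER_TOKEN)):
        for scope in ("inventory.read", "inventory.write"):
            print(name, scope, authorize(tok, scope, now=NOW))
```

The point of the check is that the API never looks up a client-to-privilege table of its own: which client gets which scope lives in the access policy rules on the one authorization server, and the API trusts the signed `scp` claim after verifying signature, issuer, audience and expiry.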