Authorization of an SCIM client

I’m developing an SCIM (2.0) client which receives provisioning requests from OKTA. According to the doc, OKTA can authorize the requests with “OAuth 2.0 Authorization Code flow”. Does this mean my client has to provide “Authorization Code” protocol for OKTA to produce the authorization tokens? In other words, which part of the system produces the authorization tokens, OKTA or SCIM client?

If this is an existing OIN application or you have enabled SCIM on a custom SAML or SWA application, Okta will handle fetching the tokens for you. Part of the application integration will involve providing Okta with the necessary endpoints to get tokens using Auth Code flow (the only supported OAuth flow for SCIM authorization).

The only situation where this is not true is if you use the “Test SCIM Apps” that you can find in the OIN, which is designed for use when building a SCIM integration so that you can submit it to the OIN. For this type of application, you will need to supply a valid Access Token yourself (and therefore update it manually any time the token expires).

3 Likes
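An added sketch (not code from Okta or from anyone in this thread) of the division of roles described in the answer above: the SCIM application's side exposes the authorization and token endpoints and validates the resulting bearer token, while the provisioning side acts as the OAuth client that fetches it. The class name, client ID, secret, redirect URI and lifetimes are constructed placeholders, and the in-memory storage is an assumption made to keep the example self-contained.

```python
import hmac
import secrets
import time

# Constructed sample registration for the provisioning side (the OAuth client).
# All values are placeholders, not real Okta identifiers or URLs.
CLIENTS = {"provisioner-client-id": {"secret": "constructed-client-secret",
                                     "redirect_uri": "https://idp.example/callback"}}
CODE_TTL, TOKEN_TTL = 60, 3600  # seconds


class ScimAuthServer:
    """Hypothetical in-memory authorization server run by the SCIM application."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}   # code  -> (client_id, redirect_uri, expires_at)
        self.tokens = {}  # token -> expires_at

    def authorize(self, client_id, redirect_uri):
        """Authorization endpoint: once the admin consents, issue a short-lived code."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, self.now() + CODE_TTL)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: exchange a single-use code for an access token."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop() makes every code single-use
        if entry is None or entry[:2] != (client_id, redirect_uri) or entry[2] < self.now():
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = self.now() + TOKEN_TTL
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL}

    def authorize_scim_request(self, authorization_header):
        """Gate for SCIM endpoints such as /Users: accept only unexpired bearer tokens."""
        scheme, _, token = (authorization_header or "").partition(" ")
        expires_at = self.tokens.get(token)
        return (scheme.lower() == "bearer" and expires_at is not None
                and expires_at > self.now())
```
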

Thank you for the explanation. Is there an SCIM application with “OAuth 2.0 Authorization Code flow” that I could use for testing without submitting a new app for review in OKTA (the review takes weeks)?

Are you looking for a SCIM sample app, or just to understand how the Auth code grant works for SCIM?

If the former, there’s this blog post that has an example SCIM server you can test with: How to Build a Flask SCIM Server Configured for Use with Okta | Okta Developer

If the latter, you can just create a Custom SAML or SWA app in your org, enable SCIM Provisioning on it, and then configure the SCIM connection for OAuth:

