Our app needs to authenticate and authorize with our customer’s tenant. They were able to create the SPA registration that we required. However, they’re not able to get all the way through logging in. I’m using https://.okta.com/ouath2/default as the issuer. However, when I asked them what their Authorization Server was they said that the tab is not available. So is there something they need to turn on or does this require a change in their contract with Okta in order to do authorization? I was able to integrate sign in with SAML am I going to have to change my app to use SAML instead of OIDC to authenticate and authorize the app?
I faced a simialr issue, it turns out to use OIDC and the auth flow you mentioned the tenant DOES need to have API access management. This gets confusing since it is a free or included feature in the developer account. Okta should clarify this.
If you only need to support SSO (OIDC), then you do not necessarily need to use a custom authorization server (which requires the API Access Management feature mentioned). In these situations, you can set the issuer for your application to your Okta domain, https://company.okta.com) and ensure that your requests goes to the built in ‘Org’ Authorization server instead of a custom server, such as the one called ‘default’. For example, without API AM, your authorize request will look like this: https://company.okta.com/oauth2/v1/authorize?client_id=…
For OAuth use cases, where you are protecting resources with access tokens, you will need API AM as you will not be able to locally validate tokens issued by the Org authorization server
The following articles are about the different authorization servers and the limitations of using the built in Org auth server:
Composing your base URL
Difference between Okta as an Authorization Server vs Custom Authorization Server
Signature Validation Failed on Access Token