Hi,
I’ve been experimenting with Cross App Access based on this post and the Agent0/Todo0 sample, and I have a question about the required architecture.
In your example, Okta acts as the IdP and there’s a separate authorization server for the resource app (e.g., the Todo0 authorization server). In my setup I have:
- One Okta org (my “integrator” instance)
- Two apps in that same org:
  - A web UI app that does OIDC login with Okta (Auth Code + PKCE)
  - A backend “resource server” app that I want to call via Cross App Access

My questions are:

- Can Cross App Access / ID-JAG be used when both the requesting app and the resource app live in the same Okta org, and the resource’s authorization server is also that same org (e.g., via a custom authorization server like /oauth2/default)?
- Or is it a requirement/recommendation that the resource app have its own authorization server, separate from the enterprise IdP – like in your sample (a custom auth server) or possibly a second Okta org acting as the resource authorization server?
- If using only a single Okta org is supported, is there a minimal example or configuration you can point to that shows ID-JAG working without a separate non-Okta auth server?
I’m trying to understand the intended deployment model so I can get this working correctly with my own Okta “integrator” instance.
Thanks!
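The question above turns on the trust relationship between the two roles in the sample architecture: the enterprise IdP mints the ID-JAG, and the resource app's authorization server is the party that has to decide whether to accept it. The following is an added example, not code from the post, from Okta, or from the Agent0/Todo0 sample; it shows the checks a resource authorization server would perform on an incoming ID-JAG assertion before issuing its own access token. The issuer URLs, the `oauth-id-jag+jwt` header type, the claim set and the HS256 signing are constructed assumptions standing in for the IdP's real asymmetric key and JWKS; the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type is the RFC 7523 value.

```python
"""Resource-authorization-server side: validate an ID-JAG assertion (illustrative)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in values (assumptions for this example, not from the post or from Okta).
IDP_ISSUER = "https://idp.example.com"              # enterprise IdP that mints the ID-JAG
RESOURCE_AS_ISSUER = "https://todo-as.example.com"  # this resource authorization server
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type
ID_JAG_TYP = "oauth-id-jag+jwt"                      # assumed JWT "typ" for the assertion
DEMO_KEY = b"constructed-demo-hs256-key"             # HS256 stand-in for the IdP's JWKS key
MAX_LIFETIME = 300                                   # seconds; refuse long-lived assertions


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_jag(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed IdP side: sign the ID-JAG claims with HS256 (stand-in for RS256 + JWKS)."""
    header = {"alg": "HS256", "typ": ID_JAG_TYP}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_jag(assertion: str, grant_type: str, seen_jtis: set,
                    key: bytes = DEMO_KEY, now: Optional[int] = None) -> dict:
    """Resource AS side: return the verified claims, or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    if grant_type != JWT_BEARER_GRANT:
        raise ValueError("unsupported grant_type")
    try:
        h, p, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed assertion")
    # Pin algorithm and token type; never let the header choose the algorithm.
    if header.get("alg") != "HS256" or header.get("typ") != ID_JAG_TYP:
        raise ValueError("unexpected alg or typ")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    # The assertion must come from the trusted IdP and be addressed to this AS, not to someone else.
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE_AS_ISSUER not in aud:
        raise ValueError("audience is not this authorization server")
    for required in ("sub", "client_id", "jti", "iat", "exp"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if not (claims["iat"] - 60 <= now < claims["exp"]) or claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("assertion expired, not yet valid, or too long-lived")
    # An assertion is single-use: a repeated jti is a replay.
    if claims["jti"] in seen_jtis:
        raise ValueError("replayed jti")
    seen_jtis.add(claims["jti"])
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Happy path plus the rejections a reviewer would want to see, keyed by scenario."""
    seen: set = set()
    good = {"iss": IDP_ISSUER, "aud": RESOURCE_AS_ISSUER, "sub": "user-123",
            "client_id": "agent0-web-ui", "jti": "jag-001", "iat": now, "exp": now + 120,
            "scope": "todos.read"}  # constructed claims
    results = {"accepted_sub": validate_id_jag(mint_id_jag(good), JWT_BEARER_GRANT, seen, now=now)["sub"]}
    attempts = {
        "replay": (mint_id_jag(good), JWT_BEARER_GRANT),
        "wrong_audience": (mint_id_jag({**good, "jti": "jag-002", "aud": IDP_ISSUER}), JWT_BEARER_GRANT),
        "wrong_issuer": (mint_id_jag({**good, "jti": "jag-003", "iss": "https://other-idp.example.net"}), JWT_BEARER_GRANT),
        "tampered": (mint_id_jag({**good, "jti": "jag-004"}, key=b"some-other-key"), JWT_BEARER_GRANT),
        "wrong_grant": (mint_id_jag({**good, "jti": "jag-005"}), "authorization_code"),
    }
    for name, (assertion, grant) in attempts.items():
        try:
            validate_id_jag(assertion, grant, seen, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The issuer and audience checks are the part that maps onto the architecture question: the assertion is minted by the IdP (`iss`) for a specific authorization server (`aud`), so whichever deployment model is used, the resource's authorization server needs a clear notion of which issuer it trusts and which audience value identifies itself.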