Can I use an inline hook to verify a 3rd party access token in a token exchange?
Have an AT being generated from a Microsoft social IDP in a 3rd party application that I want to exchange for an Okta custom org access token. It's a Workforce Identity pattern where I would like a 3rd party token to be trusted.
No, please do not use inline hooks for token verification. The general recommendation is for inline hooks to be used for adding custom claims to tokens.
Use case:
Identity signs into a 3rd party hosted app using a Microsoft Identity via MSAL (not configured in an Okta tenant). They want to access an Okta protected API, so they take their Microsoft-issued access token and exchange it for an Okta token. Okta needs to know the JWKS to check the signature, and that's the trust part of Token Exchange.
Okta seems to only support trust between 2 Authorisation Servers in the same org.
We don't want to have the users sign into our service first; instead they use their own IDP (Microsoft IDP, for example) so that they can use their own APIs, which in turn call our API with the access token gained from the Token Exchange.
Think of it as Workload Identity Federation (Microsoft Entra Workload ID | Microsoft Learn): "GitHub Actions. First, configure a trust relationship between your user-assigned managed identity or application in Microsoft Entra ID and a GitHub repo in the Microsoft Entra admin center or using Microsoft Graph. Then configure a GitHub Actions workflow to get an access token from Microsoft identity provider and access Azure resources."
Okta currently does not support this OOB. Token exchange is a huge spec; assuming RFC 8693 (OAuth 2.0 Token Exchange) is what Workload Identity Federation is making use of, Okta only supports what makes it easy between Okta and Okta.