Creating a new OIDC app to be published in OIN

Hi,
I am creating a new OIDC app in Okta to authenticate users. Our web service already supports OIDC for Google and Microsoft. I have created the ‘app’ in Okta in our account, and successfully authenticated myself into our web service using it.

Now I have several questions…

How can I discover which Okta Organisation the login user belongs to? Our web service is a multi-tenant service, so I need to match the login user’s Okta Organisation to our equivalent account. In Microsoft Azure I used Admin Consent to acquire a Tenant ID and store it in our account, and then I could match that against the Tenant ID which I can get from the Azure Graph API using the login user’s access token.

In Okta I requested the okta.users.read.self scope (successfully), but apparently I must use an SSWS token to get /api/v1/users/me because the OAuth access token does not work. Does that mean that every Okta customer must manually create an SSWS token to grant my application access to their logged-in user information? Surely not.

I have also read that each Okta customer will generate a new Client ID and Client Secret.
Is this true even if the application is added via OIN? If so how do I know which Client ID and Client Secret to use when authenticating a user?!? Isn’t this the point of OpenID Connect, that an application asks the identity provider to authenticate the (unknown) user for the (known) app?

The OAuth access token contains iss and aud, which maybe I can use instead? But I’m not sure which equates to the customer’s Okta Organisation, and which one is my Organisation that I have defined the application in. (Obviously they are the same until I publish the app in OIN, at least if OIN is like Microsoft Azure Marketplace). In theory I could get the administrator to login to Okta, and thus get their iss or aud value as the equivalent of the Tenant ID in Microsoft.

Another question: as noted above I have created my application, but it does not appear in my User Dashboard even though I have assigned the application to all users and it is Active. How can I add it to the Dashboard? From the user end I can only ‘Request an app’ which sends an email and does nothing else, or add from the Catalog but my app isn’t published yet.

Thanks in advance,
Jonathan.

Hello,

There are a number of questions and not all are OIN specific. I would recommend creating a support case for the requirements for OIN applications. If you have not already, I suggest going through the below links for OIN OIDC applications.

As for how your application knows which Okta Org to match a request up to: the most popular way would be to use different subdomains for each Okta Org that installs your application. Other possibilities could be based on email domain, but this requires each Org to only allow a specific set of mail domains that they have full control over.

Client id/secrets will be generated when a customer installs the application from the OIN. They would supply this to you to set up in your application. The doc links I provided go over mandatory documentation for OIN applications.

There would never be a situation where end users are assigned an API Token to make API calls into Okta. A user needs to be an admin to create a token. The /api/v1/users/me does not accept an access_token, but needs a valid Okta session (sid cookie). This would be better discussed in a support case however.

For OIDC apps to be set up on the dashboard, this needs to be done on an app-by-app basis. Note that simply setting up an icon on the dashboard does not make it functional. There are two possible ways to set up SSO for an OIDC application from the dashboard. See Okta Help Center (Lightning).
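The tenant-matching problem raised in the question and the subdomain approach from the reply, as an added example that is not part of either post or of Okta's own code: the service resolves the customer from the request's subdomain, then checks that the ID token's `iss` (the issuing Okta org) and `aud` (the client_id that customer generated when installing the app) match that tenant's stored configuration, so a token from one customer's org can never log into another customer's account. Tenant names, org URLs and client_ids are constructed placeholders; JWT signature verification against the issuer's JWKS is assumed to have happened before these claim checks.

```python
import time

# Constructed tenant registry: one entry per customer Okta org, keyed by the
# subdomain the customer uses to reach the multi-tenant service. The issuer and
# client_id are placeholders for the values each customer supplies after
# installing the OIN app (the secret is omitted; it is not needed for checks).
TENANTS = {
    "acme": {
        "issuer": "https://acme-org.okta.example",        # placeholder org URL
        "client_id": "0oa_acme_client_id_placeholder",    # placeholder
    },
    "globex": {
        "issuer": "https://globex-org.okta.example",
        "client_id": "0oa_globex_client_id_placeholder",
    },
}


def tenant_for_host(host):
    """Resolve the tenant from the Host header, e.g. 'acme.service.example'."""
    label = host.split(":")[0].split(".")[0].lower()
    return TENANTS.get(label)


def check_id_token_claims(claims, tenant, now=None):
    """Validate signature-verified ID token claims against the selected tenant.

    In OIDC the ID token's `iss` is the authorization server that issued it
    (the customer's Okta org) and `aud` carries the client_id. Both must match
    the tenant chosen by the subdomain, or the login is rejected.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != tenant["issuer"]:
        return False, "iss does not match this tenant's Okta org"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if tenant["client_id"] not in aud:
        return False, "aud does not contain this tenant's client_id"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get("sub"):
        return False, "missing sub"
    return True, "ok"


def login(host, claims, now=None):
    """Full flow: subdomain -> tenant -> claim checks. Returns tenant label or None."""
    tenant = tenant_for_host(host)
    if tenant is None:
        return None
    ok, _ = check_id_token_claims(claims, tenant, now)
    return host.split(".")[0].lower() if ok else None
```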