Cross App Access Implementation Question with Dev Tenant and Pre-Built App Integrations

I am working on implementing Cross App Access for one of the MCP servers we have here at my company. However, I’m running into a strange issue when exchanging the ID token for the ID-JAG token. In the payload that is passed in the token exchange request, it seems the only URL that will work for the ‘audience’ parameter is ‘http://localhost:5001’. This also happens to be the same URL that is used in one of the demos that has been posted (https://github.com/oktadev/okta-cross-app-access-mcp/tree/main). Is this the only URL that can be used for the audience with the pre-built App Integrations for Agent0 (requesting app) and Todo0 (resource app)? If not, is there somewhere in the admin console where I can adjust this and add more URLs that can be used? I’m looking to exchange the JAG token for an access token to one of our SaaS applications, so I would think the ‘audience’ must be pointing to a token URL for that specific application.

The example app Todo0 is an app in our catalog which has a centrally configured token endpoint (http://localhost:5001) which cannot be configured on your end. This pattern will be useful for SaaS apps using a common authorization server for all customers.

Based on your question, I think you are referring to the ability to get a JAG to access a resource server protected by an authorization server different from http://localhost:5001, like a custom authorization server in Okta (https://youroktadomain.com/oauth2/default). If this is true, there is an Okta for AI agents feature as described here. This feature is available as EA, which you might be able to enable for your tenant by contacting your account team.

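As an added illustration (not code from this thread or from Okta's demo), the two exchanges the question describes: the ID token is traded for an ID-JAG at the IdP with `audience` set to the resource app's centrally configured authorization server URL, then the ID-JAG is presented to that resource app's token endpoint. The grant-type and token-type URNs follow the IETF Identity Assertion Authorization Grant draft as I read it; the endpoint URLs, the sample claims and the unsigned sample token are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# URNs from the Identity Assertion Authorization Grant (ID-JAG) draft.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ID_JAG_TYPE = "urn:ietf:params:oauth:token-type:id-jag"


def id_jag_request(id_token, resource_auth_server, scope):
    """Step 1 body, sent to the IdP (Okta) token endpoint.
    'audience' is the resource app's authorization server as registered
    centrally for the catalog app (http://localhost:5001 for Todo0);
    any other value is rejected, which is the behaviour in the question."""
    return {
        "grant_type": TOKEN_EXCHANGE,
        "requested_token_type": ID_JAG_TYPE,
        "subject_token": id_token,
        "subject_token_type": ID_TOKEN_TYPE,
        "audience": resource_auth_server,
        "scope": scope,
    }


def access_token_request(id_jag):
    """Step 2 body, sent to the resource app's own token endpoint."""
    return {"grant_type": JWT_BEARER, "assertion": id_jag}


def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does not verify the
    signature, which the resource server must do before trusting claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(id_jag, resource_auth_server):
    """Check that the JAG's 'aud' is the server you are about to POST it to."""
    return jwt_claims(id_jag).get("aud") == resource_auth_server


def encode_unsigned_jwt(claims):
    """Constructed alg=none token for offline demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."


def post_form(url, body):
    """Send a form-encoded token request and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode())
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

In a live run, `post_form(okta_token_endpoint, id_jag_request(...))` returns the ID-JAG, and `post_form("http://localhost:5001/token", access_token_request(jag))` (placeholder path) returns the resource access token.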

@ramgan, Thanks for the response. Is there any chance we could have a private chat via Zoom or Email to get further into the details of the question?