We have an API gateway, and it requires a valid token from Okta to access the API. Now we want to open this API for other applications to use (same organization) and are planning to implement a machine-to-machine app using this guide: Implement OAuth for Okta with a service app | Okta Developer. But when I looked at the authorization server, it says only a custom authorization server can do machine-to-machine authentication. Do we need a custom authorization server? All we want is for apps with a client secret to be able to generate a token using Okta and access our API using that token.
I touched upon this in my response to your other thread, but to add an answer here, if you’re looking to secure your own API with Access tokens issued by Okta, it is recommended/required that you use a Custom Authorization Server.
Also, I do want to note/clarify here that the guide you linked to discusses how to use Access Tokens issued by the built-in Org Authorization Server, which are specifically intended to be used against Okta’s own API endpoints; that is what the guide is focused on. You would follow those instructions if you are looking to use OAuth authorization to access Okta’s endpoints instead of using an API token.
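To make the answer above concrete: below is an added example (not Okta's code and not from either poster) showing the two halves of the setup being described. The first half builds the client-credentials request a service app sends to a custom authorization server's `/oauth2/{authServerId}/v1/token` endpoint; the second half is the claim check an API gateway applies so that it only accepts tokens minted by that custom server for this API. The domain, authorization server id, client id/secret, scope and audience are placeholders, and the sample tokens are constructed inline; the request is built but not sent, so it runs offline.

```python
"""Client-credentials exchange against an Okta custom authorization server,
plus the claim checks an API gateway should apply to the resulting token.

Example code added to this thread, not Okta's own. Every tenant-specific value
below is a placeholder (assumption), not a real Okta value.
"""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholders (assumptions): replace with your tenant's values.
OKTA_DOMAIN = "https://example.okta.com"
AUTH_SERVER_ID = "ausEXAMPLE"           # id of the custom authorization server
CLIENT_ID = "0oaEXAMPLE"                # service app (client credentials) client id
CLIENT_SECRET = "client-secret-placeholder"
API_AUDIENCE = "api://my-gateway"       # audience configured on the custom server
API_SCOPE = "gateway.read"              # custom scope defined on that server


def custom_issuer(domain: str, auth_server_id: str) -> str:
    """Issuer of a custom authorization server. The org server's issuer is the
    bare domain, which is how a gateway can tell the two apart."""
    return f"{domain}/oauth2/{auth_server_id}"


def build_token_request(domain, auth_server_id, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials grant.
    Client id/secret go in an HTTP Basic header, scope in the form body."""
    url = f"{custom_issuer(domain, auth_server_id)}/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (claim inspection only).
    A real gateway must first verify the RS256 signature against the custom
    server's JWKS (/oauth2/{id}/v1/keys) before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_claims(payload, expected_issuer, expected_audience, required_scope, now=None):
    """Return (ok, reason). Rejects tokens from the wrong issuer (e.g. the org
    server), tokens minted for another API, expired tokens and scope-less tokens."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        return False, "audience mismatch"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in payload.get("scp", []):
        return False, "missing scope"
    return True, "ok"


def constructed_token(payload: dict) -> str:
    """Build an UNSIGNED sample token for demonstration only (constructed data)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig-placeholder"


if __name__ == "__main__":
    url, headers, body = build_token_request(
        OKTA_DOMAIN, AUTH_SERVER_ID, CLIENT_ID, CLIENT_SECRET, API_SCOPE)
    print("POST", url, body)
    issuer = custom_issuer(OKTA_DOMAIN, AUTH_SERVER_ID)
    good = {"iss": issuer, "aud": API_AUDIENCE, "exp": time.time() + 3600,
            "scp": [API_SCOPE], "cid": CLIENT_ID}
    print(check_claims(decode_payload(constructed_token(good)),
                       issuer, API_AUDIENCE, API_SCOPE))
```

The issuer comparison is the piece that answers the question in the thread: a token from the org authorization server carries the bare domain as `iss`, so a gateway configured with the custom server's issuer rejects it up front, and the `aud`/`scp` checks only pass for tokens that the custom server minted for this specific API.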