How does an application request scopes (on behalf of a user) defined in multiple custom authorization servers?

If you log in to an application to get an access token in a user identity context (i.e. not the client credentials grant), can the application access multiple custom authorization servers on the same Okta tenant instance? Or should an application only use a single custom authorization server for an Okta tenant (in a user identity context)?

For example, we have two API products, and the scopes for those APIs are defined in different custom authorization servers.
CustomAuthServer1:
Issuer: https://dev-#####.oktapreview.com/oauth2/aus8zlpy8i8IaiccN0h7
Scopes: team.photos.read team.photos.readwrite team.photos.private

CustomAuthServer2:
Issuer: https://dev-#####.oktapreview.com/oauth2/aus9879046CkVDWt5
Scopes: im.contacts.read im.contacts.readwrite im.contacts.private

How can an application request an access token (on the user's behalf) for scopes when users log in, if those scopes are defined in different custom authorization servers?

2 Likes

According to Okta documentation, we should create one custom authorization server per API product.

"Assign one authorization server per API Product. Doing so allows teams to maintain separate authorization policies and token expiration times while eliminating scope name collisions."

Okta documentation:
https://developer.okta.com/docs/concepts/api-access-management/#authorization-server

However, if you follow this practice for each API product, then what will happen if the client application is a mobile app and the mobile app needs to call three APIs (in user context)? How will you get three access tokens in the user context? How will you show the consent screen to the user from multiple authorization servers (as part of the OIDC/OAuth 2.0 PKCE flow)?

1 Like
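Added example, not from either post and not Okta's own code: a sketch of how a public client would run one authorization-code + PKCE request per custom authorization server (as the two posts describe), keep track of which issuer each callback belongs to, and how each API product should accept only tokens minted by its own authorization server. The org domain, authorization server ids, audiences, client id and redirect URI are placeholders; the `/v1/authorize` and `/v1/token` paths under `/oauth2/{authServerId}` and the `scp` claim are the ones Okta documents for custom authorization servers.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data modelled on the question; every id below is a placeholder.
ORG = "https://dev-EXAMPLE.oktapreview.com"
AUTH_SERVERS = {
    "photos": {"issuer": f"{ORG}/oauth2/AUTH_SERVER_ID_1", "aud": "api://photos",
               "scopes": ["team.photos.read", "team.photos.private"]},
    "contacts": {"issuer": f"{ORG}/oauth2/AUTH_SERVER_ID_2", "aud": "api://contacts",
                 "scopes": ["im.contacts.read"]},
}
CLIENT_ID = "EXAMPLE_CLIENT_ID"             # placeholder public (mobile) client
REDIRECT_URI = "com.example.app:/callback"  # placeholder native-app redirect URI


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_requests(servers=AUTH_SERVERS):
    """One /v1/authorize request per authorization server, each with its own state
    and PKCE verifier. Returns the URLs and a state -> {issuer, verifier} map."""
    urls, pending = {}, {}
    for name, srv in servers.items():
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
        state = secrets.token_urlsafe(16)
        pending[state] = {"issuer": srv["issuer"], "verifier": verifier}
        params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
                  "scope": " ".join(["openid"] + srv["scopes"]), "state": state,
                  "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
        urls[name] = f"{srv['issuer']}/v1/authorize?{urlencode(params)}"
    return urls, pending


def handle_callback(callback_url: str, pending: dict):
    """Map the returned state back to the issuer whose /v1/token endpoint must receive
    the code and verifier. Unknown state -> None (stale, replayed or mixed-up response)."""
    query = parse_qs(urlparse(callback_url).query)
    entry = pending.pop(query.get("state", [""])[0], None)
    if entry is None or "code" not in query:
        return None
    return f"{entry['issuer']}/v1/token", query["code"][0], entry["verifier"]


def resource_server_accepts(claims: dict, server: dict, required_scope: str) -> bool:
    """Each API product checks iss and aud as well as scope (Okta carries scopes in `scp`),
    so a token from the other authorization server is rejected even if a scope name collides."""
    return (claims.get("iss") == server["issuer"] and claims.get("aud") == server["aud"]
            and required_scope in claims.get("scp", []))
```

In practice the mobile app performs the two browser round-trips one after the other (the user sees one consent screen per authorization server) and then holds one access token per API product, keyed by issuer.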