How authorize request works for apps installed from a public app

Currently we have a private app on Okta and we can sign in using Okta enduser dashboard in our main app.

We want to publish our private app and make it a public app so our customers can also use it for sign in via Okta. Our customers have their own Okta organizations.

A customer installs our app, after that the customer clicks on the installed app on their dashboard, a request is made to the “Initiate login URI” in our main app. After this request our main app will need to make a request for authorization. My question is

  1. “Is this request made using issuer, client_id and client_secret from Original app or from Customer installed app”

I also made a Loom video explaining my question: Loom | Free Screen & Video Recording Software

The /authorize request made by your app should match the Okta tenant that the user is in. When the user launches the application, they get redirected to the “Initiate login URI” with a query parameter, iss, that will indicate their Okta domain. You can then use that domain as the issuer to make this request: ${iss}/oauth2/v1/authorize. Your app could/would also use this iss value to determine the matching client_id (the client_id for the OIDC application added to the customer org in question) to form the request (such as with a look-up table on your side).
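A worked example of the flow described in the answer above, added here and not code from Okta or the original poster. It handles the “Initiate login URI” request, reads the iss query parameter, resolves it through an assumed look-up table of known customer orgs to the matching client_id, and builds the ${iss}/oauth2/v1/authorize request (the Org Authorization Server path) with state, nonce and PKCE. The tenant table, client_id values and redirect URI are constructed placeholders. The security point it adds is that an unrecognised or non-https iss is rejected rather than used, so the app only ever redirects users to authorization servers it has been configured for, and the issuer is pinned in the session so the callback can be checked against it.

```python
"""Multi-tenant OIDC "Initiate login URI" handler (added example, not Okta's code).

Assumptions (constructed for this example):
  * TENANTS maps a customer Okta org issuer to the client_id of the OIDC app
    they installed from the OIN into their own org.
  * REDIRECT_URI is this app's registered callback.
  * `session` is any dict-like per-user store.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Look-up table: Okta org issuer -> client_id of the app installed in that org.
# Placeholder values; in a real deployment this is populated when a customer
# installs the integration.
TENANTS = {
    "https://customer-a.okta.com": "0oaCUSTA_CLIENT_ID_PLACEHOLDER",
    "https://customer-b.okta.com": "0oaCUSTB_CLIENT_ID_PLACEHOLDER",
}

REDIRECT_URI = "https://app.example.com/oidc/callback"  # assumed callback


def normalize_issuer(iss: str) -> str:
    """Canonicalise iss: must be a bare https origin; host is lower-cased."""
    parts = urlsplit(iss)
    if (parts.scheme != "https" or not parts.netloc
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise ValueError("iss must be a bare https origin")
    return f"https://{parts.netloc.lower()}"


def lookup_tenant(iss: str):
    """Return (issuer, client_id) for a known org; unknown orgs are rejected
    so the app never sends a user to an authorization server it was not
    configured with."""
    issuer = normalize_issuer(iss)
    client_id = TENANTS.get(issuer)
    if client_id is None:
        raise LookupError("unknown Okta org")
    return issuer, client_id


def pkce_pair():
    """Return (code_verifier, S256 code_challenge)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(issuer, client_id, state, nonce, code_challenge):
    """Authorization Code + PKCE request against the Org Authorization Server
    (/oauth2/v1/authorize). A custom server would use /oauth2/<id>/v1/authorize."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/oauth2/v1/authorize?{urlencode(params)}"


def handle_initiate_login(request_url: str, session: dict) -> str:
    """Handle GET <Initiate login URI>?iss=... and return the redirect target."""
    iss_values = parse_qs(urlsplit(request_url).query).get("iss", [])
    if len(iss_values) != 1:
        raise ValueError("exactly one iss parameter expected")
    issuer, client_id = lookup_tenant(iss_values[0])
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    # Pin everything the callback must be checked against.
    session.update({"state": state, "nonce": nonce,
                    "pkce_verifier": verifier, "issuer": issuer})
    return build_authorize_url(issuer, client_id, state, nonce, challenge)


def check_callback(callback_url: str, session: dict) -> str:
    """Verify state on the redirect back and return the authorization code.
    The token exchange must then go to session['issuer'] (not to any issuer
    named in the callback), and the ID token's iss must equal it."""
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, session.get("state", "")):
        raise ValueError("state mismatch")
    codes = qs.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing authorization code")
    return codes[0]


if __name__ == "__main__":
    sess = {}
    print(handle_initiate_login(
        "https://app.example.com/login/initiate?iss=https://customer-a.okta.com", sess))
```

The token exchange and ID token validation that follow are not shown; the important part for the question is that both the authorize request and the later token request are derived from the issuer stored in the session, which was itself chosen from the look-up table, not from whatever the browser supplied.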

Hi @andrea , thanks for your answer.

So I have one more question, in my Company Okta organization I am not able to create an “Authorization server”. I found that I would need to enable API Access Management which is a paid feature. Does this mean that our customers will also need to enable API Access Management in their organization to use our SSO?

Not quite/it will depend on the integration. For OIN apps, we actually require that the application work with the built-in Org Authorization Server for exactly this reason, that the API AM SKU is a separate paid add-on that not all Orgs will have. If you want other Okta customers to be able to use your integration, I highly recommend configuring it to use the “Org” (not “Default”, that is a custom server) Authorization Server.

Here are some guides you may want to take a look at: