I have a requirement where I need to secure a set of APIs hosted in my own domain using Okta OAuth 2.0 with the Client Credentials flow (Client ID and Client Secret).
My requirement is to control access to specific APIs based on the client/application. For example:
- Client A should be allowed to access API 1 and API 2.
- Client B should be allowed to access only API 1.
- Client C should not be allowed to access API 2.
What is the recommended approach in Okta to implement this kind of API-level authorization?
You can create a custom authorization server with custom scopes (api1.read, api2.read, etc.).
Then you can create access policies with rules to control which service apps (clients) can access which of these scopes.
Note: If you don’t have the ability to see custom authorization servers, you might have to purchase API Access Management for your tenant.
Reference:
A custom authorization server is necessary when you’re building and protecting your own APIs, need fine-grained control over token contents (scopes and claims), or require specific access policies for different user groups or apps. If your app needs to validate the token itself, a custom authorization server is the appropriate choice.
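Added example, not from the original thread: the API-side check that makes the scope-per-API design above enforceable. It assumes the custom authorization server issues one scope per API (api1.read, api2.read), that the issuer/audience values are placeholders, and that the token signature has already been verified against the authorization server's JWKS endpoint (/oauth2/{authServerId}/v1/keys) by a JWT library before these claim checks run.

```python
"""Per-API scope enforcement for Okta client-credentials access tokens.

Signature verification against the custom authorization server's JWKS is
assumed to happen before this code (not shown); only claim checks are here.
"""
import base64
import json
import time

# Placeholders for the custom authorization server's issuer and audience.
ISSUER = "https://example.okta.com/oauth2/aus_PLACEHOLDER"
AUDIENCE = "api://my-apis"

# One custom scope per protected API; anything not listed is denied.
REQUIRED_SCOPE = {"api1": "api1.read", "api2": "api2.read"}


def decode_payload(token: str) -> dict:
    """Return the JWT payload (middle segment) as a dict; no verification."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def is_authorized(claims: dict, api: str, now=None) -> bool:
    """True only if the token is from our server, for our audience,
    unexpired, and carries the scope the requested API requires."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False
    if claims.get("exp", 0) <= now:
        return False
    granted = set(claims.get("scp", []))          # Okta puts scopes in "scp"
    required = REQUIRED_SCOPE.get(api)
    return required is not None and required in granted


def sample_claims(client_id: str, scopes: list, exp: int) -> dict:
    """Constructed claims shaped like an Okta access token for a service app."""
    return {"iss": ISSUER, "aud": AUDIENCE, "cid": client_id, "sub": client_id,
            "scp": scopes, "iat": exp - 3600, "exp": exp}


def sample_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature, for exercising decode_payload."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

The policy rules in Okta decide which client receives which scope; the API only needs to trust the verified scp claim and map each route to its required scope.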
I need to expose multiple APIs to multiple customers, with each customer having access only to the APIs they are authorized to use. In this scenario, is the recommended approach to create a separate Service App (Client Credentials application) for each customer, and then control API access through scopes and access policies? Or is there a better way to manage authorization when the number of customers and APIs grows?