Incremental authorization for public clients

Hi Okta community,

Does Okta implement the “incremental authorization” feature? We want to implement the least privilege principle and allow clients to request only the scopes they need. During the user session, if other scopes are required, we will request more scopes by “exchanging” a valid token for a new one (adding the requested scopes to the existing ones).
Here is a draft from IETF: draft-ietf-oauth-incremental-authz-04

Regards,

Hi there. Unfortunately we don’t have any functionality related to that draft spec and it’s not currently on our roadmap. It could be a good submission for Okta ideas, though, as I don’t see this posted there as of yet.

Thanks Cale. I will submit it in Okta ideas.

Hi Boubker,
May not be exactly what you’re after, but we’ve had a light chat with Okta here in Aus about how to do something similar. It’s possible to achieve a similar outcome by having multiple applications setup with different policies, scopes, etc.

We were looking at having one Okta application which can access ‘low risk’ features in our application context and another Okta application for our ‘high risk’ features with different scopes, policies, etc. The client would need some extra logic to know which client ID and token to use when. Our API gateway would have policies that only allow the higher privilege token to access the ‘high risk’ features/APIs.

Cheers, Adrian
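The two-application workaround Adrian describes, as an added example that is not Okta's code nor from anyone in this thread: a gateway-side policy that ties each route to a risk tier, accepts only the token issued to that tier's Okta application (checked via the `cid` claim) and still requires the route's scope (`scp` claim), plus the client-side helper that picks which token to send. It assumes the gateway has already verified the token's signature and expiry; the client IDs, scopes and routes are constructed placeholders.

```python
"""Gateway enforcement for a low-risk / high-risk split across two Okta
applications.  Assumes the access token has already been verified and we
receive its claims as a dict.  All IDs, scopes and routes are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder client IDs, one Okta application per risk tier.
LOW_RISK_CLIENT = "0oa_low_risk_placeholder"
HIGH_RISK_CLIENT = "0oa_high_risk_placeholder"
TIER_CLIENT = {"low": LOW_RISK_CLIENT, "high": HIGH_RISK_CLIENT}

# Route table: the tier a route belongs to and the scope it requires.
ROUTES = {
    "GET /profile":    ("low",  "profile:read"),
    "GET /orders":     ("low",  "orders:read"),
    "POST /payments":  ("high", "payments:write"),
    "DELETE /account": ("high", "account:delete"),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(route: str, claims: dict) -> Decision:
    """Gateway policy: the route's tier fixes which application's token is
    acceptable (design assumption: each tier accepts only its own token, so
    the high-privilege token cannot become the default everywhere), and the
    token must also carry the scope the route needs."""
    if route not in ROUTES:
        return Decision(False, "unknown route")
    tier, required_scope = ROUTES[route]
    if claims.get("cid") != TIER_CLIENT[tier]:          # Okta's client-id claim
        return Decision(False, f"token not issued to the {tier}-risk application")
    if required_scope not in claims.get("scp", []):      # Okta's scopes claim
        return Decision(False, f"missing scope {required_scope}")
    return Decision(True, "ok")


def select_token(route: str, tokens: dict) -> Optional[str]:
    """Client-side logic: choose the token matching the route's tier."""
    tier = ROUTES.get(route, (None, None))[0]
    return tokens.get(tier) if tier else None


# Constructed claims, as the gateway would see them after verification.
LOW_TOKEN = {"cid": LOW_RISK_CLIENT, "scp": ["openid", "profile:read", "orders:read"]}
HIGH_TOKEN = {"cid": HIGH_RISK_CLIENT, "scp": ["openid", "payments:write"]}
```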

Thanks Adrian. That is, indeed, the alternative to incremental authorization, as suggested by the RFC. It comes with a cost: complex governance (strategy to group high vs low risk capabilities, managing multiple client IDs, applications, scopes …) and also complex implementation (extra logic to know which client ID and token to use when, dealing with multiple access tokens). Hope we will get incremental authorization soon from the Okta team 🙂