Is authorization server required for OIDC Auth flow

We are transitioning our application from a dev instance of Okta to our enterprise instance. Our Okta admin says that we don’t have the authorization server on our license. I’m assuming that in order to hit endpoints like authorize, token, and introspect that feature needs to be enabled. Is that correct?

Short answer is it depends - Some implementations can get away with using the just “Org” authorization server which doesn’t require an extra license. If you need to customize the auth server for any reason then you’ll need the extra license in order to enable that. Some more on the different types of authorization servers here:

https://developer.okta.com/docs/concepts/auth-servers/

1 Like