OAuth Authentication for SCIM Provisioning

Hello,

The Authentication section of the SCIM Provisioning documentation contains the following regarding OAuth 2.0 Authorization Code Grant Flow:

After a user successfully authorizes Okta using OAuth 2.0, the authorization server of your app will redirect the user back to Okta with either an authorization code or access token.

RFC 6749 - Authorization Code Grant indicates the client (i.e. Okta) passes the authorization code and authenticates in order to get the access code:

(D) The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification.

If my authorization server returns an authorization code to Okta:

  1. How would Okta authenticate with my authorization server when requesting the access token? What credentials are required between Okta (client) and my authorization server?

  2. Are refresh tokens supported when using OAuth 2.0 for SCIM provisioning?

Thank you in advance for your time,

David.

In my original posting above, is Okta acting as an OAuth client? If true, how does Okta authenticate with my own authorization server?

Thanks,

David.

Hi David,

Did you manage to get the answers to the questions?

If yes, also how would Okta manage the expiry of the Access Token provided?

Hi @dcardozo @pradab

  1. How would Okta authenticate with my authorization server when requesting the access token? What credentials are required between Okta (client) and my authorization server?

When using “SCIM 2.0 Test App (OAuth Bearer Token)”, you will need to manually specify the access token. Okta will use the JWT as the Authorization header for each call that it performs to your SCIM server.

If you are integrating the application in Okta Integration Network (OIN) through oinmanager.okta.com, you will need to provide a client ID and client secret. Using these details, Okta will perform an authorization code flow with your authorization server and retrieve an access token that will be used to further communicate with the SCIM server. The Okta administrator will see this process under the Provisioning tab as "Sign in with ".

  2. Are refresh tokens supported when using OAuth 2.0 for SCIM provisioning?

If the application is integrated in OIN, then yes, refresh tokens are supported in order to retrieve a new access token automatically and prevent interrupting the provisioning flow.
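As an added example (not code from this thread, from Okta, or from any SCIM server), here is the server-side logic the answer above describes, written in Python: a token endpoint that authenticates the client with its client ID and secret (RFC 6749 step D), redeems a single-use authorization code bound to its redirect URI, issues access and refresh tokens with refresh-token rotation, and a check for the Bearer header on incoming SCIM calls. The client credentials, the in-memory token stores and the redirect URI are constructed placeholders.

```python
import hmac
import secrets
import time
# Constructed placeholder client registration for Okta; not real Okta values.
CLIENTS = {"okta-client-id": "okta-client-secret"}
_codes = {}    # authorization code -> (client_id, redirect_uri, expiry)
_access = {}   # access token -> (client_id, expiry)
_refresh = {}  # refresh token -> client_id

def issue_code(client_id, redirect_uri, ttl=600):
    """Code the /authorize step hands back to Okta after the user consents."""
    code = secrets.token_urlsafe(24)
    _codes[code] = (client_id, redirect_uri, time.time() + ttl)
    return code
def _authenticate_client(client_id, client_secret):
    expected = CLIENTS.get(client_id)  # constant-time compare of the shared secret
    return expected is not None and hmac.compare_digest(
        expected.encode(), (client_secret or "").encode())
def _issue_tokens(client_id, ttl=3600):
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[access] = (client_id, time.time() + ttl)
    _refresh[refresh] = client_id
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ttl, "refresh_token": refresh}
def token_endpoint(form, client_id, client_secret):
    """RFC 6749 token endpoint: authenticate the client, then process the grant."""
    if not _authenticate_client(client_id, client_secret):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        entry = _codes.pop(form.get("code"), None)  # pop: a code is single-use
        if entry is None:
            return {"error": "invalid_grant"}
        code_client, redirect_uri, expiry = entry
        if (code_client != client_id or redirect_uri != form.get("redirect_uri")
                or time.time() > expiry):
            return {"error": "invalid_grant"}
        return _issue_tokens(client_id)
    if grant == "refresh_token":
        owner = _refresh.pop(form.get("refresh_token"), None)  # rotate on use
        if owner != client_id:
            return {"error": "invalid_grant"}
        return _issue_tokens(client_id)
    return {"error": "unsupported_grant_type"}
def scim_request_allowed(authorization_header):
    """Validate the Authorization: Bearer header Okta sends on every SCIM call."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    entry = _access.get(authorization_header[len("Bearer "):])
    return entry is not None and time.time() < entry[1]
```

The expiry check on the access token is what makes the refresh grant matter: once it lapses, Okta must redeem the refresh token to keep provisioning calls flowing.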

Hi @dragos

Does the server need to provide a Client ID and Client Secret per Okta tenant, or will it be used for all tenants in Okta?

Thanks