OAuth Authentication for SCIM Provisioning



The Authentication section of the SCIM Provisioning documentation contains the following regarding OAuth 2.0 Authorization Code Grant Flow:

After a user successfully authorizes Okta using OAuth 2.0, the authorization server of your app will redirect the user back to Okta with either an authorization code or access token.

RFC 6749 - Authorization Code Grant indicates the client (i.e. Okta) passes the authorization code and authenticate in order to get the access code:

(D) The client requests an access token from the authorization
server’s token endpoint by including the authorization code
received in the previous step. When making the request, the
client authenticates with the authorization server. The client
includes the redirection URI used to obtain the authorization
code for verification.

If my authorization server returns an authorization code to Okta

  1. How would Okta authenticate with my authorization server when requesting the access token? What credentials are required between Okta (client) and my authorization server?

  2. Are refresh tokens supported when using OAuth 2.0 for SCIM provisioning?

Thank you in advance for your time,



In my original posting above, is Okta acting as an OAuth client ? If true, how does Okta authenticate with my own authorization server?