Okta Authentication in webapi .net without Authorization Server Id

Hi everyone! I have this scenario:

In my organization we don’t have any authorization servers, the default one is disabled. And I need to authenticate to my web api, I’m using the official Okta package, but I read in the documentation that the authorization server id is set to default as “default” and I need it to be null or if the issuer can be something like: “https://domain.okta.com”. Any idea or solution? Thanks!

Hello,

All Okta Orgs will have the Org Authorization Server.
Orgs that also have the API Access Management License will have the ability to create custom authorization servers and be given a preconfigured one named ‘default’.

Differences between the authorization servers are defined here.
It may be possible that your application can use the Org authorization server if the only token that needs to be verified is the id_token, and no custom scopes/claims are needed.

Our own WebAPI SDK does NOT support using the Org Authorization Server. See notes in the readme about this:

Note: The Org Authorization Server is not supported for Web API because the access token issued by this Authorization Server cannot be validated by your own application. Check out the Okta documentation to learn more.

Your Web API will need to complete some form of token validation. Our SDK is attempting to do JWT token validation locally, by checking the claims and signature of the token to see if it’s still valid.

If you cannot use a custom authorization server (which is required in order to complete local token validation, as covered here), then your only option is remote token validation: sending the Access Token back to the /introspect endpoint to see if it’s still valid.

As you might expect, this will introduce some latency, so you may want to configure getting the API Access Management license if you are unable to use any custom authorization servers (including the one confusingly named “default”).
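The remote validation described in the answer above, written out as an added example for an ASP.NET Core Web API (this is not the Okta SDK's code and not code from the thread). It posts each bearer token to the Org Authorization Server's `/oauth2/v1/introspect` endpoint, which takes no authorization server id in its path, and rejects the request unless Okta reports the token as `active`. The configuration keys `Okta:Domain`, `Okta:ClientId` and `Okta:ClientSecret`, the `/api/me` route, and the one-minute cache cap are assumptions of this example; the API is assumed to be registered in Okta as a confidential client so it can authenticate to the introspection endpoint with its own client secret.

```csharp
// Added example (not Okta SDK code): remote access-token validation against the
// Org Authorization Server's /introspect endpoint from an ASP.NET Core Web API.
// Assumed configuration keys: Okta:Domain, Okta:ClientId, Okta:ClientSecret.
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Caching.Memory;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient("okta");
builder.Services.AddMemoryCache();
builder.Services.AddSingleton<IntrospectionService>();

var app = builder.Build();

// Every request must carry a bearer token that Okta reports as active.
app.Use(async (context, next) =>
{
    var header = context.Request.Headers.Authorization.ToString();
    if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    var token = header["Bearer ".Length..].Trim();
    var introspection = context.RequestServices.GetRequiredService<IntrospectionService>();
    var result = await introspection.IntrospectAsync(token, context.RequestAborted);
    if (result is null || !result.Active)
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    context.Items["okta:sub"] = result.Sub;
    await next();
});

// Assumed route for illustration: echoes the subject Okta returned for the token.
app.MapGet("/api/me", (HttpContext ctx) => new { subject = ctx.Items["okta:sub"] });
app.Run();

sealed record IntrospectionResult(bool Active, string? Sub, long? Exp);

sealed class IntrospectionService
{
    private readonly IHttpClientFactory _clients;
    private readonly IMemoryCache _cache;
    private readonly string _introspectUrl;
    private readonly string _clientId;
    private readonly string _clientSecret;

    public IntrospectionService(IHttpClientFactory clients, IMemoryCache cache, IConfiguration config)
    {
        _clients = clients;
        _cache = cache;
        // Org Authorization Server endpoint: the issuer is the bare org URL, so there
        // is no authorization server id segment in the path.
        _introspectUrl = $"https://{config["Okta:Domain"]}/oauth2/v1/introspect";
        _clientId = config["Okta:ClientId"]!;
        _clientSecret = config["Okta:ClientSecret"]!;
    }

    public async Task<IntrospectionResult?> IntrospectAsync(string token, CancellationToken ct)
    {
        // Cache by a hash of the token, never the token itself, so repeated calls do not
        // each pay the round trip and bearer tokens are not held in clear text.
        var key = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
        if (_cache.TryGetValue(key, out IntrospectionResult? cached)) return cached;

        using var request = new HttpRequestMessage(HttpMethod.Post, _introspectUrl);
        // client_secret_basic: the API authenticates itself to the introspection endpoint.
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}")));
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = token,
            ["token_type_hint"] = "access_token",
        });

        using var response = await _clients.CreateClient("okta").SendAsync(request, ct);
        if (!response.IsSuccessStatusCode) return null; // treat transport errors as "not validated"

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
        var root = doc.RootElement;
        var active = root.TryGetProperty("active", out var a) && a.GetBoolean();
        var sub = root.TryGetProperty("sub", out var s) ? s.GetString() : null;
        long? exp = root.TryGetProperty("exp", out var e) ? e.GetInt64() : null;
        var result = new IntrospectionResult(active, sub, exp);

        // Cache only positive answers, and never past the token's own expiry; the
        // one-minute cap bounds how long a revoked token stays accepted.
        if (active)
        {
            var ttl = exp is long expUnix
                ? DateTimeOffset.FromUnixTimeSeconds(expUnix) - DateTimeOffset.UtcNow
                : TimeSpan.FromMinutes(1);
            if (ttl > TimeSpan.FromMinutes(1)) ttl = TimeSpan.FromMinutes(1);
            if (ttl > TimeSpan.Zero) _cache.Set(key, result, ttl);
        }
        return result;
    }
}
```

The cache is the trade-off the answer points at: without it every request costs a round trip to Okta, with it a revoked token is still accepted until its cache entry expires, so the cap should be chosen against how quickly revocation must take effect. Negative results and transport failures are deliberately not cached, so a transient Okta outage fails closed rather than locking a caller out for the cache lifetime.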
