We are using Okta as the universal authentication/SSO solution while implementing our API-based solutions on Azure. The approach for API security is to utilise OAuth 2 & OIDC, which means either using Okta (i.e. API Access Management) or Active Directory as the OAuth2 authorisation server that gets configured in our API gateway.
- Are there any significant pros and cons for these two options?
- If choosing the AD option, is it possible to delegate authentication to Okta, i.e. the client requests the set of privileges from AD, and AD hands over control to Okta to retrieve the ID token before regaining control and issuing the access/refresh tokens?
On top of that, I have another question regarding RBAC. Even though our users are typically statically assigned to groups, it is sometimes necessary to temporarily elevate group membership for users (e.g. because senior staff are off sick).
Pushing this process through the central Okta user directory takes too long, hence we are considering building a custom component which manages the group assignment of our users (in an app-specific fashion). I am not sure how such custom claims could be injected into existing ID tokens which have been generated/signed previously by Okta.
- Is there any recommendation on how to operationalise that, either within Okta or outside of it?
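The following is an added example, not part of the original question and not Okta or Azure code. It shows the two mechanics behind the RBAC part of the question: that a claim cannot be edited into a token that an IdP has already signed (the signature no longer verifies), and one generic pattern for app-specific temporary elevation, where the application mints its own short-lived, separately keyed "elevation" assertion and its authorisation check unions those groups with the IdP's groups at request time. HS256 with constructed keys is used so the example runs with the Python standard library only; Okta actually issues RS256 tokens verified against its published JWKS. The issuer URL, audience `payments-api`, the key values and the user/group names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for the example; a real IdP token is RS256-signed and verified via JWKS.
IDP_KEY = b"constructed-idp-signing-key"
APP_KEY = b"constructed-app-elevation-key"
APP_AUDIENCE = "payments-api"  # hypothetical API name


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims, key):
    """Build a compact HS256 JWS over the given claims."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now=None):
    """Return the claims if signature, alg and exp check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse alg confusion ("none", RS256 with HMAC key)
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def tamper_groups(token, extra_groups):
    """Edit the groups claim in the payload but keep the original signature (what 'injecting' a claim would be)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["groups"] = claims.get("groups", []) + extra_groups
    return h + "." + _b64url(_json(claims)) + "." + s


def mint_elevation_token(idp_claims, elevated_groups, app_key, ttl_seconds, now):
    """App-issued, short-lived assertion bound to the IdP subject; signed with the app's own key, not the IdP's."""
    return sign_jwt({
        "iss": "https://payments-api.example.internal",  # constructed issuer for the app component
        "sub": idp_claims["sub"],
        "aud": APP_AUDIENCE,
        "groups": sorted(set(elevated_groups)),
        "iat": now,
        "exp": now + ttl_seconds,
    }, app_key)


def effective_groups(idp_token, idp_key, elevation_token, app_key, now):
    """Authorisation-time view: IdP groups plus any still-valid elevation for the same subject."""
    idp = verify_jwt(idp_token, idp_key, now)
    if idp is None:
        return None  # no valid IdP identity, no access regardless of elevation
    groups = set(idp.get("groups", []))
    if elevation_token:
        elev = verify_jwt(elevation_token, app_key, now)
        if elev is not None and elev.get("sub") == idp["sub"] and elev.get("aud") == APP_AUDIENCE:
            groups |= set(elev.get("groups", []))
    return sorted(groups)


if __name__ == "__main__":
    now = 1_700_000_000
    idp_tok = sign_jwt({"iss": "https://example.okta.com/oauth2/default", "sub": "alice",
                        "aud": APP_AUDIENCE, "groups": ["analysts"],
                        "iat": now, "exp": now + 24 * 3600}, IDP_KEY)
    print("tampered token verifies:", verify_jwt(tamper_groups(idp_tok, ["approvers"]), IDP_KEY, now) is not None)
    elev = mint_elevation_token(verify_jwt(idp_tok, IDP_KEY, now), ["approvers"], APP_KEY, 8 * 3600, now)
    print("groups now:", effective_groups(idp_tok, IDP_KEY, elev, APP_KEY, now))
    print("groups after 9h:", effective_groups(idp_tok, IDP_KEY, elev, APP_KEY, now + 9 * 3600))
```

The elevation token is deliberately signed with a key the IdP never sees, so the API gateway keeps validating Okta tokens exactly as before and the app component only ever adds groups for a subject Okta has already authenticated; revoking the elevation is just letting the short TTL lapse or keeping a denylist of its `jti` in the app component.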