Protect custom application API using only OAuth2


We have custom APIs built for our application. We want external customers to access these APIs through OAuth2. Since this will be machine-to-machine communication, we do NOT want to use OpenID Connect for this.

How can we protect custom APIs using ONLY OAuth2 in Okta for the various external partners?

Please help.


It sounds like you’ll want to use the Client Credentials flow, in which case I would recommend creating individual applications (OIDC Service Apps) within your Okta org for each customer/partner. They will then use the Client ID/Secret for this application to get tokens from Okta that can be used as authorization to your API.

Your API would then validate the token, both to ensure it is unexpired, the signing key matches an expected value, and that it contains the expected information, and grant them access to your APIs accordingly. Since each partner would have their own application, your APIs could use that information (stored within the token claims, such as how the client ID will be available in the sub claim by default) to determine the appropriate access for each partner.
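The API-side checks described in the answer above, as an added example in Go that is not part of the original thread and is not Okta's code. The issuer, audience, key ID, partner client IDs and the per-partner policy map are all hypothetical, and MintToken plus a locally generated RSA key stand in for the Okta token endpoint so the example runs offline; against a real org the API would instead fetch the public keys from the authorization server's JWKS endpoint (or use one of Okta's JWT verifier libraries) and keep no private key at all. What the code shows is the order of checks a resource server needs before it trusts anything in the token: pin the algorithm, verify the signature against a key it already trusts, then check iss, aud and exp, and only then read sub to decide what that partner may do.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hypothetical values: Issuer stands in for the org's Okta authorization server, Audience for the custom API.
const Issuer, Audience = "https://example.okta.com/oauth2/default", "api://partners"

// Claims: the access token fields the API relies on; for client-credentials tokens Okta puts the client ID in sub.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// PartnerPolicy maps each partner's client ID (hypothetical IDs) to the operations it may call.
var PartnerPolicy = map[string]map[string]bool{
	"0oa-partner-a": {"orders:read": true},
	"0oa-partner-b": {"orders:read": true, "orders:write": true},
}

var enc = base64.RawURLEncoding

// NewSigningKey makes a throwaway RSA key so the example runs offline (in production the private key never leaves Okta).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintToken stands in for the Okta token endpoint: an RS256-signed JWT for clientID, valid for ttl seconds.
func MintToken(key *rsa.PrivateKey, kid, clientID, issuer, audience string, now time.Time, ttl int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(Claims{Iss: issuer, Aud: audience, Sub: clientID, Exp: now.Unix() + ttl})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyAccessToken is the API-side check: pin the algorithm, verify the signature with the trusted
// key named by kid, then check issuer, audience and expiry. Claims come back only if every check passes.
func VerifyAccessToken(tok string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm ("none", HS256 key confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if pub := keys[hdr.Kid]; pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("no trusted key for kid %q or signature does not verify", hdr.Kid)
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not issued for this API (aud %q)", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Authorize grants the operation only if the policy for the calling client (sub) allows it.
func Authorize(c *Claims, operation string) bool { return PartnerPolicy[c.Sub][operation] }

func main() {
	key, _ := NewSigningKey()
	tok, _ := MintToken(key, "key-1", "0oa-partner-a", Issuer, Audience, time.Now(), 3600)
	c, err := VerifyAccessToken(tok, map[string]*rsa.PublicKey{"key-1": &key.PublicKey}, Issuer, Audience, time.Now())
	fmt.Println("verify error:", err, "| orders:read allowed:", err == nil && Authorize(c, "orders:read"))
}
```

The signature and kid checks are collapsed into one failure so the API does not tell a caller which of the two went wrong; the audience check matters because tokens the same Okta org issues for a different resource server are otherwise valid signed tokens, and the fixed expiry check plus a short token lifetime is what bounds the damage if a partner's client secret leaks.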