Which App type am I making?

I am making a “SaaS Management Tool” that allows you to connect to various apps and list users. In a way, it can be said to be tiny subset of Okta features.

I have a client who wants an Okta integration, so I am trying to figure out how I can make that possible. For other apps like Github, I offer a “connect” button that opens Github’s OAuth2 login screen, grants access and I can then ask the Github API about the users in the organization. I am not sure how (if?) I can do something similar with Okta. I tried creating an “API services” app in the admin app, but if I try to access the auth endpoint I am told that “Clients with ‘application_type’ of ‘service’ are not allowed to access the ‘authorize’ endpoint.”. So I am guessing that is not the right approach.

My question is: is it possible to create an app that people can use like this, and if so, how?

It sounds like in this integration Okta will not be used as an IdP to your application where multiple users from an Okta will login to your application authenticating against Okta. Rather you are looking for an integration where your application can query an Okta Org for things like applications installed, users, etc?

If the above is true there are 3 ways I can think (least secure to most)

  • use an API Token
  • use a service App like you are to do an OAuth2 Client Credentials flows. (note in this flow there is no user context associated with it, so no authorize would be done. Rather permissions would be granted based off of the applications allowed scopes)
  • use the OAuth2 authorization code flow which requires a user to authorize. In addition to having a user context the application used needs to allow the correct scopes to make the calls into Okta, as well as the user who does the authorization needs to also have the correct permissions to allow those scopes (Appropriate Admin group/role)
1 Like

Thank you for responding, Erik!
You are correct, and your third option sounds like my preference.

I am a bit confused as to how I set it up. Can you guide me to a place in the documentation that tells me how to do this?