Whitelisting applications who access OpenID API

Hello, I'm using Okta to protect a RESTful API using OpenID. This works well for authenticated users. I need to take the next step of further protecting the API and restrict consuming applications.

I want to achieve a flow where the calling application must be validated as an approved consumer of the API regardless of a successful authentication of the user. I can then apply thresholds, CORS policy, etc.

I'm asking in this forum because I'm looking for a best-practices implementation within an Okta ecosystem (though I do not expect this to be an Okta solution). My first thought is to implement an application API key that is used in ADDITION TO the bearer token, i.e. another header. Since API keys have received a bad reputation, I want to ensure that there hasn't been a more standard way patterned to achieve this use case. For instance, 3rd-party API modules, API documentation generators, etc. have all created solutions based upon assumed standards, and I want to conform to those rigid or casual standards if possible.

Again, I basically want to approve the calling application in addition to OpenID. I would likely implement all the logic to do this in my API (versus any Okta work). I'm just looking for a link to or guidance on the proper pattern.

Silviu Muraru (Okta, Inc.)
Hi, Chris!

The API Access Management feature (https://developer.okta.com/use_cases/api_access_management/) can be used to secure the Web API. Essentially, an app would request an access token along with the id token (used for authentication) for a user, which will be sent in each request as a bearer token in the Authorization header. The Web API will read the access token from the response header, validate it (https://developer.okta.com/standards/OAuth/#validating-access-tokens) and send the response based on the permissions (scopes) in the access token.

Silviu Muraru
Technical Support Engineer | Okta
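The pattern the answer describes, worked through as an added example (editor's code, not from the thread and not an Okta SDK): the API validates the bearer access token (signature, issuer, audience, expiry) and then authorizes on the token's contents. It also shows one way to meet the question's "approve the calling application" requirement without a second API-key header: Okta access tokens carry the requesting client's id in a `cid` claim and the granted scopes in `scp`, so the API can keep an allowlist of approved client ids and check it after the token is validated. Everything concrete here is constructed or assumed: the issuer and audience URLs, the approved client id, and the HS256 secret, which stands in for Okta's RS256 signature and JWKS lookup so the example runs offline. In production, verify the signature against the authorization server's published keys as the linked validation doc describes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration for the example; substitute your authorization server's values.
ISSUER = "https://example.okta.com/oauth2/default"   # placeholder issuer URL
AUDIENCE = "api://example-orders"                    # placeholder audience
APPROVED_CLIENTS = {"0oa-approved-app"}              # constructed allowlist of client ids
# Stand-in symmetric key. Okta signs access tokens with RS256 and publishes the public
# keys at its JWKS endpoint; an HS256 secret is used here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT: a test helper standing in for the Okta-issued access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_access_token(token: str, now=None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out; else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token tell the verifier which algorithm to use.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize_request(auth_header: str, required_scopes: set, now=None):
    """Decide whether a request may call an endpoint; returns (allowed, reason).

    Order of checks: bearer token present, token valid, calling application on the
    allowlist (claim `cid`), then every required scope granted (claim `scp`).
    """
    if not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = validate_access_token(auth_header[len("Bearer "):], now=now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    if claims.get("cid") not in APPROVED_CLIENTS:
        return False, "client not approved"
    granted = set(claims.get("scp", []))
    missing = required_scopes - granted
    if missing:
        return False, "missing scopes: " + ",".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    # Constructed token for a user of an approved application with a read scope.
    token = make_token({"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 3600,
                        "cid": "0oa-approved-app", "sub": "user@example.test",
                        "scp": ["orders:read"]})
    print(authorize_request("Bearer " + token, {"orders:read"}))   # (True, 'ok')
    print(authorize_request("Bearer " + token, {"orders:write"}))  # missing scope
```

The client allowlist is deliberately checked only after the signature check succeeds, so a forged `cid` can never be trusted; the same ordering applies to any additional per-application policy (rate thresholds, CORS origins) the question mentions, which should be keyed off the validated `cid` rather than off a header the caller controls.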