Whitelisting applications who access OpenID API

Okta Admin

Hello, I'm using Okta to protect a RESTful API using OpenID. This works well for authenticated users. I need to take the next step of further protecting the API and restricting consuming applications.

I want to achieve a flow where the calling application must be validated as an approved consumer of the API regardless of a successful authentication of the user. I can then apply thresholds, CORS policy, etc.

I'm asking in this forum because I'm looking for a best-practices implementation within an Okta ecosystem (though I do not expect this to be an Okta solution). My first thought is to implement an application API key that is used in ADDITION TO the bearer token, as another header. Since API keys have received a bad reputation, I want to ensure that there isn't a more standard way patterned to achieve this use case. For instance, 3rd-party API modules, API documentation generators, etc. have all created solutions based upon assumed standards, and I want to conform to those rigid or casual standards if possible.

Again, I basically want to approve the calling application in addition to OpenID. I would likely implement all the logic to do this in my API (versus any Okta work). I'm just looking for a link to, or guidance on, the proper pattern.

Silviu Muraru (Okta, Inc.)
Hi, Chris!

The API Access Management feature (https://developer.okta.com/use_cases/api_access_management/) can be used to secure the Web API. Essentially, an app would request an access token along with the ID token (used for authentication) for a user; the access token is then sent in each request as a bearer token in the Authorization header. The Web API will read the access token from the response header, validate it (https://developer.okta.com/standards/OAuth/#validating-access-tokens) and send the response based on the permissions (scopes) in the access token.

Silviu Muraru
Technical Support Engineer | Okta
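The pattern the answer describes, carried through as an added example (not Okta's code and not part of the original thread): the API validates the bearer access token first, then looks up the calling application in an allow-list keyed by the token's client ID (`cid`) and checks the granted scopes (`scp`) against what that client is approved for, so an unlisted app is rejected even when the user is authenticated. The issuer, audience, client IDs and secret below are constructed placeholders; the token is HS256-signed with a shared secret so the example runs offline, whereas a real Okta access token is RS256-signed and verified against the authorization server's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not real Okta identifiers).
DEMO_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://example.okta.com/oauth2/default"   # assumed authorization server
AUDIENCE = "api://orders"                             # assumed API audience
FIXED_NOW = 1_700_000_000                             # fixed clock for the fixtures

# Allow-list of approved consuming applications, keyed by OAuth client ID.
# Okta carries the client ID in the access token's `cid` claim; each entry
# lists the scopes that client is approved to use against this API.
APPROVED_CLIENTS = {
    "0oa1mobileapp000000": {"orders:read"},
    "0oa2partnerapp00000": {"orders:read", "orders:write"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT for the fixtures (test helper, not production code)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_demo_token(**overrides) -> str:
    """Authorization header value for a valid user token; overrides alter one claim."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "chris@example.com",
              "cid": "0oa1mobileapp000000", "scp": ["orders:read"],
              "exp": FIXED_NOW + 3600}
    claims.update(overrides)
    return "Bearer " + mint_test_token(claims)


def verify_access_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize_request(authorization_header: str, required_scope: str, now=None):
    """Return (allowed, reason): user token first, then the application allow-list."""
    if not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_access_token(authorization_header[len("Bearer "):], now=now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    client_id = claims.get("cid")
    if client_id not in APPROVED_CLIENTS:
        return False, f"client {client_id!r} is not an approved consumer"
    # Effective scopes: what the token grants AND what this client is approved for.
    granted = set(claims.get("scp", [])) & APPROVED_CLIENTS[client_id]
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted to client {client_id!r}"
    return True, f"ok: user {claims.get('sub')} via client {client_id}"


if __name__ == "__main__":
    for label, header, scope in [
        ("approved app, read", make_demo_token(), "orders:read"),
        ("unlisted app", make_demo_token(cid="0oa9unknownapp00000"), "orders:read"),
        ("approved app, unapproved write", make_demo_token(scp=["orders:read", "orders:write"]), "orders:write"),
    ]:
        print(label, "->", authorize_request(header, scope, now=FIXED_NOW))
```

Because the client ID travels inside the signed access token, the allow-list check needs no extra API-key header: the application identity is already bound to the user's token by the authorization server's signature, which is what makes this approach preferable to a second, unsigned credential.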