API Token - Access Restriction Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Pascal DemersPascal Demers 

API Token - Access Restriction

We have integrated OKTA authentication in our own JAVA web application (using SAML). 

We also needed to do username/password verification from within our application (certain operation require user confirmation/signature). We did so using the AuthApiClient which, from our understanding, requires an API Token. That being said, a customer of ours that is using OKTA had some concerns because it seems that, upon conversation with OKTA, once a Token is created, it could be used to access any of it's app.  Is this a valid concern? If so, is there a way to work around it?

From my understanding, a token gets the permissions based on the user that has created it. Could this help with the current situation? Would there be a way to limit what this token could access (only user authentication mainly) with this, or with some rules or policies from within OKTA? 

Thomas KirkThomas Kirk (Okta, Inc.)

First, the Authentication API does not require an API Token. If you are looking for a customizable HTML form option, then you should take a look at the Okta Sign-In Widget, a JS/HTML based Okta Authentication API solution. It is a lightweight library that quickly can be used to authenticate users against your Okta org. See here: http://developer.okta.com/code/javascript/okta_sign-in_widget.html

Second,  just for clarification, the API token does take on the permissions of the user that created it. If a SU creates an API token, then the token will have SU permissions. If an App Admin creates a token it will have SU permissions.


Pascal DemersPascal Demers

Thanks for the answer.

Sorry if I sounded "lost", I'm not the person who originally worked on the project and I'm trying to piece it all together.  From what I can see, we are using SAML for the authentication between OKTA and our JAVA Web Application.  This works fine (and does not seem to require the API Token).

Where we are using the token is for the user authentication that have to be done for specific operations from within our application (user have to confirm the operation by entering their username/pwd which needs to be validated in order for the operation to be completed). 

For this, we have used the com.okta.sdk.clients.AuthApiClient java object. An ApiClientConfiguration object (that requires a base url and an api token) is sent to the AuthApiClient's constructor and user authentication is done by calling authClient.authenticate(...). 

Would the AuthApiClient be able to authenticate the users without the need for the API Token?

Or, assuming this could not be changed, would there be a simple way to prevent the token to have access to other apps (with rules or policies or a very specific user created solely for this purpose and who would then create the API Token )? What would you recommend?