Okta API Access Management
Okta Classic Engine

Do I need API Access Management?

Okta enables customers to accomplish authentication and advanced authorization use cases, depending on whether only Single Sign-On (SSO) is enabled in their Okta org or both SSO and API Access Management are enabled. This document outlines the differences between these features and the use cases each enables.
 

                         Authorization server                      Enables authentication   Enables authorized access    Add-on to be
                                                                   for your app             to non-Okta APIs used        purchased
                                                                                            by your app
SSO                      https://example.okta.com                  Yes                      No                           No
API Access Management    https://example.okta.com/oauth2/default   Yes                      Yes                          Yes


User Authentication with Single Sign-On (SSO)

Single sign-on enables end users to authenticate into an application and access their account. Okta is a certified OpenID Connect provider and leverages this protocol to enable user authentication and single sign-on (SSO) functionality.

Use Case

  • For developers, SSO enables using Okta as an identity provider to authenticate users based on their credentials and, optionally, MFA. This lets developers protect their custom applications with application-specific or even group-specific sign-on policies.

This use case is powered by the Org Authorization Server:

https://example.okta.com

The tokens generated by this Org Authorization Server (AS) are ID tokens, access tokens, and refresh tokens. The ID token is for an app to consume as information about a user's identity. The access token is for the app to send to Okta's OpenID Connect-compliant userinfo endpoint. These access tokens cannot be used to access any other APIs, whether Okta's or your own, because you cannot validate them locally on your own server.

Does my Okta org have SSO functionality?
Every Integrator Free Plan org, API Products org, and IT SSO org has Single Sign On supporting OpenID Connect out of the box.


API Access Management

Just as Okta serves as a single point of control for provisioning, sign-on, and deprovisioning for your applications, it can do the same for your APIs with API Access Management.
Okta's API Access Management lets you secure your APIs with Custom Authorization Servers; custom scopes and claims; policies and rules that determine who can access your API resources; and centralized logging, regardless of which API gateway you use, whether on-prem or in the cloud, and of the languages and frameworks you build with.

Use Cases

  • Control API access for a variety of consumers: vendors, employees, and customers, for example.

    • For example, authenticate customers into an energy management app and authorize limited access to the billing API (so users can view only their own bill).

  • Create Custom Authorization Servers, hosted on Okta. Custom Authorization Servers make it easier to manage sets of API access for multiple client apps across many customer types.

  • Control complex business requirements with policies and rules. You control the ordering and relationships.

  • Manage API access with rules. Specifying the conditions under which actions are taken gives you precise and confident control over your APIs.

  • Create custom scopes and claims. Map your claims to the profiles in your user directory. Tokens are passed instead of credentials. In addition, the JWT tokens carry payloads for user context.

These use cases are powered by Custom Authorization Servers, which can be created once API Access Management is enabled in the org:

https://example.okta.com/oauth2/default

The tokens generated by this Custom AS are ID tokens, access tokens, and refresh tokens. As with SSO and the Org Authorization Server, the ID token is for an app to consume as information about a user's identity. The access token issued by this server is for the app to send to your own resource server to interact with custom (non-Okta) APIs.


Does my Okta org have API Access Management?

API Access Management is included with all Integrator Free Plan orgs. For all other SKUs, if you intend to use API Access Management in production, you must purchase it as an add-on. You can learn more in Plans & pricing.


FAQs

Why does Okta include API Access Management in Integrator Free Plan Orgs?
We included it to allow developers to explore our access management capabilities on their own and through our various developer samples.
 

Why do Okta tutorials point to the API Access Management Authorization Server?
An API Access Management Authorization Server generates ID tokens for OIDC apps (just like the Org AS, but with a different issuer) and access tokens for custom APIs. Okta tutorials are designed to emphasize the full functionality available to developers, which includes using API Access Management to protect their custom APIs.
 

I rely on a preview org to test functionality before going into production. Does API Access Management on my preview org affect my use?
No. Rate limits, user counts, and configurations used within your production or preview org do not influence the other. They are entirely separate in every way.
 

Where do I go for help?
