Add IP Allowlist for Okta OAuth API Service App
Okta Identity Engine
Administration
Overview

This article explains how to configure an IP allowlist for an Okta Open Authorization (OAuth) API service app.

Applies To
  • OAuth API Service App
  • Okta Identity Engine (OIE)
  • Network Zones
  • Access Policies
Solution
  1. In the Admin Console, go to Security > Networks.
  2. Click Add Zone > IP Zone.
  3. Enter a name for the zone.
  4. Enter the specific IP addresses of the API service.
  5. Go to Applications > Applications and select the OAuth service application.
  6. Select the General tab.
  7. In the General Settings section, select Edit.
  8. In the Allowed Grant Types section, ensure Client Credentials is selected.
  9. In the Client IP Restriction section, configure the application to trust the proxy, if applicable. If the application calls directly, this step ensures the IP address is correctly evaluated in the next step.
  10. Go to Security > Authentication > Sign On.
  11. Select the Global Session Policy tab (or Okta Sign-On Policy).
  12. Create a new policy.
  13. Assign this policy to the group that contains the service account.
  14. Create a rule with the following settings:

    • Rule Name: Enter a name for the rule.

    • User's IP: Select In Zone and select the network zone created earlier.

    • Access: Select Allowed or Prompt for Factor.
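
A pre-flight check for the address list entered in step 4, as an added example that is not part of the original article or of Okta's tooling: it validates each entry, flags overly broad or internal ranges, and confirms that the service's known egress addresses fall inside the zone. The accepted entry formats (single IP, CIDR, first-last range), the 256-address threshold, the function names and the sample addresses are assumptions.

```python
import ipaddress

MAX_ADDRESSES = 256  # assumed review threshold, not an Okta limit
# Ranges a cloud service never sees as a caller's source address.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_entry(entry):
    """Return the networks covered by one entry: single IP, CIDR, or first-last range."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry)]  # strict: rejects CIDRs with host bits set


def review_zone(entries, expected_sources):
    """Return findings for a proposed IP zone; an empty list means no issues found."""
    networks, findings = [], []
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError) as exc:
            findings.append(f"invalid {entry!r}: {exc}")
            continue
        size = sum(n.num_addresses for n in nets)
        if size > MAX_ADDRESSES:
            findings.append(f"broad {entry!r}: {size} addresses")
        if any(n.overlaps(i) for n in nets for i in INTERNAL):
            findings.append(f"internal {entry!r}: not a public source address")
        networks.extend(nets)
    for src in expected_sources:
        if not any(ipaddress.ip_address(src) in n for n in networks):
            findings.append(f"uncovered {src}: calls from this address fall outside the zone")
    return findings


if __name__ == "__main__":
    # Constructed sample data (documentation ranges, not real service addresses).
    proposed = ["203.0.113.10", "198.51.100.0/28", "192.0.2.5-192.0.2.9",
                "10.1.2.3", "203.0.113.0/16"]
    egress = ["203.0.113.10", "198.51.100.14", "192.0.2.7", "192.0.2.200"]
    for finding in review_zone(proposed, egress):
        print(finding)
```

An empty result means every entry parsed, none was broad or internal, and every expected source address is covered by the zone.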

 
