
Network Restrictions for OAuth Token Endpoint

Okta Identity Engine
API Access Management

Overview

This article explains the Network Restrictions for OAuth Token Endpoint feature. When enabled, it allows a network zone restriction to be set on a per-application basis, which applies to the OAuth 2.0 token endpoints and all Okta Management API endpoints.

Applies To

  • Okta Identity Engine (OIE)
  • Network Zones
  • OAuth 2.0
  • OpenID Connect (OIDC)

Solution

Authentication Policies control access to applications based on the user's network at the time of login. By default, however, the network restrictions in these Authentication Policies apply only to user flows and not to token-related endpoints such as /token or /introspect.

Enabling the Network Restrictions for OAuth Token Endpoint feature (from Accounts > Features) makes it possible to configure network zones for OAuth 2.0/OIDC applications, which will apply network zone restrictions when:

After enabling that feature, it should be possible to apply a Network IP from within the application settings:

Network IP
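
A pre-enablement check that could accompany this feature, as an added example that is not part of the Okta article or Okta's own code: it replays observed callers of the token-related endpoints against the zone planned for each application and lists the calls that would fall outside it. The record format, client IDs, request paths, CIDR ranges and function names are constructed assumptions, and counting an unparseable source address as outside the zone is a choice made here.

```python
import ipaddress
from collections import Counter

# Token-related endpoints named in the article; all other paths are out of scope.
TOKEN_PATHS = ("/token", "/introspect")

# Planned per-application zones (constructed placeholders, documentation ranges).
PLANNED_ZONES = {
    "app-batch-client": ["203.0.113.0/24", "2001:db8:10::/48"],
    "app-mobile-backend": ["198.51.100.16/28"],
}

# Constructed request records: (client_id, request path, source IP).
SAMPLE_REQUESTS = [
    ("app-batch-client", "/oauth2/v1/token", "203.0.113.45"),
    ("app-batch-client", "/oauth2/v1/token", "192.0.2.77"),
    ("app-batch-client", "/oauth2/v1/introspect", "2001:db8:10:1::5"),
    ("app-mobile-backend", "/oauth2/v1/token", "198.51.100.40"),
    ("app-mobile-backend", "/oauth2/v1/authorize", "192.0.2.9"),
    ("app-unzoned", "/oauth2/v1/token", "192.0.2.200"),
    ("app-batch-client", "/oauth2/v1/token", "not-an-ip"),
]

def in_zone(ip_text, cidrs):
    """True if ip_text parses and lies inside any CIDR; bad input counts as outside."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return any(ip.version == n.version and ip in n for n in nets)

def would_be_denied(requests, zones):
    """Return token-endpoint calls that the planned per-app zone would reject."""
    denied = []
    for client_id, path, src_ip in requests:
        if not path.endswith(TOKEN_PATHS):
            continue  # user flows remain under the Authentication Policy
        cidrs = zones.get(client_id)
        if cidrs is None:
            continue  # no zone planned for this application
        if not in_zone(src_ip, cidrs):
            denied.append((client_id, path, src_ip))
    return denied

def denied_per_app(requests, zones):
    """Count would-be denials per application to size the impact before rollout."""
    return dict(Counter(c for c, _, _ in would_be_denied(requests, zones)))

if __name__ == "__main__":
    for row in would_be_denied(SAMPLE_REQUESTS, PLANNED_ZONES):
        print("would be denied:", row)
```

Callers flagged here are either legitimate clients whose egress ranges are missing from the planned zone or token use from a network the application was never expected to call from.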
