
On-Behalf of Token Exchange Requires Use of Two Custom Authorization Servers

Okta Identity Engine
API Access Management

Overview

This article clarifies the requirements for implementing the OAuth 2.0 On-Behalf-Of (OBO) token exchange grant type and configuring custom authorization servers.

Applies To

  • API Access Management (API AM)
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • Custom Authorization Servers

Cause

The inability to configure the OBO token exchange grant type or create custom authorization servers typically occurs when an Okta tenant lacks an active API Access Management (API AM) license.

Solution

To use the On-Behalf-Of Token Exchange grant type and create Custom Authorization Servers, the Okta tenant must have the API Access Management (API AM) license enabled. If this feature is not currently active, Okta administrators should reach out to their Okta Account Executive to discuss adding API Access Management to their subscription plan.

Once the API AM license is active, administrators can configure the necessary trust relationships. The On-Behalf-Of token exchange setup strictly requires two custom authorization servers: one that issues the subject token, and a second, target server that is configured to trust the first.
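The following is an added illustration, not code from the article or from Okta. It shows the shape of an RFC 8693 token-exchange request to the target server and the trust check that setup implies: the subject token must be issued by the authorization server the target trusts, and must not be expired. The issuer URLs and the trust table are constructed placeholders; a real deployment verifies the token signature against the issuer's JWKS before this policy check.

```python
"""Trust check between two custom authorization servers (added example).

Assumed layout: server A issues the subject token, server B is the target
that trusts A, and the exchange request follows RFC 8693.
"""
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Placeholder issuer URLs in Okta's custom-authorization-server form.
SERVER_A = "https://example.okta.com/oauth2/server-a-id"
SERVER_B = "https://example.okta.com/oauth2/server-b-id"

# Constructed trust table: target server -> issuers whose tokens it accepts.
TRUSTED_ISSUERS = {SERVER_B: {SERVER_A}}


def build_exchange_body(subject_token, audience, scope):
    """Form-encoded body of the token-exchange request sent to server B."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    })


def jwt_claims(token):
    """Decode the payload segment of a JWT (signature is checked elsewhere)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def subject_token_accepted(target_issuer, token, now=None):
    """Policy check run after signature verification: the subject token must
    come from an issuer the target server trusts and must not be expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS.get(target_issuer, set()):
        return False
    return claims.get("exp", 0) > now


def make_sample_token(claims):
    """Constructed sample token for local testing; the signature segment is a
    placeholder, real Okta tokens are RS256-signed."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"
```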

Okta Support - On-Behalf of Token Exchange Requires Use of Two Custom Authorization Servers