This article provides recommendations and steps for reassigning applications to a different Authorization Server within Okta. This process involves three main scenarios:
- Moving an application from a custom Authorization Server to the Org Authorization Server.
- Moving applications from the Org Authorization Server to a custom Authorization Server.
- Moving applications from one custom Authorization Server to another custom Authorization Server.
Applies To
- Okta Classic Engine
- Okta Identity Engine (OIE)
To determine which Authorization Server an application is currently using, check the System Log under Reports > System Log in the Okta Admin Console. Look for events whose eventType starts with app.oauth2.as; these events show which Authorization Server handled the application's token requests.
Moving Applications from Custom Authorization Server to Org Authorization Server
- Migrate Group Claims: Move any existing group claims from the custom Authorization Server to the application level, as the Org Authorization Server does not support custom claims.
- Check for Custom Scopes/Claims: Verify if the custom Authorization Server uses any custom scopes or claims that are not configurable on the Org Authorization Server. If so, they will not be available after the migration.
- Update Endpoints: Change the authorization endpoints in the application's source code to match the Org Authorization Server endpoints (for example, https://{OktaOrgUrl}/oauth2/v1/authorize).
- Remove Application Assignment: Navigate to Security > API > Access Policies on the custom Authorization Server and remove the application's assignment.
Moving Applications from Org Authorization Server to Custom Authorization Server
- Migrate Group Claims: Move group claims from the application level to the custom Authorization Server's claim rules.
- Configure Custom Scopes/Claims: Create and configure any necessary custom scopes and claims on the new custom Authorization Server.
- Update Endpoints: Change the authorization endpoints in the application's source code to match the new custom Authorization Server's endpoints (for example, https://{OktaOrgUrl}/oauth2/{authServerId}/v1/authorize).
- Add Application to Policy: Navigate to Security > API > Access Policies on the custom Authorization Server and add the application to the relevant policy, or choose to apply the policy to all clients.
Moving Applications from One Custom Authorization Server to Another Custom Authorization Server
- Migrate Group Claims: Move any existing group claims from the old custom Authorization Server to the new one.
- Configure Custom Scopes/Claims: Configure any custom scopes and claims on the new custom Authorization Server and then remove them from the old one.
- Update Endpoints: Change the authorization endpoints in the application's source code to match the new custom Authorization Server's endpoints.
- Remove Application from Old Server: Navigate to Security > API > Old Authorization Server > Access Policies and remove the application.
- Add Application to New Server: Navigate to Security > API > New Authorization Server > Access Policies and add the application.
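The two pieces of this procedure that are easy to get wrong are the endpoint rewrite and confirming afterwards, from the System Log, that the application really stopped calling the old server. The following added example (written for this article, not Okta code) builds the authorize endpoint from the two URL templates above, recovers the server id from an endpoint found in application config, and classifies System Log events by the app.oauth2.as prefix the article describes. The sample events are constructed; the use of actor.id for the client and a target entry of type AuthorizationServer for the server id are assumptions of this example, not documented log structure.

```python
import re
from typing import Dict, Iterable, Optional, Set

CUSTOM_AS_PREFIX = "app.oauth2.as."   # custom Authorization Server events
ORG_AS_PREFIX = "app.oauth2."         # everything else under this is the org server


def authorize_endpoint(org_url: str, auth_server_id: Optional[str] = None) -> str:
    """Authorize URL an app must use after reassignment (templates from the article)."""
    base = org_url.rstrip("/")
    if auth_server_id is None:
        return f"{base}/oauth2/v1/authorize"
    return f"{base}/oauth2/{auth_server_id}/v1/authorize"


def auth_server_id_from_endpoint(endpoint: str) -> Optional[str]:
    """Inverse of authorize_endpoint: the id between /oauth2/ and /v1/, None for the org server."""
    m = re.search(r"/oauth2/(?:([^/]+)/)?v1/", endpoint)
    if m is None:
        raise ValueError(f"not an Okta OAuth 2.0 endpoint: {endpoint}")
    return m.group(1)


def servers_seen(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each OAuth client id to the servers its token requests hit.
    Returns the custom server id for app.oauth2.as.* events and 'org' otherwise."""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        etype = ev.get("eventType", "")
        if not etype.startswith(ORG_AS_PREFIX):
            continue                          # not an OAuth 2.0 event at all
        client = ev["actor"]["id"]           # assumption: actor is the client app
        if etype.startswith(CUSTOM_AS_PREFIX):
            ids = [t["id"] for t in ev.get("target", [])
                   if t.get("type") == "AuthorizationServer"]   # assumption
            server = ids[0] if ids else "custom:unknown"
        else:
            server = "org"
        seen.setdefault(client, set()).add(server)
    return seen


def still_using(events: Iterable[dict], client_id: str, server: str) -> bool:
    """Post-migration check: does this client still produce events on `server`?"""
    return server in servers_seen(events).get(client_id, set())


SAMPLE_EVENTS = [  # constructed sample events, not real System Log output
    {"eventType": "app.oauth2.as.token.grant", "actor": {"id": "0oa1client"},
     "target": [{"type": "AuthorizationServer", "id": "ausOLD"}]},
    {"eventType": "app.oauth2.token.grant", "actor": {"id": "0oa2client"}, "target": []},
    {"eventType": "user.session.start", "actor": {"id": "00u1user"}},
]
```

Run `servers_seen` over a System Log export taken after the cutover: the migrated client should no longer appear against the old server id, and its configured endpoint should parse to the new one.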
Related References
- System Logs
- System logs event types
- Add groups claims to the org authorization server
- Add groups claims to the custom authorization server
- Request a token that contains a custom claim
- Adding custom profile attributes as claims in tokens
- Org authorization server discovery endpoints
- Default custom authorization server discovery endpoints
- Custom authorization server discovery endpoints
- Configure an access policy
