Retrieving the x5c Parameter for Microsoft External Authentication Methods Apps in Okta
Overview
Microsoft External Authentication Methods (EAM) applications require the x5c parameter from the keys endpoint. By default, Okta does not return the x5c parameter for standard applications. Append the specific application client ID to the keys endpoint URL to retrieve this parameter.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Microsoft External Authentication Methods (EAM)
- OpenID Connect (OIDC)
Solution
Retrieve the application client ID from the Okta Admin Console and append it to the authorization server keys endpoint URL to expose the x5c parameter.
- Navigate to Applications > Applications in the Okta Admin Console.
- Select the Microsoft EAM application.
- Copy the client ID from the application URL.
- Append the copied client ID to the standard keys endpoint URL using the client_id query parameter:
  - Standard Authorization Server: https://<okta-domain>/oauth2/v1/keys?client_id=<client_id>
  - Custom Authorization Server: https://<okta-domain>/oauth2/<authorization_server_id>/v1/keys?client_id=<client_id>
NOTE: Okta only returns the x5c parameter for EAM applications when using this specific query parameter. Standard applications do not receive the x5c parameter in the keys endpoint response.
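One way to confirm that the keys response actually carries x5c before configuring the Microsoft side, as an added example that is not part of the original article or Okta's own tooling. The function names, the sample domain and client ID, and the sample JWKS are constructed for illustration; the x5c encoding check follows RFC 7517 (standard base64 of DER).

```python
import base64
import json
import urllib.parse
import urllib.request


def keys_url(okta_domain, client_id, auth_server_id=None):
    """Build the keys endpoint URL in the two forms given above."""
    base = f"https://{okta_domain}/oauth2/"
    if auth_server_id:  # custom authorization server
        base += urllib.parse.quote(auth_server_id, safe="") + "/"
    return base + "v1/keys?" + urllib.parse.urlencode({"client_id": client_id})


def fetch_jwks(url):
    """GET the keys document (needs network access; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def x5c_report(jwks):
    """Map each key's kid to 'ok', 'missing' or 'malformed' for its x5c value."""
    report = {}
    for key in jwks.get("keys", []):
        chain = key.get("x5c")
        if not chain:
            status = "missing"
        else:
            try:
                # RFC 7517: x5c entries are standard base64 (not base64url) DER.
                ders = [base64.b64decode(c, validate=True) for c in chain]
                # A DER certificate starts with the SEQUENCE tag 0x30.
                status = "ok" if all(d[:1] == b"\x30" for d in ders) else "malformed"
            except (ValueError, TypeError):
                status = "malformed"
        report[key.get("kid", "<no kid>")] = status
    return report


# Constructed sample response: the x5c value is placeholder bytes, not a real certificate.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sample-with-x5c", "use": "sig",
     "x5c": [base64.b64encode(b"\x30\x82\x00\x04test").decode()]},
    {"kty": "RSA", "kid": "sample-without-x5c", "use": "sig"},
]}

if __name__ == "__main__":
    print(keys_url("example.okta.com", "0oa_constructed_id"))
    print(x5c_report(SAMPLE_JWKS))
```

Against a live tenant, pass the result of `fetch_jwks(keys_url(...))` to `x5c_report`; any key reported as `missing` means the request did not include the EAM application's client ID.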
