The Org Authorization Server supports basic authentication use cases, where the OpenID Connect application only needs to receive user profile information via the ID Token and Access Tokens that can be used against Okta's own API endpoints. Access Tokens issued by the Org Authorization Server are intended for Okta's APIs only: a third-party resource server cannot validate them locally and must instead check them with Okta's introspection endpoint.
Custom Authorization Servers support more complex authorization use cases, where the OpenID Connect/OAuth application may need specific claims and scopes in the Access Token, and that Access Token is used to secure a third-party resource server or API endpoint. Because a Custom Authorization Server publishes its signing keys at its JWKS endpoint, the resource server can validate the Access Token locally. Use of Custom Authorization Servers (including the one named "Default") is available in orgs licensed with the API Access Management SKU.
- OpenID Connect (OIDC) Applications
- OAuth 2.0 applications
- Single-Sign On (SSO)
- API Access Management
- Machine-to-Machine (M2M)
- Okta Classic Engine
- Okta Identity Engine (OIE)
Review the following table to determine when to use an Org Authorization Server versus a Custom Authorization Server in Okta. An X marks a capability the server supports.

| Capability | Org Authorization Server | Custom Authorization Server |
|---|---|---|
| **Use Cases** | | |
| Basic SSO and OIDC authentication use cases. | X | X |
| More complex OAuth authorization use cases. | | X |
| **Scopes** | | |
| Standard OIDC scopes and grant type-specific scopes. | X | X |
| Pre-configured "groups" scope and resulting groups claim. | X | |
| Okta Admin Management API scopes (for example, okta.users.read). | X | |
| MyAccounts scopes. | X | X (but scopes may need to be created manually) |
| Custom scopes granted to the Access Token. | | X |
| **Claims** | | |
| Standard OIDC claims (tied to the standard OIDC scopes). | X | X |
| Custom claims added to the ID Token/Userinfo endpoint using Federated claims. | X | X |
| Custom claims added to the ID Token/Userinfo endpoint using Application Profile attributes, or the Legacy groups claim. | X | |
| Custom claims added to Access Tokens and/or ID Tokens. | | X |
| **Grant Types** | | |
| Client Credentials to get Access Tokens to use against Okta's APIs. | X | |
| Client Credentials to get Machine-to-Machine Tokens to use against 3rd party APIs. | | X |
| On-Behalf-Of Token Exchange. | | X |
| AI Agent Token Exchange. | | X (Okta for AI Agents (O4AA) SKU also needed) |
| **Other functionality** | | |
| Used by applications in the Okta Integration Network. | X | |
| Custom Access and Refresh Token lifetimes using Access Policies and Rules. | | X |
| Use of Token Inline Hooks (which also allow for changing the ID token lifetime). | | X |
| Prompting for user consent. | | X |
| Local Access Token validation. | | X |
NOTE: Use of the Custom Authorization Server can impact licensing; the Okta Account Team can assist with questions relating to cost or adding API Access Management or M2M licenses to the contract.
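The "Local Access Token validation" row is where the choice matters most for a resource server, so here is an added example, written for this page and not taken from Okta's documentation or SDKs, of how a Python resource server should treat the two kinds of token. It assumes an org URL of https://example.okta.com, a Custom Authorization Server id of ausexample123 and an audience of api://inventory, all placeholders; the RS256 key pair is a toy 512-bit key generated inline and the JWKS document is constructed inline, standing in for the 2048-bit keys a real service fetches and caches from {issuer}/v1/keys. PKCS#1 v1.5 signing and verification are written out with the standard library only so the example runs offline; in production use a maintained JWT library.

```python
import base64, hashlib, json, random

# Assumed values for this illustration (not from the article): org URL, a Custom AS issuer under /oauth2/<id>, API audience.
ORG_URL = "https://example.okta.com"
CUSTOM_ISSUER = ORG_URL + "/oauth2/ausexample123"
AUDIENCE = "api://inventory"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo for SHA-256 (RFC 8017, 9.2)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin, only for the demo key
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key(kid: str, bits: int = 512):
    """Toy RSA pair and its JWK. Okta's real 2048-bit keys come from {issuer}/v1/keys."""
    e = 65537
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _probable_prime(q) or q == p:
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    d, k = pow(e, -1, phi), (n.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
           "n": b64url(n.to_bytes(k, "big")), "e": b64url(e.to_bytes(3, "big"))}
    return {"n": n, "d": d}, jwk


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(signing_input: bytes, priv: dict) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), priv["d"], priv["n"]).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    n, e = (int.from_bytes(unb64url(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)


def issue_token(claims: dict, priv: dict, kid: str) -> str:  # stands in for the authorization server
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), priv))


def validation_route(token: str, org_url: str) -> str:
    """Custom AS issuers live under {org}/oauth2/<id> and publish keys, so verify locally; Org AS
    tokens (iss == org URL) must go to {org}/oauth2/v1/introspect. Reads the still-unverified iss."""
    iss = json.loads(unb64url(token.split(".")[1])).get("iss", "")
    if iss == org_url:
        return "introspect"
    if iss.startswith(org_url + "/oauth2/"):
        return "local"
    raise ValueError("issuer does not belong to this org")


def validate_locally(token: str, jwks: dict, issuer: str, audience: str, now: float) -> dict:
    """Local check of a Custom AS access token: alg allow-list, kid, signature, then iss/aud/exp."""
    h, p, s = token.split(".")  # ValueError unless exactly three segments
    header = json.loads(unb64url(h))
    if header.get("alg") != "RS256":  # the token never gets to pick the algorithm
        raise ValueError("alg not allowed")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("unknown kid: refresh the JWKS once, then fail closed")
    if not rs256_verify(f"{h}.{p}".encode(), unb64url(s), key):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if audience not in (claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    return claims
```

validation_route() only reads the unverified iss to choose a path, and the local path re-checks iss after the signature has been verified, so a forged issuer cannot talk the server into trusting a token. For the introspect route the resource server POSTs the token to {org}/oauth2/v1/introspect with its own client credentials (omitted here because it needs network access). On the local route, the fixed alg allow-list and the kid lookup against the published keys are what make verification safe: a tampered signature, an expired token, a wrong audience, an unknown kid, or a token whose iss is the Org Authorization Server is rejected with a ValueError, and the claims are returned only when every check passes.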
Related References
- What’s the Difference Between OAuth, OpenID Connect, and SAML? | Okta
- API Access Management with Okta | Okta Developer
- Authorization Servers | Okta Developer
- Okta API Access Management | Okta Support Center
- Custom Authorization Server Tab Is Missing from the API Menu | Okta Support Center
- Validation Failed on Access Token Issued by the Org Authorization Server | Okta Support Center
- Difference Between Well-Known OpenID Configuration and OAuth Authorization Server Endpoints | Okta Support Center
- How to Review System Logs for OpenID Connect Applications to Verify if They Use a Custom Authorization Server | Okta Support Center
