<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008djuLpSAIOkta Classic EngineAdministrationAnswered2024-02-20T15:24:09.000Z2018-11-26T09:39:20.000Z2018-12-19T11:05:35.000Z

AlexandreG.58943 (Customer) asked a question.

November 26, 2018 at 9:39 AM
Best practices around AuthZ Servers

Hi,

 

We would like to use the Okta's AuthZ server to handle the API Access Control.

But we would like to know if there are some good practices.

 

Should we create 1 AuthZ server for our API Gateway and handle the Client ID's Scopes assignment using Access Policies? (i.e. this means that we could end up with a LOT of access policies for 1 AuthZ server - Is it an issue? Do you have some advises on the limits of the system)

 

Should we create mulitple AuthZ Servers to distribute the load generated by our API Gateway? Delivering 1 AutZ Server per API segment which will make the design more complex as we will have to duplicate some scopes and API subscriptions will have to be translated into multiple AuthZ Server requests.

 

Thank you in advance for your answer.

  • 3 answers
  • 2.05K views

  • chris.hancock1.4756186399413728E12 (Okta, Inc.)

    Hi Alexandre,

     

    The recommendations are provided as a good grounding for utilising the authorisation server but will not fit all use cases. As such you may wish to review the API Rate limits found here: https://developer.okta.com/docs/api/getting_started/rate-limits. This highlights the rate limits that are applied, 

     

    Authorize request to a custom Authorization Server:

    "/oauth2/{authServerId}/v1/authorize"

     

    This has a rate limit ranges from 100 - 600 calls per minute based on the edition of Okta you are using, as such if you have multiple apps using the same authoirsation server this will be fine as long as the number of auth calls does not exceed that limit.

    If you are able to work out the expected calls being made from your applications and the peak times if any then the above should help in identifying the best approach for your environment. 

    Expand Post
    Selected as Best

  • chris.hancock1.4756186399413728E12 (Okta, Inc.)

    Hi Alexandre,

     

    With regards to the Okta Authorization Servers that comes with the API Access Management we do recommend 1 authorization server per API product. You can find more details around what we would recommend via the two links i provided below, please read through these and let me know if you have any additional questions on this topic.

     

    Authorization Server - Recommendations :- https://developer.okta.com/use_cases/api_access_management/#authorization-server

     

    API Gateway Recommendations :- https://developer.okta.com/use_cases/api_access_management/#api-gateway-optional

     

     

     

    Thanks,

    Chris Hancock

    Expand Post

  • AlexandreG.58943 (Customer)

    Hi Chris,

     

    Thank you for the links and the advice. These was really interesting to read but open additional questions:

     

    1. If the best practice is to create dedicated OAuth 2.0 Clients' Access Policies this means that we could potentially end up with a lot of Policies to enforced on a AuthZ server. (As every API implementation is a oAuth Client) - do you have some figures to share around capacity limits? performance impacts?
    2. Finally, about having 1 AuthZ server per API Product. Is it a technical limitation to distribute the potential load or is it a conceptual split to facilitate the API administration? I am asking that because we are targeting to have multiple API Products with a lot of cross product interactions. In such case, the pain will be on our customer. They will have to generate a Token for each of our API Products to make their calls.

     

    Thank you again for your help,

    Alexandre.

    Expand Post

  • chris.hancock1.4756186399413728E12 (Okta, Inc.)

    Hi Alexandre,

     

    The recommendations are provided as a good grounding for utilising the authorisation server but will not fit all use cases. As such you may wish to review the API Rate limits found here: https://developer.okta.com/docs/api/getting_started/rate-limits. This highlights the rate limits that are applied, 

     

    Authorize request to a custom Authorization Server:

    "/oauth2/{authServerId}/v1/authorize"

     

    This has a rate limit ranges from 100 - 600 calls per minute based on the edition of Okta you are using, as such if you have multiple apps using the same authoirsation server this will be fine as long as the number of auth calls does not exceed that limit.

    If you are able to work out the expected calls being made from your applications and the peak times if any then the above should help in identifying the best approach for your environment. 

    Expand Post
    Selected as Best
This question is closed.
Loading
Best practices around AuthZ Servers