Restricting application from use with the Okta org authorization server

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D51Y00006PIeFySALOkta Classic EngineAdministrationAnswered2024-04-15T10:05:02.000Z2019-07-02T22:07:18.000Z2019-07-17T04:55:48.000Z

fagiz (fagiz) asked a question.

July 2, 2019 at 10:07 PM

Restricting application from use with the Okta org authorization server

When creating an oauth application, it's possible to restrict it from use in a given custom authorization server by setting up policy rules for the custom authorization server. However, there doesn't seem to be a way to prevent using the application with the "Okta org as an authorization server" - the one with urls like https://example.okta.com/oauth/v1/token, rather than https://example.okta.com/oauth/aus.../v1/token or https://example.okta.com/oauth/default/v1/token.

Is there any way to restrict this accesss? We have some applications for using password grant against test auth servers, or for client credentials grant, and it seems like these should not be useable witht he "Okta org an an authorization server". Even if that server is only for authentication as opposed to authorization, it still feels like a potential security vulnerability.

Top Rated Answers

sergiu.Costea1.5343792916171697E12 (Vendor Management)
7 years ago
Hi Ian,

Thank you for posting on the Okta community case.

You can configure Access Policies for your Okta Authorization Server to define which Client can use the Authorization Server for authentication , the Grant Type etc.

Please find more information in the below KB's:
https://developer.okta.com/docs/guides/customize-authz-server/overview/
https://support.okta.com/help/s/article/Difference-Between-Okta-as-An-Authorization-Server-vs-Custom-Authorization-Server

If you'll have any questions or require assistance, please open a case with Okta Customer Support.
Kind regards,

Sergiu Costea
Technical Support Engineer
Okta Global Customer Care

Expand Post
Selected as Best

All Answers

molly.masterson1.5499146976511477E12 (Okta)
7 years ago
Thanks for your question! I've raised this to our Support team who should be reaching out shortly. In the meantime, are there any experts on the Community who can help Ian out?
Expand Post
sergiu.Costea1.5343792916171697E12 (Vendor Management)
7 years ago
Hi Ian,

Thank you for posting on the Okta community case.

You can configure Access Policies for your Okta Authorization Server to define which Client can use the Authorization Server for authentication , the Grant Type etc.

Please find more information in the below KB's:
https://developer.okta.com/docs/guides/customize-authz-server/overview/
https://support.okta.com/help/s/article/Difference-Between-Okta-as-An-Authorization-Server-vs-Custom-Authorization-Server

If you'll have any questions or require assistance, please open a case with Okta Customer Support.
Kind regards,

Sergiu Costea
Technical Support Engineer
Okta Global Customer Care

Expand Post
Selected as Best

This question is closed.

Recommended content

Forum

How to use organization level authorization server in OKTA with spring boot application

Forum

Integrate Web Application with Okta OIDC and Authorization Server

Forum

How can I create an application to get access_token from another authorization server (auth_uri)

Forum

Application is using the ORG token server and not the custom Auth Server

Loading

Restricting application from use with the Okta org authorization server