Okta Classic Engine | Okta Integration Network | Answered | 2024-04-15 | 2019-10-01 | 2019-10-04

2lgvg (2lgvg) asked a question.

Domain independent OAuth Support for custom Okta webapp

Hello,

We are building an application with multitenant support using Okta Directory.

All the necessary setup mentioned in the documentation provided by Okta is done and we are able to access APIs for our single tenant.

Our web app needs offline API access using a pair of access_token and refresh_token.

We are able to do OAuth for our developer tenant account.

But we face a technical challenge when it comes to another organization's OAuth, because the OAuth authorization URL has the following format:

https://{yourOktaDomain}/oauth2/v1/authorize

As you can see, the key yourOktaDomain is very specific to each tenant (or organization).

Also, in the Okta Passport.js plugin (http://www.passportjs.org/packages/passport-okta-oauth/) the audience key configuration needs to be an organization's Okta domain auth URL.

The Okta domain is specific per tenant (or organization), so we can't do anything about multitenant or multi-domain configuration.

So in simple words: my organization abc has domain abc.com.

So my Okta domain becomes abc.okta.com and my OAuth URL becomes https://abc.okta.com/oauth2/v1/authorize.

Now what if a user from organization xyz.com wants to use my custom Okta web app? His OAuth will need the URL https://xyz.okta.com/oauth2/v1/authorize. It will fail.

My question is: how do I support multitenant or multidomain or multi-organization OAuth under my Okta web application?

Is there any common tenant-independent OAuth authorization URL (i.e. something like https://common.okta.com/oauth2/v1/authorize)?


  • Hi Atul,

    Thank you for the detailed use-case. Okta does not provide a generic common issuer URL. When integrating an option to authenticate via Okta, each of your customers must have his own tenant inside the application, in which they configure the issuer from their Okta tenant in order to retrieve the specific authorization server endpoints.

    Dragos Gaftoneanu

    Developer Support Engineer

    Okta Global Customer Care

    Selected as Best
  • Hi Atul,

    In order to support multi-tenant OIDC applications, you must request the issuer from your users, along with the client ID and client secret. To the issuer, you can append "/.well-known/openid-configuration" (e.g. https://org.okta.com/.well-known/openid-configuration) and retrieve the relevant endpoints to perform the OIDC flow:

    - authorization_endpoint

    - token_endpoint

    - userinfo_endpoint

    - jwks_uri

    - introspection_endpoint

    With these endpoints, along with the client ID and client secret, your users can get authorized to your application via Okta, provided they have whitelisted the callback endpoint in their OpenID web app, under "General" >> "Login Redirect URIs".

    Dragos Gaftoneanu

    Developer Support Engineer

    Okta Global Customer Care
  • 2lgvg (2lgvg)

    Hi @Dragos Gaftoneanu,

    Thank you very much for your response.

    The information you have given works with a single tenant, e.g. abc.okta.com, because the web app is configured in that tenant.

    But when a user from another domain visits my web app, i.e. a person from xyz.okta.com tries to use my application, it does not work because my auth URLs are specific to abc.okta.com.

    The flow I want is to have generic authentication using Okta across all domains of tenants. E.g. even though I have configured the web app on abc.okta.com's dashboard, any other domain's users, e.g. a user from xyz.okta.com, shall be able to log in to my web app.

    We are working with the Okta User Directory APIs. That functionality is supposed to work with all tenants (or domains or organizations) using Okta, by enabling `offline_access` in OAuth/OpenID.

    Let me give you an example. A user directory like Azure AD has two configurations: 1] tenant-specific, 2] common (works for all tenants or domains).

    1] A tenant-specific authorization URL looks like below (which does NOT work across tenants as it is tenant-specific):

    https://login.microsoftonline.com/abc.onmicrosoft.com/v2.0/.well-known/openid-configuration

    2] But if you want a common authorization URL, that is as follows (which works across tenants as it is NOT tenant-specific):

    https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

    So I want to ask: does Okta have any such common issuer URL where OAuth/OpenID for all tenants (or domains or organizations) can be done?

    Please let me know.

    Thanks & Regards,

    _Prashant

    References:

    1] Passport.js plugin for Azure AD OAuth: https://github.com/AzureAD/passport-azure-ad

    2] I am referring to the Okta documentation (which is more focused on the single-tenant use case): https://developer.okta.com/blog/2018/05/18/node-authentication-with-passport-and-oidc
This question is closed.