Prepare an OIDC integration
Okta uses a multi-tenant local credential system for OIDC. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your application.
For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This scenario creates a total of 13 sets of client credentials for your application that you need to track.
This multi-tenant approach is different from other IdPs that use a global credential system, where a given application has the same customer credentials across all orgs.
Before you create a new OIDC integration in Okta:
Based on the type of application that you have built, determine the correct OAuth 2.0 flow that is required below the OIDC identity layer.
For OIDC applications destined for the OIN, you can create either of the following:
- A Web application with a dedicated server-side back-end that is capable of securely storing a Client Secret and exchanging information with an authorization server through trusted back-channel connections. Okta recommends using the Authorization Code flow with an exchange of the client credentials (Client ID and Client Secret) for controlling the access between your application and the resource server.
- A Single Page Application (SPA) that uses an Authorization Code flow with a Proof Key for Code Exchange (PKCE). Okta recommends this method to control the access between your SPA application and a resource server.
Determine the sign-in redirect URIs on your system. A redirect URI is where Okta sends the authentication response and ID token during the sign-in flow. You can specify more than one URI if required.
Your application must support automatic credential rotation. For more information, see the /keys section in the OpenID Connect & OAuth 2.0 API reference.
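The SPA recommendation above (Authorization Code flow with PKCE) and the registered sign-in redirect URIs can be seen working together in the following added example; it is not Okta's code. The issuer, client ID and redirect URI are constructed placeholders, and the `/oauth2/v1/authorize` path is assumed to be the org authorization server's authorize endpoint.

```python
"""PKCE (RFC 7636, S256) helpers for an SPA using Authorization Code + PKCE with Okta.
Added example, not Okta's code. The values below are constructed placeholders
for a hypothetical instance of an app integration inside one customer org."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://example-org.okta.com"          # placeholder org
CLIENT_ID = "0oa_example_client_id"               # placeholder client ID for this instance
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}  # configured sign-in redirect URIs


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 requires 43..128 unreserved chars; base64url of 32 random bytes is 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, redirect_uri: str, state: str, nonce: str) -> str:
    # Only a redirect URI that exactly matches a registered one may be sent; no prefix matching.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError(f"redirect_uri not registered for this app instance: {redirect_uri}")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,                 # CSRF binding for the callback
        "nonce": nonce,                 # replay binding for the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth2/v1/authorize?{urlencode(params)}"


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # What the authorization server does at the token endpoint: recompute the challenge
    # from the presented verifier and compare in constant time. A stolen code is useless
    # to anyone who does not also hold the verifier, which replaces the client secret an SPA cannot keep.
    return secrets.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```

The verifier stays in the browser session and is sent only to the token endpoint; the challenge is all that appears in the authorize request.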