Prepare an OIDC integration
Okta uses a multi-tenant local credential system for OIDC. Each instance of your app integration inside a customer org has a separate set of OIDC client credentials that are used to access your application.
For example, consider a scenario where your app integration is added to 10 separate customer orgs. Seven of those customers create a single instance of your app integration. However, the other three customers each create two separate instances of your app integration so they can use different configuration options. This creates a total of 13 (7 + (3*2)) sets of client credentials for your application that you need to track.
This multi-tenant approach is different from other IdPs that use a global credential system, where a given application has the same customer credentials across all orgs.
Before you create a new OIDC integration in Okta:
- Based on the type of application that you have built, determine the correct OAuth 2.0 flow that is required below the OIDC identity layer.
Note: For OIDC app integrations intended for publication in the OIN, you must use a Web (server-side) platform with an authorization code flow.
- Determine the login redirect URIs on your system. A redirect URI is where Okta sends the authentication response and ID token during the sign-in flow. You can specify more than one URI if required.
- Your application must support automatic credential rotation. For more information, see the
/keys section in the OpenID Connect & OAuth 2.0 API reference.