Use API Access Management, Okta’s implementation of the OAuth 2.0 standard, to secure your APIs. API Access Management is integrated with Okta’s implementation of OpenID Connect for authentication; OpenID Connect is also available separately. Similarly, Okta provides a client management API for onboarding, monitoring, and deprovisioning client apps.
API Access Management is an Early Access feature.
When do you use API Access Management and when do you use OpenID Connect?
In general, use OpenID Connect to sign users into apps, and use API Access Management to secure your APIs: create one or more Custom Authorization Servers, define scopes and claims, and create policies and rules to determine who can access your API resources.
You can also specify authorization servers in your OpenID Connect API calls. Every OpenID resource is also available in a version that lets you specify an authorization server that you created in Okta. See OAuth 2.0 and OpenID Connect for details.
Centralizing the management of your APIs makes it easier for others to consume your API resources. Using Okta’s OAuth-as-a-Service feature, API Access Management, provides many benefits:
Note: In some places we have implemented stricter requirements or behaviors for additional security.
The following is a high-level look at the basic components of API Access Management. We use the same terms as the OpenID Connect and OAuth 2.0 spec. For complete explanations, read those specs.
The two biggest security benefits of OAuth are using tokens instead of passing credentials and restricting the scope of tokens. Both of these measures go a long way toward mitigating the impact of a security compromise.
Okta helps you manage ID Tokens (OpenID Connect) and Access Tokens (OAuth 2.0).
The JWT extension to the OAuth Framework lets you include custom claims in ID and Access Tokens. You can design tokens to disclose the information you want to share depending on the client and the scope of the tokens. For example, a shopping site might have one set of claims for customers while they browse, but another claim for admin functions like changing their personal information.
Custom claims also help you by reducing the number of lookup calls required to retrieve user information from the identity provider (IdP). This benefit depends, of course, on the level of security your apps require.