Authenticating API Gateway APIs using OKTA as authorization server for OAuth mechanism

Authenticating API Gateway APIs using OKTA as authorization server for OAuth mechanism


This article explains how to implement OAuth 2.0 on the API Gateway for OKTA authorization server


It is assumed that readers of this article know how to set up API’s on API gateway.


Use Case:

  • We configured the API on API Gateway. This API checks the availability of bed in hospitals.
  • To invoke this API from API Gateway we have implemented the OAuth 2.0 mechanism.
  • In our case we our OKTA will be working as authorization server.

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

The OAuth 2.0 spec has four important roles:

  • The “authorization server” — The server that issues the access token. In this case Okta is the authorization server.
  • The “resource owner” — Normally your application’s end-user that grants permission to access the resource server with an access token
  • The “client” — The application that requests the access token from Okta and then passes it to the resource server
  • The “resource server” — Accepts the access token and must verify that it’s valid. In this case this is your application

For More info please follow the below link:

API Used for our Use case:

   **API Name:** CheckBedAvailability

Enforce policy

• Open the API CheckBedAvailability.
• Navigate to the policy
• Click on Identify & Access policy.


  • Select Identify & Authorize Application.
  • Select OAuth2 Token.
  • Save the changes.


Create Scope in API

  1. Go to the API in our case it is checkBedAvailablity
  2. Navigate to scopes within the API
  3. Create the scope and map the resource with it
  4. In our case scope name is CheckBedAvailibiltyScopeV2
  5. Add resource name is CheckBedAvailability
  6. Click Save.


Before Configuring the Authorization server, we need to understand a couple of terminologies:

Introspection: Introspection is the way to authenticate the token. It is subdivided into 2 parts

  1. Local introspection: Validating the token within the gateway. This can be done using the JWKS URI or the public certificate of the issuer. For this, the token should necessarily be JWT.
  2. Remote introspection: Validating the token with the authorization server. It has an introspection endpoint, which is used to validate the token. Along with that, we have client id and client secrets which we are used to protect the endpoint so that anonymous users won’t get access to the resource. Underneath to invoke an endpoint we need a user, Gateway user is the one under which we invoke the endpoint.
    Dynamic client registration
    Dynamic client registration is used when you want to create the client automatically in the OAuth2 authorization server when an application is created in API Gateway.

Add Authorization Server

  1. Click on the administration tab
  2. Navigate to the Security tab
  3. From the left-hand tab click on JWT\OAuth\OpenID
  4. Click on Add authorization server.
  5. Provide the name as OktaAuthServer


  1. Provide the Discovery URL and click on Discover.


  1. This will populate the values on Introspection, Dynamic client registration and in Metadata.
  2. Add the scope and save it.


Map Scope OAuth Scopes

  1. Click on map Scope
  2. Give the authorization server scope. In our case, it will be OktaAuthServerScopeMapping


  1. Give the API scope name In our case we have given it CheckBedAvailibiltyScopeV2
  2. Click Save.


Create Application

  1. Click on create Application and name it as ExtrenalOAuthServerApp_OkTA.
  2. Select the API which we want to associate with this application. In our case it will checkBedAvailibility API.
  3. Click on Authentication and then click on Create Strategy
  4. Select Authentication scheme as OAuth
  5. Provide the name for the strategy, In our case we have named it as ExtrenalOktaStrategy
  6. Select the authentication server as OktaAuthServer.
  7. Enable the generate the credentials
  8. Select application type as Public
  9. Application profile as web
  10. Select Grant Type as “authorization_code”
  11. Select the scope in our case it will be OAuthCheckBedAvailabilityScope
  12. Provide the Redirect URI as
  13. Provide the Scope in our case it will be CheckBedAvailibiltyScopeV2
  14. Click on Add.
  15. It will generate the client ID and client credentials, which will be used to generate the access token.

Test Using postman client

  1. Select Authorization as OAuth 2.0
  2. Set the below values

Grant Type: Authorization code
Call Back url:
Authorise URL: We can get the from the metadata provided by OKTA
Access Token URL: We can get the from the metadata provided by OKTA
Client ID: We can get the from the metadata provided by OKTA
Client Secret: We can get the from the metadata provided by OKTA
State: Any random alphanumeric value
Client Authentication: Send Client credentials in Body


  1. Click on generate token

  2. Click on use token

  3. Submit the request


  1. Validate the response.

Hi Vikash

The article is brilliant. I have a question can the same be implemented using Azure for validating the tokens.

we are able to generate the tokens from Azure but when we add Azure as external authorizer and when we try to validate the APIs it is throwing errors related to token expiry but the token is still valid.

hi @parre.abhijith ,
Only condition we get invalid token is when it is not mapped with the scope .
Can you please verify once again. Scope and API should be mapped. I dint see any other reason for this failure until its valid token

Vikash Sharma

We have mapped the scope too. Do i need to select Dynamic client registration in this case and if yes what should be the client registration url ?and in

Application . If i click on generate credentials i get the below error after i click on update. I am not sure where to pass the grant_type in the application.