API Access Management

Speaker 1:  Now I'd like to show you something unique about Okta. With the rise of the API economy, there's been a panic trying to figure out how to properly and reliably manage access to APIs. In many ways, it's entirely new territory, introducing brand new concepts and approaches. At the same time, the fundamental use case, providing appropriate access to employees, partners, and customers is similar to what we already know and manage.

Towards that goal, our API access management offering applies our existing authentication and access management system to APIs. To do this, we split the problem in half. The first, or internal half, is based on the universal directory, multifactor authentication, and access policies we already have. The second or external half uses the OAuth protocol.

I don't mean OAuth like OAuth friendly, but the actual OAuth protocol that teams have already invested time, training, and tooling to support. To get started, you first configure the client or the interface that developers will use. Generally these clients are going to be partner-specific, but they can be reused depending on your requirements.

After you create a client, you can choose which OAuth grant types you allow. We support the implicit or hybrid flow common in mobileapps or single page JavaScript applications. We support the authorization code flow, which is what you've probably seen when you've used a social auth provider.

We optionally support refresh tokens to give long-term control. That's the developer facing side. For the internal half, you can set the rules and policies that apply to your authentication process. Since this is based on Okta's Universal Directory, you can build rules to add custom scopes or permissions based on group membership or even which flow a user visits with.

For example, a bank may not allow wire transfer access via mobile device. You'll appreciate that the next time you lose your phone. Probably the subtly most powerful aspect of all this is the OAuth client's API behind the scenes. Once you configure the perfect rules and policies for your partners and customers, you can use the API to read and duplicate or even manage those policies long-term.

Those two halves make up API access management and take what used to be a scary problem, governing access to this new API economy, and brings it back to the realm that we know, understand, and can maintain now and into the future. Enough talk. Let's see it in action. A user API could hit an interface like this to negotiate the OAuth flow. As you can see, it redirects me to my Okta domain and I can log in.

Any additional factors such as Okta Verify or even just SMS verification could be enabled here with just a few clicks. During the authentication process, the rules and policies from my authorization server are being applied. If I've authenticated properly, I'll get my OAuth access token, which can be decoded here and here are the results.