Okta Authentication Flows

Interactive simulators for OAuth 2.0 and OpenID Connect flows

⚠️ Demonstration & Learning Tool Only
This application is intended for demonstration and learning purposes only. It intentionally exposes security secrets (tokens, keys, assertions) that would normally never be accessible to clients. All secrets should be rotated after use so that proper security measures are maintained.

Agentic Flows

These are the currently supported Protecting AI Agent flows.

Agentic Token Exchange Flow

Demonstrates User-to-AI-Agent delegation using ID-JAG tokens.

OAuth 2.0 RFC 8693 ID-JAG Bearer Secret Service Account

Standards Based Authentication Grant Flows

Standard OAuth 2.0 and OpenID Connect grant type simulators.

Authorization Code Flow - Web

Standard OAuth 2.0 Authorization Code flow with Client ID/Secret for secure authentication in web applications.

OAuth 2.0 OIDC

Device Authorization Grant

OAuth 2.0 Device Authorization Grant for input-constrained devices like smart TVs, CLI tools, and IoT devices. Users authorize on a secondary device.

RFC 8628 OAuth 2.0 Device Flow

Native to Web SSO

Transfer authentication from a native app to a web app. Password authentication with the interclient_access scope, followed by token exchange and web session creation.

Interclient Token Exchange Web SSO

Device SSO for Native Apps

Device SSO flow: authorize with PKCE to get device_secret, then exchange tokens for a second native app without re-authentication.

Device SSO PKCE Token Exchange
Pending

On-Behalf-Of Token Exchange

Authorize with PKCE, exchange code for tokens, then perform an on-behalf-of token exchange for a downstream API.

RFC 8693 On-Behalf-Of Token Exchange
Pending

CIBA (Backchannel Auth)

Client-Initiated Backchannel Authentication. The client requests authentication via a backchannel, and the user approves on a separate device.

CIBA Backchannel Push
Pending

Client Credentials (M2M)

Machine-to-machine authentication using client credentials. The application authenticates with its own identity to access APIs without user involvement.

OAuth 2.0 RFC 6749 M2M
Pending

SAML 2.0 Assertion

Exchange a SAML 2.0 assertion for an OAuth 2.0 access token. Bridges SAML-based identity providers with OAuth 2.0 resource servers.

SAML 2.0 RFC 7522 Assertion
Pending

Direct Authentication Grants

Direct authentication grants, device SSO, and backchannel authentication (API Authentication) flows.

OTP (Primary Factor)

Passwordless authentication using a one-time passcode as the primary factor. The user provides a login hint and the OTP to receive tokens directly.

OIE OTP Passwordless
Pending

OTP (MFA)

Two-step authentication: password first, then OTP as a second factor. Demonstrates the MFA challenge-response pattern.

OIE OTP MFA
Pending

Okta Verify Push (Primary)

Passwordless authentication using Okta Verify push notification. Initiate OOB authentication and poll for user approval.

OIE Okta Verify Push
Pending

Okta Verify Push (MFA)

Password authentication followed by Okta Verify push as second factor. Three-step flow with challenge and polling.

OIE Okta Verify MFA
Pending

Phone (Primary Factor)

Passwordless authentication via SMS or voice call. Initiate OOB authentication, then submit the received verification code.

OIE SMS Voice
Pending

Phone (MFA)

Password authentication followed by SMS or voice call as second factor. Three-step flow with challenge and OTP verification.

OIE Phone MFA
Pending

Resource Owner Password

Direct username and password authentication grant. Simple single-step flow that exchanges credentials for tokens.

OAuth 2.0 Password Grant

IDX Pipeline

Demonstrates the Okta Identity Engine Interaction Code Flow with PKCE, dynamic remediation paths, and the ION protocol.

OAuth 2.0 OIDC PKCE OIE
Educational Only

Token Tools

Standalone APIs that operate on Okta tokens: userinfo, introspect, revoke, and logout.

Token Tools

Paste an access token to use Okta's token APIs: UserInfo, Introspect, Revoke, and Logout endpoints.