SSO for Native Apps

1

User

Initiate authorization code flow with PKCE. Include device_sso and offline_access scopes to receive a device_secret.

/oauth2/default/v1/authorize

Configuration

Okta Domain

Authorization Server

/oauth2/default/v1/

Client ID (App 1)

Client Secret (App 1) (optional)

Client ID (App 2)

Client Secret (App 2) (optional)

Redirect URI

Scopes (device_sso and offline_access required)

Configure Okta Domain and Authorization Server to load scopes

cURL Command

Explain cURL | regenerate curl

Response

2

CLIENT APP

Exchange the device_secret and id_token from App 1 to obtain new tokens for App 2 using the token exchange grant.

/oauth2/default/v1/token grant_type=urn:ietf:params:oauth:grant-type:token-exchange

cURL Command

Explain cURL | regenerate curl

Response

3

CLIENT APP Optional

Test the App 2 access token by making an authenticated API request to a resource server.

Request Body (optional)

cURL Command

Explain cURL | regenerate curl