Passer au contenu principal
Cross App Access (XAA) is currently in Beta. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages. To participate in this program, contact Auth0 Support or your Technical Account Manager.
To test the end-to-end XAA flow, you need to verify that your Auth0 tenant can accept the JWT-Bearer requests sent by the Requesting App. Auth0 handles that for you out of the box. Before you can test the end-to-end XAA flow, make sure you:
  • Update the Redirect URI field to the callback URL of your testing application that acts as your Requesting App in your Okta tenant, as explained in Register the Requesting App in Okta.
  • Provide your Okta representative with the following information:
    • The issuer URL of your Auth0 tenant. Your Resource App is associated with the issuer URL in the Okta Integration Network (OIN), enabling Requesting Apps to refer to it when requesting ID-JAGs.
    • The Auth0 client_id that maps to each Requesting App in the OIN.
To get the issuer URL and the client ID within your Auth0 tenant, navigate to Applications, select your application, and select Settings:

Exchange the ID token for an ID-JAG

First, you need to log in to your Requesting App with your Okta test tenant. When you successfully log in and grant consent, Okta redirects the browser back to your Requesting App with an authorization code. Your Requesting App then securely exchanges the authorization code for an Okta access token and ID token. To exchange the Okta ID token for an ID-JAG, the Requesting App makes a token exchange request to the /token endpoint of your Okta test tenant with the following parameters:
XAA Beta does not support passing scopes to Okta’s /token endpoint. You can set the scopes in the next request to Auth0’s /token endpoint once the Requesting App receives the ID-JAG. In a production environment, the Requesting App makes the token exchange request to the /token endpoint of your customer’s Okta tenant.

Send ID-JAG to Auth0’s /token endpoint

Once the Requesting App gets an ID-JAG, it sends an access token request to the /token endpoint of your Auth0 tenant:
After the Auth0 Authorization Server validates the ID-JAG to verify the user’s identity, it issues an access token to consume the target API audience of your Auth0 tenant. The access token also includes the scopes you requested that are allowed by RBAC and other policies set in your Auth0 tenant. The Auth0 Authorization Server does not issue refresh tokens in response to ID-JAG token exchanges. As a result, the Requesting App needs to get a new ID-JAG from the enterprise IdP, and undergo the applicable access controls, to get a new access token via XAA.