Loading
Salesforce now sends email only from verified domains. Read More

Setup Guide for Okta OIDC with Private Key JWT(Setting up Okta OIDC Client Provider with Private Key JWT using Two App pattern in OKTA Application Console)

Publish Date: Feb 18, 2026
Prerequisite(s)
This knowledge article provides guiding information on setting up Okta OIDC Client Provider with Private Key JWT using the Two App pattern in the OKTA Application Console. It includes steps to verify tokens, update client IDs, enable client deletion, add required scopes, and ensure proper configuration.
Task

How do I set up Okta OIDC Client Provider with Private Key JWT using the Two App pattern in the OKTA Application Console?

1. Architecture: The "Two-App Pattern"

Two distinct Okta applications are required for this integration:

  • App A (The Manager): A "Service" app using Private Key JWT. Used by Anypoint to create and manage client applications.

  • App B (The Inspector): A "Service or Web" app using Client Secret. Used by the API Gateway to validate (introspect) tokens at runtime.

 

Steps

2. Okta Configuration

Step 1: Create "The Manager" (App A)

  1. Create App: Navigate to Applications > Create App Integration > API Services.

  2. Name: MuleSoft-Client-Manager.

  3. Authentication: In the General tab, click Edit on Client Credentials. Select Public key / Private key.

  4. Keys: Click Add key > Generate new key. Save the Private Key (PEM) locally (you will need this for Anypoint). The Public Key is saved in Okta automatically.

  5. Disable DPoP: In General Settings, ensure Require Demonstrating Proof of Possession (DPoP) is unchecked (MuleSoft does not support DPoP).

  6. Permissions (Scopes): Go to the Okta API Scopes tab. Grant the okta.clients.register okta.clients.read (and okta.clients.manage) scope. [If you need client app deletion/secret rotation etc ability for your IDP]

  7. Admin Role: Go to the Admin Roles tab. Assign the Application Administrator role. Note: Custom roles often fail to authorize client creation via API.
    REFERENCE: OKTA SUPPORT DOCS: https://devforum.okta.com/t/dynamic-client-registration-permission-required/28056/8
    Contact Okta Support for more help on this topic. 

Step 2: Create "The Inspector" (App B)

  1. Create App: Navigate to Applications > Create App Integration > OIDC - OpenID Connect > Web Application.

  2. Name: MuleSoft-Token-Introspection.

  3. Authentication: Ensure Client Secret is selected.

  4. Credentials: Note the Client ID and Client Secret.

3. Anypoint Configuration

Navigate to Access Management > Client Providers > Add Client Provider > OpenID Connect Dynamic Client Registration.

A. Provider Identity

  1. Issuer: https://{yourOrg}.okta.com (Use the Org URL, not a custom server).

  2. Client Registration URL: https://{yourOrg}.okta.com/oauth2/v1/clients.

B. Authentication Method

  1. Method: Select Use OAuth2 private key jwt.

  2. Token Client ID: Enter the Client ID of App A (The Manager).

  3. Token Client Private Key: Paste the PEM Private Key generated in Step 1.

  4. Token Client API Scopes: Enter okta.clients.register okta.clients.read (or okta.clients.manage).

C. Token Introspection Client

  1. Client ID: Enter the Client ID of App B (The Inspector).

  2. Client Secret: Enter the Client Secret of App B (The Inspector).

D. OIDC Authorization URLs

  1. Authorize URL: https://{yourOrg}.okta.com/oauth2/v1/authorize.

  2. Token URL: https://{yourOrg}.okta.com/oauth2/v1/token. Crucial: Must use the Org URL to honor the admin scopes.
    https://devforum.okta.com/t/the-authorization-server-id-is-invalid-error-while-trying-api-endpoints-using-postman/19420/5#:~:text=First%20off%2C%20if,own%20management%20endpoints.


  3. https://devforum.okta.com/t/dynamic-client-registration-with-custom-authorization-server/15426/4

  4. Token Introspection URL: https://{yourOrg}.okta.com/oauth2/v1/introspect.

4. Verification

  1. Click Create.

  2. Navigate to Exchange, select an API asset, and click Request Access.

  3. Creates a new application(also, on OKTA side) . If successful, the Client Provider is correctly configured to manage applications in Okta.

5. API Manager Policy Setup

Once the Client Provider is created, you must enforce it on your API.

  1. Navigate to API Manager: Select your specific API instance.

  2. Policies: Click Policies > Add Policy.

  3. Select Policy: Choose OpenID Connect access token enforcement.

  4. Select API Settings: Select the Okta provider you just created. 

    • Click Apply. If you have contracts with previous provider. Best practice to revoke and delete them first and then delete the client apps from exchange as well if needed later. 

     

6. Postman Verification (End-to-End Test)

To verify the setup, we will simulate a developer requesting access and then calling the API.

Step A: Get a Token (Simulating the App) Use the credentials of a client application created via Anypoint Exchange (not the Manager or Inspector apps).

  1. Method: POST

  2. URL: https://integrator-2487462.okta.com/oauth2/aus103lfwgxipichu698/v1/token (Your Custom Auth Server)

  3. Authorization: Basic Auth

    • Username: {Client ID of the App created in Exchange}

    • Password: {Client Secret of the App created in Exchange}

  4. Body (x-www-form-urlencoded):

    • grant_type: client_credentials

    • scope: custom_scope

Step B: Call the MuleSoft API

    1. Method: GET (or POST, depending on your API)

    2. URL: https://{your-mule-api-domain}/api/resource

    3. Headers:

      • Authorization: Bearer {Paste_Access_Token_From_Step_A}

    4. Result: You should receive a 200 OK response.

      • If you get 401: The policy rejected the token (check Introspection URL match).

      • If you get 403: The token is valid, but lacks required scopes.

Additional Resources

Okta OIDC CP, OAuth2 Private Key JWT, Anypoint Platform, Okta Mule App Client Id

Disclaimer:
This article is just for Informational purpose only. This article involves products and technologies which do not form part of the MuleSoft product set. Technical assistance for such products is limited to this article. Contact Vendor Support for further help/assistance setup required on their product directly. 

Summary:
This guide details the configuration of an OIDC Client Provider in MuleSoft Anypoint Platform using the Private Key JWT authentication method. This setup requires the "Two-App Pattern" in Okta to satisfy both the security requirements of the Anypoint Control Plane (Private Key) and the Mule Runtime (Client Secret).

Knowledge Article Number

005315457

 
Loading
Salesforce Help | Article