- OIDC role-based — for an
LLMconsumer whose routing is chosen from the token’sgroupsclaim (roles). - OAuth2 for MCP — for an
MCPconsumer gated by a custom scope.
Everything below uses Okta’s custom authorization server (the
/oauth2/{authServerId}
path). The default custom auth server ships in every Okta org, including the free
Integrator Free Plan org — ideal for a POC. In production Workforce orgs the custom
authorization server feature is the API Access Management product.Prerequisites
- An Okta org — note your domain, e.g.
dev-123456.okta.com. - Admin access to Security → API and Applications.
- A group you can route on (e.g.
TrustGate-Engineering) under Directory → Groups.
The values you will collect
1. Authorization server
All steps happen in the Okta Admin Console at
https://<your-org>-admin.okta.com
(the admin console, not the end-user dashboard). Use the left sidebar to navigate.1
Open the authorization servers list
In the left sidebar go to Security → API, then open the Authorization Servers
tab.
2
Pick or create the server
Use the row named
default, or click Add Authorization Server (top right) and
fill:- Name:
trustgate - Audience:
api://trustgate - Description: anything.
3
Record the issuer and audience
Open the server and read the Settings tab. Copy the Issuer URI
(
https://{okta_domain}/oauth2/{okta_auth_server_id}) and the Audience — you will
paste both into the TrustGate credential. The keys endpoint is the issuer plus
/v1/keys:2. Add a custom scope (for MCP)
Stay in Security → API → Authorization Servers → your server; the tabs below are on that server’s detail page.1
Create the scope
Open the Scopes tab → click Add Scope:
- Name:
mcp.access - Display phrase:
MCP access - Tick Include in public metadata.
2
Add an access policy
Open the Access Policies tab → click Add Policy:
- Name:
trustgate - Assign to clients: All clients (or select your app once it exists).
3
Add a rule to the policy
On the policy you just created click Add Rule:
- Rule name:
m2m - Grant type: tick Client Credentials (also tick Authorization Code if you want an interactive user flow).
- Scopes requested: Any scopes (or The following scopes →
mcp.access).
3. Add a groups claim (for role-based routing)
For OIDC role-based routing, the token must carry the claim you match roles on.1
Create a group (if you don't have one)
In the left sidebar go to Directory → Groups → Add Group. Name it
TrustGate-Engineering, save, then open it and use Assign people to add users.2
Add the claim
Back in Security → API → Authorization Servers → your server, open the Claims
tab → Add Claim:
- Name:
groups - Include in token type:
Access Token→Always(repeat forID Tokenif you also send ID tokens) - Value type:
Groups - Filter:
Matches regex.*(orStarts withTrustGate-to scope it)
3
Verify
After you mint a token (below), decode it and confirm the
groups array carries the
user’s group names.4. OIDC role-based credential (LLM)
This credential is attached to arole_based LLM consumer. The token’s groups claim
is matched against each role’s oidc_mapping.
1
Create the auth credential
2
Attach to a role-based consumer
Create an
LLM consumer with routing_mode: role_based, then attach this credential
and one or more roles. A role’s oidc_mapping matches the
groups claim:5. OAuth2 credential (MCP)
This credential is attached to anMCP consumer. Access is gated by required_scopes.
1
Create the client app
In the left sidebar go to Applications → Applications → click Create App
Integration. Choose API Services (this is the client-credentials app type) →
Next.
- App integration name:
trustgate-mcp
mcp.access scope.2
Create the auth credential
6. Get a test token
access_token and confirm:
iss=https://dev-123456.okta.com/oauth2/defaultaud=api://defaultscp=["mcp.access"]
Troubleshooting
Next: Entra ID.