Restrict OAuth Scopes to Okta Apps using Auth Server Access Policies & Rules

This article describes how you can restrict the use of certain OAuth scopes to certain Okta apps by adding access policies with access rules to the authorization server.

Step 1 — Create Auth Server

Go to https://<your-okta-admin-domain>/admin/oauth2/as & create an auth server:

Step 2 — Create Access Policy

Open the auth server, go to the Access Policies tab & create a policy for the Okta app for which you want to restrict OAuth scopes:

Step 3 — Create Access Rule

Create an access rule within this access policy & list only the scopes that you want the app to be able to use:

Henceforth, the Okta app won’t be able to use any scopes except the ones listed above.
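As an added example that is not part of the original article, the following Python models the policy (Step 2) and rule (Step 3) as Management API request bodies and evaluates a token request against them offline, so you can check before deploying which scope requests a given app would get through. The field names (`OAUTH_AUTHORIZATION_POLICY`, `RESOURCE_ACCESS`, `conditions.clients.include`, `conditions.scopes.include`, `ALL_CLIENTS`) follow Okta's Management API as I know it and should be treated as an assumption; the client IDs and scope names are constructed sample values.

```python
"""Offline model of Okta authorization-server access policies and rules.

Added example, not from the article. Request-body shapes are assumed to match
Okta's Management API (/api/v1/authorizationServers/{id}/policies and .../rules).
Evaluation mirrors Okta's order: the first ACTIVE policy (by priority) whose
client condition matches the requesting app wins; the union of that policy's
ACTIVE rules for the grant type defines the scopes the app may receive.
"""
from typing import Iterable


def build_policy(name: str, client_ids: Iterable[str], priority: int = 1) -> dict:
    """Access policy bound to specific Okta app client IDs (Step 2)."""
    return {
        "type": "OAUTH_AUTHORIZATION_POLICY",
        "status": "ACTIVE",
        "name": name,
        "priority": priority,
        "conditions": {"clients": {"include": list(client_ids)}},
        "rules": [],  # populated with build_rule() output
    }


def build_rule(name: str, scopes: Iterable[str], grant_types: Iterable[str],
               priority: int = 1) -> dict:
    """Access rule listing only the scopes the app may use (Step 3). "*" = any scope."""
    return {
        "type": "RESOURCE_ACCESS",
        "status": "ACTIVE",
        "name": name,
        "priority": priority,
        "conditions": {"grantTypes": {"include": list(grant_types)},
                       "scopes": {"include": list(scopes)}},
    }


def evaluate(policies: list, client_id: str, grant_type: str, requested: Iterable[str]):
    """Return (granted, rejected) scope sets for a token request.

    A client matching no policy is denied outright; a request containing any
    rejected scope fails as a whole (Okta answers with invalid_scope)."""
    requested = set(requested)
    for policy in sorted(policies, key=lambda p: p["priority"]):
        clients = policy["conditions"]["clients"]["include"]
        if policy["status"] != "ACTIVE" or not (client_id in clients or "ALL_CLIENTS" in clients):
            continue
        allowed: set = set()
        for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
            cond = rule["conditions"]
            if rule["status"] == "ACTIVE" and grant_type in cond["grantTypes"]["include"]:
                scopes = set(cond["scopes"]["include"])
                allowed |= requested if "*" in scopes else scopes
        return requested & allowed, requested - allowed
    return set(), requested  # no policy assigned to this client
```

The tuple returned by `evaluate` tells you exactly which requested scopes a rule would have to include for the app's token request to succeed.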