Cross App Access (XAA) for Resource Applications Beta

Connecting third-party apps and AI agents in an enterprise creates two key problems: poor IT visibility into data sharing and repetitive consent flows for users.

Cross App Access (XAA) addresses these challenges by allowing IT admins to centrally define access controls for how SaaS applications, like AI agents, connect on a user's behalf. Admins manage these connections in a central dashboard, like the Okta Admin Console, which eliminates disruptive OAuth consent prompts for end-users. The result is improved organizational security, governance, and user experience.

XAA implements the Identity Assertion Authorization Grant, an in-progress OAuth extension that allows an AI agent or application (Requesting App) to obtain a secure token through the enterprise IdP. This token enables the Requesting App to call the APIs of another application (Resource App) on the end-user’s behalf. To learn more, read How it works.

Key benefits

XAA delivers key benefits for every role in your enterprise ecosystem:

  • For Enterprise IT administrators: Centralized control, visibility, and policy enforcement over application access to enterprise and user data.

  • For SaaS providers and developers: Standardized and secure integration for enterprise AI to foster ecosystem growth.

  • For end-users: Streamlined and frictionless connections between applications, eliminating complex OAuth consent flows. 

Use cases

Common use cases for XAA include:

  • Connect AI agents to enterprise applications: An employee uses an AI agent to read from their calendar app and post an update about their availability in the enterprise messaging app. Instead of requiring the employee to go through redirection flows and consent prompts, the AI agent uses XAA to obtain an access token from the enterprise IdP to securely call the APIs of both the calendar and messaging app, if approved by the enterprise access policy.

  • Connect SaaS applications: In our previous example, the enterprise calendar and messaging app both support XAA. Employees can seamlessly connect the messaging app to access the calendar app’s API without user redirection or consent while following enterprise access policies.

How it works

The XAA flow involves the following actors:

  • Requesting App: The application or AI agent that needs to access a resource.

  • Resource App: The application that owns the protected resource and exposes it via an API

  • Enterprise IdP: The IdP, such as Okta, that authenticates employees.

After the end-user authenticates with the enterprise IdP, the Requesting App contacts the enterprise IdP to request access to the Resource App on the user's behalf. After applying its access policy to check if this cross-app connection is permitted, the enterprise IdP generates an assertion called an ID-JAG, which the Requesting App then presents to the Resource App to get an access token for API consumption. 

In the following diagram, Acme is the enterprise customer whose employees authenticate with their enterprise IdP, such as Okta, to access the Requesting App (Agent0) and the Resource App (Todo0):

Prerequisites

With our Acme example in mind, the XAA flow has the following prerequisites:

  • The Resource App (Todo0) Authorization Server is federated with the enterprise IdP through OIDC so that it can generate access tokens for end-users authenticated by that IdP.

  • The Requesting App (Agent0) is registered with the Resource App Authorization Server as an OAuth 2.0 client with a valid client_id and credentials to request access tokens from the Resource App Authorization Server.

  • The Acme IT admin has defined XAA access controls between Agent0 and Todo0.

End-to-end XAA flow

With our Acme example in mind, the end-to-end XAA flow has the following steps:

  1. The Acme employee logs into the Requesting App (Agent0) using SSO with the enterprise IdP. The Requesting App obtains an ID token to verify the Acme employee’s identity.

  2. The Requesting App makes a token exchange request to the IdP to exchange the ID token for a cross-domain Identity Assertion JWT Authorization Grant, also known as ID-JAG. The IdP validates the request and checks the XAA policy defined by the Acme IT Admin.

  3. If the XAA policy allows for it, the IdP returns the ID-JAG to the Requesting App.

  4. The Requesting App makes a token request using the ID-JAG to the Resource App (Todo0) Authorization Server.

  5. The Resource App Authorization Server validates the ID-JAG using the public key it also uses for its OpenID Connect flow with the IdP. If valid, the authorization server returns an access token.

  6. The Requesting App makes a request with the access token to the Resource App’s API.

Leveraging the XAA flow, Acme’s IT admin policies govern access from Agent0 to Todo0, requiring no end-user redirection or interaction.

Set up the end-to-end test environment for the Resource App

This section explains how to set up the end-to-end test environment for the Resource App. By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.

To set up your end-to-end test environment for the Resource App:

  • Configure and register your Resource App: This includes configuring your Auth0 tenant and registering your SaaS application as a Resource App with Okta. To learn more, read Resource App setup.

  • Configure the Requesting App to test the end-to-end: This includes registering a test Requesting App in your Auth0 tenant and updating Okta to link it with your Resource App. To learn more, read Requesting App setup.

  • Configure how your Auth0 tenant federates with your customer’s enterprise IdP: In our test environment, the enterprise IdP will be your Okta test tenant, representing one of your enterprise customers. To learn more, read Federate with the enterprise IdP and Organization configuration.

  • Manage Cross App Access in Okta: Configure agent-to-app and app-to-app connections in the Okta Admin Console. To learn more, read Manage Cross App Access in Okta.

The following image maps the responsibilities of the different personas in a production-ready XAA flow: 

Create and configure your Okta tenant

To set up your end-to-end test environment for the Resource App, you need to create and configure your Okta tenant for Cross App Access.

  • On the Okta Developer website, sign up for an Okta Integrator Free Plan. Once you sign up, you should be redirected to your new Okta tenant.

  • In the Okta Admin Console, navigate to Settings > Features. Under Early access features, enable Cross App Access.

Resource App setup

To set up your Resource App, you need to:

Create the API in Auth0

In the Auth0 Dashboard, register a custom API representing your SaaS API in your Auth0 tenant.

After you’ve created the API, you can optionally set its audience as the Default Audience for your Auth0 tenant under Tenant Settings.

You can also use API Access Policies for Applications to granularly control which applications are granted access to your API for which scopes.

Create the Resource App in Auth0

In the Auth0 Dashboard, create an application, such as a regular web app, SPA, or native app, that serves as the primary interface for end-users to access your SaaS application functionality.

Register the Resource App in Okta

You must register your SaaS application in the Okta Integration Network (OIN) for it to be considered a valid Resource App. 

To register your SaaS application as a Resource App in Okta, you have two options:

  • For a quick test setup, we recommend using the Todo0 application that is already registered in the OIN. In the Okta Admin Console, go to Applications > Applications > Browse App Catalog and search for Todo0.  Select it and add the integration. 

  • You can also request the registration of a new application in the OIN from your Okta tenant. To learn more, read the Submission process for SSO and SCIM integrations. To accelerate the registration process, contact your Auth0 or Okta representative.

Additionally, you must provide Okta with the issuer URL of your Auth0 tenant, which is associated with your Resource App. Requesting Apps use the issuer URL to request connecting to your Resource App. To learn more, read Test the end-to-end XAA flow.

Requesting App setup

To set up your Requesting App, you need to:

Create the Requesting App in Auth0

To test the end-to-end environment, create and register an application that behaves as the Requesting App. The application should be a confidential client that can store client secrets, such as a web application. 

To create an application representing the Requesting App in your Auth0 tenant:

  • Navigate to Applications > Applications and click Create Application.

  • Enter a name and select Regular Web Application.

  • Once you’ve created the application, scroll to Settings and enable the Cross App Access toggle.

Once you’ve created and configured your application, you must provide Okta with the application’s client_id and the issuer URL of your Auth0 tenant. This enables the connection between the Requesting App, identified by the client_id, and the Resource App, identified by the issuer URL. To learn more, read Test the end-to-end XAA flow.

Register the Requesting App in Okta

You must register the application in the Okta Integration Network (OIN) for it to be considered a valid XAA Requesting App when using Okta as the enterprise IdP. 

To register the Requesting App in Okta, you have two options:

  • For a quick test setup, we recommend using the Agent0 application that is already registered in the OIN. In the Okta Admin Console, go to Applications > Applications > Browse App Catalog and search for Agent0.  Select it and add the integration.

Since the Requesting App authenticates enterprise employees with Okta, you need to configure the application’s sign-on policy in Okta. 

In the Okta Admin Console: 

  1. Go to Applications > Applications and select the application (e.g. Agent0).

  2. Under Sign On, click Edit and add the Requesting App’s callback URL in the Redirect URI field. Adjust the Redirect URI’s value depending on the testing application you want to use. To learn more, read Test the end-to-end XAA flow.

  3. Click Save.

Finally, allow your test user to log into the Requesting App in Okta.

In the Okta Admin Console:

  1. Navigate to Applications and select the application (e.g. Agent0).

  2. Click  Assign > Assign to People and select your test user.

  3. Click Save.

Federate with the enterprise IdP and Organization configuration

You must federate your Auth0 tenant, acting as the authorization server for your Resource App, with your enterprise customer's Okta tenant. This federation establishes cryptographic trust, allowing your application to validate and accept signed assertions (ID-JAGs) issued by the customer's IdP.

To test the end-to-end XAA flow for multiple enterprise customers connected to your Resource App, you can repeat the steps in this section for multiple Okta Workforce Enterprise connections in your Auth0 tenant. Each connection maps to a different Okta test tenant, where each tenant represents a different enterprise customer.

Configure an Okta Workforce Enterprise connection

Use your Resource App’s client_id and client_secret to create an Okta Workforce Enterprise connection in your Auth0 tenant. 

When creating the Okta Workforce Enterprise connection, activate the Cross App Access - Resource Application role. This enables your Resource App to accept ID-JAGs issued by the enterprise IdP associated with that connection, in this case, your Okta tenant.

After creating the Okta Workforce Enterprise connection, copy the callback URL provided by Auth0 in the connection's settings. You need the callback URL to configure the sign-on policies of the Resource App in your Okta tenant.

In the Okta Admin Console:

  1. Navigate to Applications > Applications and select the application (e.g. Todo0).

  2. Under Sign On settings, click Edit and add the callback URL in the Redirect URI field.

  3. Click Save.

To test the Okta Workforce Enterprise connection, create a test user and give it permission to log into the Requesting App.

In the Okta Admin Console:

  • Navigate to Applications and select the application (e.g. Agent0).

  • Click Assign > Assign to People and select your test user.

  • Click Save.

In the Auth0 Dashboard:

  • Navigate to Authentication > Enterprise > Okta Workforce:

    • Enter the Okta Workforce Enterprise connection you created and click the Applications tab. Then, enable the Requesting App you created for the connection.

    • Go back to the list of Okta Workforce connections. Click the three dots on the right for your connection and click Try. You will be redirected to authenticate in your Okta tenant to complete the login with your test user.

Configure an Organization

Optionally, if you want an enterprise customer to use Organizations, create an Organization and enable the Okta Workforce Enterprise connection for that Organization. This automatically associates access tokens generated using XAA, in the scope of this connection, to the corresponding org_id if the target user is a member of the Organization.

You can also configure the Requesting App’s Organization behavior to set whether it is required or allowed to use Organizations. We recommend that you start testing with Both, which allows users to log in as an Organization member or sign up with a personal account.

Manage Cross App Access in Okta

Once you've finished setting up your end-to-end test environment, you can manage how valid XAA applications can connect to each other in the Okta Admin Console. 

In the Okta Admin Console: 

  1. Navigate to Applications > Applications and select your Resource App (e.g. Todo0).

  2. Under the Manage Connections tab, add:

  • Requesting Apps: applications that can connect to your SaaS application

  • Resource Apps: applications your SaaS application can connect to

For the end-to-end test environment, add Agent0, or the application you want to use for testing, as an authorized Requesting App.

Test the end-to-end XAA flow

To test the end-to-end XAA flow, you need to verify that your Auth0 tenant can accept the JWT-Bearer requests sent by the Requesting App. Auth0 handles that for you out of the box.

Before you can test the end-to-end XAA flow, make sure you:

  • Update the Redirect URI field to the callback URL of your testing application that acts as your Requesting App in your Okta tenant, as explained in Register the Requesting App in Okta.

  • Provide your Okta representative with the following information:

    • The issuer URL of your Auth0 tenant. Your Resource App is associated with the issuer URL in the Okta Integration Network (OIN), enabling Requesting Apps to refer to it when requesting ID-JAGs.

    • The Auth0 client_id that maps to each Requesting App in the OIN.

To get the issuer URL and the client ID within your Auth0 tenant, navigate to Applications, select your application, and click Settings:

Field Instructions Example
Issuer URL Copy your Auth0 domain, prefix it with https://, and add a trailing slash. https://tenant.region.auth0.com/ or if your customers are using a custom domain, https://custom-domain.com/.
client_id Copy the application's client ID. ovBLQycaVq6I0Xyuhq84pwDVyJeXWLyx

Exchange the ID token for an ID-JAG

First, you need to log in to your Requesting App with your Okta test tenant. When you successfully log in and grant consent, Okta redirects the browser back to your Requesting App with an authorization code. Your Requesting App then securely exchanges the authorization code for an Okta access token and ID token.

To exchange the Okta ID token for an ID-JAG, the Requesting App makes a token exchange request to the /token endpoint of your Okta test tenant with the following parameters: 

POST /oauth2/v1/token HTTP/1.1
Host: {{YOUR_TENANT}}.okta.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:id-jag
&audience={{YOUR_AUTH0_TENANT_ISSUER_URL}}
&resource={{YOUR_AUTH0_TENANT_API_AUDIENCE}}
&subject_token={{OKTA_ID_TOKEN}}
&subject_token_type=urn:ietf:params:oauth:token-type:id_token
&client_id={{REQUESTING_APP_CLIENT_ID_IN_OKTA}}
&client_secret={{REQUESTING_APP_CLIENT_SECRET_IN_OKTA}}

Was this helpful?

/

Parameter Description
grant_type The grant type. Set to the token exchange grant type: urn:ietf:params:oauth:grant-type:token-exchange.
requested_token_type The type of token the client wants to receive back from the authorization server. Set to the Identity Assertion Authorization Grant, or ID-JAG: urn:ietf:params:oauth:token-type:id-jag.
audience The intended recipient of the final token. Set to your Auth0 tenant issuer URL, or your Resource App whose authorization server is located at that specific URL.
resource Optional. The Resource App's API that the client wants to access. When the authorization server issues the final access token, it includes this resource in the token's aud claim, which the Resource App's API will use for validation.

If you don’t specify a resource parameter, the default audience you set for your tenant is used in the next request to get an access token. If you specify a resource that does not match a valid API audience in your Auth0 tenant, the token exchange request does not fail and you still receive an ID-JAG in return. However, the subsequent request to get an access token with the ID-JAG will be rejected by your Auth0 tenant.
subject_token The token the client is exchanging. For XAA, the subject token is the “proof” or “assertion” of the user’s identity. Set to the Okta ID token that the IdP will use to verify the user’s identity.
subject_token_type The type of token provided in the subject_token parameter. For XAA, it specifies that an ID token is being presented to the authorization server.
client_id The client ID of the Requesting App within the enterprise IdP that is making the token exchange request.
client_secret The client secret that that Requesting App uses to authenticate itself with the enterprise IdP.

XAA Beta does not support passing scopes to Okta’s /token endpoint. You can set the scopes in the next request to Auth0’s /token endpoint once the Requesting App receives the ID-JAG.

In a production environment, the Requesting App makes the token exchange request to the /token endpoint of your customer’s Okta tenant.

Send ID-JAG to Auth0's /token endpoint

Once the Requesting App gets an ID-JAG, it sends an access token request to the /token endpoint of your Auth0 tenant:

POST https://{{YOUR_AUTH0_TENANT_DOMAIN}}/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id={{REQUESTING_APP_CLIENT_ID_IN_AUTH0}}
&client_secret={{REQUESTING_APP_CLIENT_SECRET_IN_AUTH0}}
&scope=scope1%20scope2%20
&assertion={{ID_JAG}}

Was this helpful?

/

Parameter Description
grant_type The grant type. It tells the Authorization Server to expect a JSON Web Token (JWT) as the primary credential in the request.
client_id The client ID of the Requesting App within the Resource App Authorization Server making the API call.
client_secret The client secret of the Requesting App within the Resource App Authorization Server making the API call.
scope The set of permissions the Requesting App is requesting for the access token.
assertion The ID-JAG or JSON Web Token (JWT) that acts as the bearer of the identity assertion.

After the Auth0 Authorization Server validates the ID-JAG to verify the user’s identity, it issues an access token to consume the target API audience of your Auth0 tenant. The access token also includes the scopes you requested that are allowed by RBAC and other policies set in your Auth0 tenant.

The Auth0 Authorization Server does not issue refresh tokens in response to ID-JAG token exchanges. As a result, the Requesting App needs to get a new ID-JAG from the enterprise IdP, and undergo the applicable access controls, to get a new access token via XAA.

Beta limitations

XAA Beta has the following limitations: 

  • The Requesting App must be a confidential client and a first-party app in your Auth0 tenant. Public clients, such as SPAs and Native Apps, are not supported.

  • Delegated administration is not supported. The enterprise customer cannot directly configure SSO connections on your Auth0 tenant. Self-Service SSO support is planned for a later release.

  • There can only be one XAA-enabled connection per upstream IdP issuer. The same Okta tenant can’t be used for more than one XAA-enabled enterprise connection.   

  • Organization support is limited:

    • A connection has a 1:1 assignment with an Organization. Multiple Organizations cannot map to the same connection for XAA access. 

    • When the Requesting App is configured to require the use of Organizations, users must already be members of the target organization.

  • If the resource parameter is not specified in the ID-JAG request, the target API is determined by the tenant.default_audience.

  • No dynamic user creation: The user must have previously logged into your Resource App using the configured Okta connection. Otherwise, the request to exchange the ID-JAG assertion for an access token will fail with a User not found error.

Rate limits

In XAA Beta, ID-JAG exchanges on the /token endpoint of your Auth0 tenant will be rate-limited to 5 RPS.