Overview

Use this policy to authenticate a client by delegating the authentication to an OAuth2 provider. If this policy is applied, it is used to authenticate any request that does not contain credentials for any other authentication policies (such as API Key). The client is redirected to the OAuth provider to start the authentication flow. Once the flow completes, and the access token is obtained, the policy uses it to perform one or more requests to get information about the user, such as the ID and assigned role. Finally, a session cookie is returned to the client, and the client is redirected back to the requested URL. Subsequent requests authenticate based on the session cookie instead of repeating the OAuth flow. This implementation is based on the authorization code flow from Okta.

...