In our second Kong and Okta tutorial, we'll go through the authorization code flow applied to user authentication processes. This series will show you how to implement service authentication and authorization for [Kong Konnect](https://konghq.com/kong-konnect)Kong Konnect and [Okta](https://www.okta.com)Okta using the [OpenID Connect](https://konghq.com/blog/openid-connect-api-gateway)OpenID Connect ([OIDC](https://docs.konghq.com/hub/kong-inc/openid-connect)OIDC) plugin. Parts 1, 3 and 4 cover:
The Konnect control plane creates new APIs and policies and publishes them to the data plane running as a Docker container in an AWS EC2 instance.
The authorization code flow goes through the following steps:
In Konnect's ServiceHub, I have a service created already. Follow along in our [Getting Started with Konnect](https://konghq.com/blog/getting-started-konnect)Getting Started with Konnect tutorial to learn how to create a service and routes.
My service has two routes defined already. I used the first service in the previous Kong and Okta tutorial to show the client credentials flow. In this tutorial, I'll use the second service to apply the OIDC plugin utilizing the authorization code flow.
In Okta, I prepared an application to implement the authorization flow already. In the Kong authorization code application, we’re going to use the configured OIDC plugin in addition to the client ID and client secret.
The app has the authorization code option turned on and the signing redirect URI set with the route available in my data plane. That means the authorization code is accepted for this URI only.
Any user is free to consume the route right now since there's no policy to control it.
Just like we did for the client credentials flow tutorial, let’s go back to the Konnect control plane to apply the OIDC plugin and then implement the authorization code flow.
If we try to consume the route again, Kong redirects us to Okta’s user interface to present our credentials.
Once we have presented our correct credentials, Okta authenticates and redirects us back to the API gateway. At this time, we’ll consume the API because we got the identity token injected inside our request.
Then we go to [jwt.io](http://jwt.io)jwt.io to check the token.
[Start a free trial](https://konghq.com/kong-konnect)Start a free trial, or [contact us](https://support.konghq.com/support/s/?_ga=2.220853277.461335063.1619442427-852472749.1605808164)contact us if you have any questions as you're getting set up.
Once you've set up Konnect and Okta authorization code flow for user authentication, you may find these other tutorials helpful:
Kong Konnect is a powerful SaaS-based API lifecycle management platform that provides a fast path for people looking to get started with Kong API Gateway. For existing users of Kong’s open-source gateway, it offers a way to rapidly take advantage of
[](https://konghq.com/blog/engineering/how-and-why-to-migrate-from-kong-open-source-to-kong-konnect)
Traditional agreement processes were slow and heavily manual. Documents were often created in office tools, shared through email, printed, signed physically, and stored across multiple systems. Tracking the status of agreements required manual follo
[](https://konghq.com/blog/engineering/automating-agreement-workflows-kong-konnect-and-docusign-for-developers)
How OAuth 2.0 Token Exchange Reshapes Trust Between Services — and Why the API Gateway Is Exactly the Right Place to Enforce It Modern applications don’t run as a single monolithic. They are composed of services — frontend APIs, backend microservi
[](https://konghq.com/blog/engineering/token-exchange-at-the-gateway)
Architecture Overview A multicloud DCGW architecture typically contains three main layers. 1\. Konnect Control Plane The SaaS control plane manages configuration, plugins, and policies. All gateways connect securely to this layer. 2\. Dedicated C
[](https://konghq.com/blog/engineering/dedicated-cloud-gateways-managed-redis-multi-cloud)
Tool discovery for AI agents In early agent implementations, tools are often statically configured inside the agent. For example: { "mcpServers": { "weatherServer": { "command": "uv", "args": "run", "weather_serv
[](https://konghq.com/blog/engineering/mcp-registry-dynamic-tool-discovery)
In today's digital landscape, APIs are the backbone of modern applications, and AI is the engine of innovation. As organizations increasingly rely on microservices and AI-powered features, the API gateway has become the critical control point for man
[](https://konghq.com/blog/engineering/prisma-airs-kong-ai-gateway)
The goal of Integration Platform as a Service (iPaaS) is to simplify how companies connect their applications and data. The promise for the first wave of iPaaS platforms like Mulesoft and Boomi was straightforward: a central platform where APIs, sys
[](https://konghq.com/blog/engineering/kong-and-polyapi)