Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

headless access (machine to machine) use case #115

Closed
monde opened this issue Jul 25, 2023 · 3 comments
Closed

headless access (machine to machine) use case #115

monde opened this issue Jul 25, 2023 · 3 comments
Labels
triaged triaged into Okta's Jira backlog v2-headless will be addressed in v2 headless release

Comments

@monde
Copy link
Collaborator

monde commented Jul 25, 2023
edited
Loading

The initial implementation of okta/okta-aws-cli is making use of an OIE organization with an OIDC Native Application paired to an Okta AWS Federation integration application. The Okta AWS Fed App makes use of a feature we call Web SSO token that is based on a device grant and user authentication. This use case is human and web browser oriented.

I have a proof of concept to implement a headless access use case in okta/okta-aws-cli. This makes use of an Okta Custom Authorization server paired with an IAM OIDC based IdP. This feature has existed in Okta for two or three years. Additionally, an Okta Service app is paired with the Okta custom authorization server via an authentication policy. Okta service apps allow for authentication with a secret provided by Okta, a private key provided by Okta, or a private key that is provisioned by the administrator of the Okta service app.

The POC's auth flow to receive temporary IAM credentials is as follows: an access token is requested for the service app , the request is signed with the secret key the operator controls. The Okta authorization server responds with a token if the request is valid. The Okta access token is then presented to AWS STS for temporary IAM creds using the AWS AssumeRoleWithWebIdentity mechanism. On AWS's back end, it communicates with the Okta custom authorization server in the OpenID Connect standard. These abilities between AWS and Okta exist today and the next step is to encapsulate them within the runtime of the okta-aws-cli so the operator doesn't have write shell scripts and do it on their own.

@jefftaylor-okta will be flushing out the interface and behavior details on how we expose this in the okta-aws-cli . This pinned issue can give the community an opportunity to give feedback on the feature as well.
@monde monde pinned this issue Jul 25, 2023
@monde monde mentioned this issue Aug 29, 2023
Closed
@monde
Copy link
Collaborator Author

monde commented Aug 29, 2023

Okta internal reference https://oktainc.atlassian.net/browse/OKTA-642709

@monde monde added triaged triaged into Okta's Jira backlog v2-headless will be addressed in v2 headless release labels Aug 29, 2023
@monde
Copy link
Collaborator Author

monde commented Sep 29, 2023

First beta release https://github.com/okta/okta-aws-cli/releases/tag/v2.0.0-beta.0

Instructions in the README on the M2M feature branch https://github.com/okta/okta-aws-cli/tree/m2m_feature

@monde
Copy link
Collaborator Author

monde commented Feb 14, 2024

pure OIDC m2m released in v2.0.0

@monde monde closed this as completed Feb 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged triaged into Okta's Jira backlog v2-headless will be addressed in v2 headless release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@monde