In this guide, we explain how to integrate the WSO2 API Manager with an external Identity and Access Management server (IAM) using the Okta OAuth Authorization Server to manage the OAuth clients and tokens required by WSO2 API Manager. This is a sample client implementation that consumes APIs exposed by Okta OAuth.
Create an Okta developer account. Get the Instance URL, authorization server ID, API Key and configure the access policy and the rule.
-
Go to the Okta sign up page. Create an Okta account and get the Okta instance URL.
E.g., https://dev-735404.okta.com
-
Get the authorization server ID by following the steps below :
-
Go to the Authorization Servers section in the API tab.
-
Create a new authorization server. Alternatively, you can use the default server.
-
Add a default scope. For that select the authorization server (ex: default) and go to the Scopes tab and create a new scope (say default). Select the default tick.
-
-
Get the API key :
- Go to the Authorization Servers section in the API tab and select the Tokens tab.
- Click Create Token and provide the name for the token.
- After successful token creation, copy the Token value for the further use.
-
Create Access Policies : If you already have at least one access policy in your authorization server, skip the following steps and go to
step 1: (5).- In the Okta Developer Dashboard, navigate to API > Authorization Servers.
- Choose the name of an Authorization Server.
- Choose Access Policies > Add Policy
- Provide the requested information.
- Click Create Policy to save the policy.
-
Create Rules for Access Policy : If you already have at least one rule in your access policy, skip the following steps and go to
step 1: (6).- In the Okta Developer Dashboard, navigate to API > Authorization Servers.
- Choose the name of an authorization server, and select Access Policies.
- Choose the name of an access policy, and select Add Rule.
- Enter the requested information.
- Click Create Rule to save the rule.
-
Create OAuth application to get credentials to access the introspect api:
- Go to the Applications tab and select Add Application button.
- Select Web type in the list and select next
- Under the Grant type allowed section, tick Client Credentials
- Once app is created, note down the Client ID and Client secret under Client Credentials section.
-
Download latest OKTA-OAuth-Client-2.x.x.jar from here.
-
Copy that JAR file into the
<API-M_HOME>/repository/components/libdirectory. -
Uncomment or add the following parameters in the
<API-M_HOME>repository/conf/deployment.tomlfile. Change the values based on your third-party API.[apim.oauth_config] set_jwt_as_opaque_token = true [apim.key_manager] key_manager_client_impl = "org.wso2.okta.client.OktaOAuthClient" key_validation_handler_impl = "org.wso2.okta.client.OktaKeyValidationHandler" [apim.key_manager.configuration] oktaInstanceUrl = "https://dev-735404.okta.com" defaultScope = "default" authorizationServerId = "default" apiKey = "xxxxxxxxxxxxxxxxxxxx" client_id = "0oa2b1ir5x9qbp5AS4x6" client_secret = "xxxxxxxxxxxxxxxxxxx"
Element Description oktaInstanceUrl Url generated in the section 1 defaultScope Scope defined in the point 3 in section 2 authorizationServerId Server id which was created in point 2 in section 2 apiKey Token generated in section 3 client_id Client id generated from section 6 client_secret Client secret generated from section 6
You have connected WSO2 API Manager with a third-party Okta authorization server. Let's see how WSO2 API Manager creates OAuth clients at Okta OAuth, when applications are registered in the Dev Portal.
-
Start WSO2 API Manager.
-
Sign in to the Dev Portal :
- Dev Portal UI :
Sign in using the SIGN-IN button at the top right corner.
- Generate access token to access dev portal apis : follow the steps in here to generate an access token to access dev portal apis.
- Dev Portal UI :
Sign in using the SIGN-IN button at the top right corner.
-
Create an application :
-
Dev Portal UI :
Go to the Dev Portal and click the Applications. Click ADD NEW APPLICATION to create a new application.
-
cURL command :
curl -k -X POST \ -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" \ -H "Content-Type: application/json" \ -d'{ "name":"OktaAPP", "throttlingPolicy":"Unlimited", "description":"Okta sample App", "tokenType":"OAUTH", "groups":null, "attributes":{ } }' https://localhost:9443/api/am/store/v1/applicationsNote note down the applicationId returned in the response. This will be used in the next step
-
-
Generate an Application Key :
Register an OAuth client in the Okta authorization server and generate the access token.
-
cURL command :
You need to send the specific parameters required by the Okta OAuth Server in
additionalPropertiesas shown below.curl -k -X POST \ -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" -H "Content-Type: application/json" \ -d '{ "keyType":"PRODUCTION", "grantTypesToBeSupported":[ "refresh_token", "password", "client_credentials", "authorization_code", "implicit" ], "callbackUrl":"https://www.wso2.com", "validityTime":3600, "additionalProperties": "{\"response_types\": \"code,token,id_token\", \"grant_types\": \"refresh_token,authorization_code,implicit,client_credentials,password\",\"token_endpoint_auth_method\": \"client_secret_basic\",\"application_type\": \"web\", \"tokenGrantType\" : \"client_credentials\", \"tokenScope\": \"scope1,scope2\"}" }' https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f/generate-keysNote
additionalPropertieselement contains the parameters that need to be passed for the Okta.Note Response for the above request contains the access token issued by Okta. You could note down this value or you could generate it again using Okta token apis (https://developer.okta.com/docs/reference/api/oidc/#token)
curl -X POST \ -H "Content-type:application/x-www-form-urlencoded" \ "https://dev-735404.okta.com/oauth2/default/v1/token" \ -d "client_id=<client_id>&client_secret=<secret>&grant_type=client_credentials&scope=default"
-
-
Invoke an API
- Log in to the Publisher portal and publish an API.
- Log in to the Dev portal and subscribe the API to the previously created Application in step 1.
- Invoke the api using the previously generated token. You could use the Try Out feature in the Dev Portal to test this
-
Update grant types :
Edit the application details in Okta.
- cURL command :
-
Write a JSON string with the required parameters.
Note : Make sure to include the following parameter in the JSON string . "updateAppInOkta" : "true"
E.g.,
{"response_types":"code,token,id_token","grant_types":"refresh_token,authorization_code,implicit","token_endpoint_auth_method": "client_secret_basic","application_type": "web", "updateAppInOkta" : "true"}'curl -X PUT
-H "Content-Type: application/json" -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a"
-d'{ "supportedGrantTypes":[ "refresh_token", "authorization_code", "implicit", "client_credentials", "password" ], "callbackUrl":"http://localhost", "keyType":"PRODUCTION", "additionalProperties":"{"response_types":"code,token,id_token","grant_types":"refresh_token,authorization_code,implicit","token_endpoint_auth_method": "client_secret_basic","application_type": "web", "updateAppInOkta" : "true"}" }' -k https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f/keys/PRODUCTION
-
- cURL command :
-
Delete an OAuth Application :
To delete an OAuth application in the Okta server, do the following.
-
Dev Portal UI:
Go to the Applications page in the WSO2 Dev Portal. Click Delete to delete your application.
-
cURL command :
curl -k -X DELETE \ -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" \ https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f
-
-
Provision an Out-of-Band OAuth Client : Provision an OAuth client created in the Okta server.
Enable the option to provide out-of-band keys by opening the
<API-M_HOME>repository/conf/deployment.tomlfile and uncommenting the#[apim.devportal]setting toenable_key_provisioning = true.[apim.devportal] enable_key_provisioning = truePrerequisites Create an application in Okta as mentioned in the step 6 in section 1 and get the client id and the client secret.
-
Dev portal UI :
After creating an application, go to the Production Keys tab of the Application.
Go to Provide Keys under Provide Existing OAuth Keys.
Fill out the required parameters and click Save. You will be redirected to the page that has application and access token details.
Note : If you have not provide consumer secret, the access token will not be generated.
Note : Please make a note of this Consumer Secret and Access Token values, as it will be the only one time that you will be able to view it.
-
-
Revoke the token and re-generate the access token from the OAuth Provider :
- Replace
<ConsumerKey:ConsumerSecret>with theBase64 encoded ConsumerKey:ConsumerSecretof the client application you just created.
curl -k -d "token=eyJraWQiOiJHTmtDeWd3dklXLTJjV1pGaXNVMkdKa2dXRi1WRk04R2tzeDc4VHZwTU00IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULm5oNmhlNy0yNm1YZUgxc" -H "Authorization: Basic <ConsumerKey:ConsumerSecret>" -H "Content-Type: application/x-www-form-urlencoded" https://dev-76321439.oktapreview.com/oauth2/default/v1/revoke- Obtain a token from the OAuth Provider.
Replace
<ConsumerKey:ConsumerSecret>with theBase64 encoded ConsumerKey:ConsumerSecretof the client application you just created.
curl -k -d "grant_type=client_credentials&scope=test" -H "Authorization: Basic <ConsumerKey:ConsumerSecret>" -H "Content-Type: application/x-www-form-urlencoded" https://dev-76321439.oktapreview.com/oauth2/default/v1/token - Replace
