Create an OIDC application
Note: If you have a standard Okta account, you must first navigate to your Okta org's admin portal (step 1). Developer accounts can skip to step 2.
- Go to your org and click Admin in the top right corner to access the admin portal.
- Select Applications.
- Select Add Application.
- Choose Web and OpenID Connect, then click Create.
- Give it a name, enter the URL of your Ambassador Edge Stack load balancer in Base URIs, and enter the callback URL {AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint as the Login redirect URIs. Okta only redirects back to URIs on this list, and the match is exact, so the scheme, host and path must agree with the protectedOrigins you configure in the Filter below.
Copy the Client ID and Client Secret and use them to fill in the clientID and secret fields of your Okta OAuth2 Filter.
Get the audience configuration
- Select API and Authorization Servers.
- You can use the default Authorization Server or create your own.
- If you are using the default, the audience of your Okta OAuth2 Filter is api://default.
- The value of the authorizationURL is the Issuer URI of the Authorization Server. For the default server this is https://{OKTA_DOMAIN}.okta.com/oauth2/default, which is the value the Filter below uses; the tokens Okta issues carry this exact string as their iss claim.
Configure your OAuth Filter and FilterPolicy with the following:
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: okta-filter
  namespace: default
spec:
  OAuth2:
    authorizationURL: https://{OKTA_DOMAIN}.okta.com/oauth2/default
    audience: api://default
    clientID: CLIENT_ID
    secret: CLIENT_SECRET
    protectedOrigins:
    - origin: https://datawire-ambassador.com
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: httpbin-policy
  namespace: default
spec:
  rules:
  - host: "*"
    path: /httpbin/ip
    filters:
    - name: okta-filter ## Enter the Filter name from above
      arguments:
        scope:
        - "openid"
        - "profile"
Note: Scope values openid and profile are required at a minimum. Other scope values can be requested here as long as they are defined on the Authorization Server.
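The following is an added example written for this page, not code from Edge Stack or Okta. It checks, offline and with only the Python standard library, that the Filter and FilterPolicy values above are consistent with what Okta publishes, derives the redirect URI that must be registered in Okta from the protected origin, builds the authorization request the filter would redirect a browser to, and applies the two claim checks that authorizationURL and audience exist to enforce (iss and aud). The Okta domain example-dev, the client credentials, the discovery document and the token are all constructed for the example.

```python
# Added example (not Edge Stack or Okta code): offline consistency checks for the
# Okta OAuth2 Filter above. Domain, credentials, discovery document and token are
# constructed; only the standard library is used.
import base64
import json
import time
from urllib.parse import urlencode, urlparse

REQUIRED_SCOPES = {"openid", "profile"}  # minimum the page requires

# Mirrors the Filter spec on this page; the credentials are constructed values
# standing in for the CLIENT_ID / CLIENT_SECRET placeholders.
FILTER = {
    "authorizationURL": "https://example-dev.okta.com/oauth2/default",
    "audience": "api://default",
    "clientID": "0oa1exampleclientid",
    "secret": "constructed-secret-value",
    "protectedOrigins": [{"origin": "https://datawire-ambassador.com"}],
}

# Constructed stand-in for GET {authorizationURL}/.well-known/openid-configuration
DISCOVERY = {
    "issuer": "https://example-dev.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-dev.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-dev.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-dev.okta.com/oauth2/default/v1/keys",
}


def redirect_uri(origin):
    """The exact value that must appear in Okta's Login redirect URIs."""
    return origin.rstrip("/") + "/.ambassador/oauth2/redirection-endpoint"


def check_filter(cfg, discovery, scopes):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    issuer = cfg["authorizationURL"].rstrip("/")
    if urlparse(issuer).scheme != "https":
        problems.append("authorizationURL must be https")
    if discovery["issuer"] != issuer:
        problems.append("authorizationURL %r is not the issuer Okta publishes (%r)"
                        % (issuer, discovery["issuer"]))
    if not cfg.get("audience"):
        problems.append("audience is empty; tokens minted for other resources would pass")
    if cfg["clientID"] in ("", "CLIENT_ID") or cfg["secret"] in ("", "CLIENT_SECRET"):
        problems.append("clientID/secret still hold the placeholder values")
    for p in cfg["protectedOrigins"]:
        if urlparse(p["origin"]).scheme != "https":
            problems.append("protected origin %r is not https" % p["origin"])
    for s in sorted(REQUIRED_SCOPES - set(scopes)):
        problems.append("required scope %r missing from FilterPolicy arguments" % s)
    return problems


def authorization_request(cfg, discovery, scopes, state):
    """The redirect an unauthenticated browser receives (authorization code flow)."""
    params = {
        "client_id": cfg["clientID"],
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri(cfg["protectedOrigins"][0]["origin"]),
        "state": state,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(jwt):
    """Decode the payload of a compact JWT without checking its signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_access_token_claims(claims, cfg, now=None):
    """iss must equal authorizationURL and aud must contain audience. Signature
    verification against jwks_uri is a separate step and is not shown here."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["authorizationURL"].rstrip("/"):
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["audience"] not in aud:
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims):
    """Constructed token with a placeholder signature, only to feed the checks above."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return header + "." + body + "." + _b64url(b"not-a-real-signature")


if __name__ == "__main__":
    scopes = ["openid", "profile"]
    print(check_filter(FILTER, DISCOVERY, scopes))
    print(authorization_request(FILTER, DISCOVERY, scopes, "abc123"))
    tok = make_sample_token({"iss": DISCOVERY["issuer"], "aud": "api://default",
                             "exp": int(time.time()) + 300})
    print(check_access_token_claims(unverified_claims(tok), FILTER))
```

In practice you would replace DISCOVERY with the JSON fetched from your own authorizationURL plus /.well-known/openid-configuration; a non-empty result from check_filter usually explains a failed login before you look at the Edge Stack logs, with the redirect URI and issuer mismatches being the most common causes.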