config.md
Integrate WSO2 API Manager 3.0.0 with an external IAM using the Okta OAuth Authorization Server

In this guide, we explain how to integrate the WSO2 API Manager with an external Identity and Access Management server (IAM) using the Okta OAuth Authorization Server to manage the OAuth clients and tokens required by WSO2 API Manager. This is a sample client implementation that consumes APIs exposed by Okta OAuth.

Follow the instructions below to configure the third-party Key Manager.

Step 1: Prerequisites

Create an Okta developer account. Obtain the instance URL, the authorization server ID and the API key, and configure an access policy and a rule.

  1. Go to the Okta sign up page. Create an Okta account and get the Okta instance URL.

    E.g., https://dev-735404.okta.com

  2. Get the authorization server ID by following the steps below:

    1. Go to the Authorization Servers section in the API tab.

    2. Create a new authorization server. Alternatively, you can use the default server.

    3. Add a default scope. Select the authorization server (e.g., default), go to the Scopes tab and create a new scope (say default). Tick the option that marks it as the default scope.

  3. Get the API key:

    1. Go to the Authorization Servers section in the API tab and select the Tokens tab.
    2. Click Create Token and provide a name for the token.
    3. After the token is created, copy the token value for later use.

  4. Create Access Policies: If you already have at least one access policy in your authorization server, skip the following steps and go to item 5.

    1. In the Okta Developer Dashboard, navigate to API > Authorization Servers.
    2. Choose the name of an Authorization Server.
    3. Choose Access Policies > Add Policy.
    4. Provide the requested information.
    5. Click Create Policy to save the policy.
  5. Create Rules for Access Policy: If you already have at least one rule in your access policy, skip the following steps and go to item 6.

    1. In the Okta Developer Dashboard, navigate to API > Authorization Servers.
    2. Choose the name of an authorization server, and select Access Policies.
    3. Choose the name of an access policy, and select Add Rule.
    4. Enter the requested information.
    5. Click Create Rule to save the rule.
  6. Create an OAuth application to obtain credentials for accessing the introspect API:

    1. Go to the Applications tab and click the Add Application button.
    2. Select the Web type in the list and click Next.
    3. Under the Grant type allowed section, tick Client Credentials.
    4. Once the app is created, note down the Client ID and Client secret under the Client Credentials section.

Step 2: Configure WSO2 API Manager

  1. Download the latest OKTA-OAuth-Client-2.x.x.jar from here.

  2. Copy that JAR file into the <API-M_HOME>/repository/components/lib directory.

  3. Uncomment or add the following parameters in the <API-M_HOME>/repository/conf/deployment.toml file. Change the values to match your third-party (Okta) setup.

    [apim.oauth_config]
    set_jwt_as_opaque_token = true
    
    [apim.key_manager]
    key_manager_client_impl = "org.wso2.okta.client.OktaOAuthClient"
    key_validation_handler_impl = "org.wso2.okta.client.OktaKeyValidationHandler"
    
    [apim.key_manager.configuration]
    oktaInstanceUrl = "https://dev-735404.okta.com"
    defaultScope = "default"
    authorizationServerId = "default"
    apiKey = "xxxxxxxxxxxxxxxxxxxx"
    client_id = "0oa2b1ir5x9qbp5AS4x6"
    client_secret = "xxxxxxxxxxxxxxxxxxx"

    Element                 Description
    oktaInstanceUrl         Instance URL obtained in Step 1, item 1
    defaultScope            Scope created in Step 1, item 2 (sub-step 3)
    authorizationServerId   ID of the authorization server created in Step 1, item 2
    apiKey                  API token generated in Step 1, item 3
    client_id               Client ID of the OAuth application created in Step 1, item 6
    client_secret           Client secret of the OAuth application created in Step 1, item 6

Step 3: Run the sample

You have now connected WSO2 API Manager to a third-party Okta authorization server. Let's see how WSO2 API Manager creates OAuth clients in Okta when applications are registered in the Dev Portal.

  1. Start WSO2 API Manager.

  2. Sign in to the Dev Portal:

    1. Dev Portal UI: Sign in using the SIGN-IN button at the top right corner.
    2. REST API: follow the steps here to generate an access token for the Dev Portal APIs.
  3. Create an application:

    1. Dev Portal UI:

      Go to the Dev Portal and click Applications. Click ADD NEW APPLICATION to create a new application.

    2. cURL command:

      curl -k -X POST \
          -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" \
          -H "Content-Type: application/json" \
          -d '{
                "name": "OktaAPP",
                "throttlingPolicy": "Unlimited",
                "description": "Okta sample App",
                "tokenType": "OAUTH",
                "groups": null,
                "attributes": {}
              }' \
          https://localhost:9443/api/am/store/v1/applications

      Note: Note down the applicationId returned in the response; it is used in the next step.

  4. Generate an Application Key:

    Register an OAuth client in the Okta authorization server and generate the access token.

    1. cURL command:

      You need to send the specific parameters required by the Okta OAuth Server in additionalProperties, as shown below.

        curl -k -X POST \
            -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" -H "Content-Type: application/json" \
            -d '{
            "keyType":"PRODUCTION",
            "grantTypesToBeSupported":[
                "refresh_token",
                "password",
                "client_credentials",
                "authorization_code",
                "implicit"
            ],
            "callbackUrl":"https://www.wso2.com",
            "validityTime":3600,
            "additionalProperties": "{\"response_types\": \"code,token,id_token\", \"grant_types\": \"refresh_token,authorization_code,implicit,client_credentials,password\",\"token_endpoint_auth_method\": \"client_secret_basic\",\"application_type\": \"web\", \"tokenGrantType\" : \"client_credentials\", \"tokenScope\": \"scope1,scope2\"}"
            }' https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f/generate-keys
      

      Note: The additionalProperties element contains the parameters that are passed through to Okta.

      Note: The response to the above request contains the access token issued by Okta. Note down this value, or generate a new one using the Okta token API (https://developer.okta.com/docs/reference/api/oidc/#token):

      curl -X POST \
          -H "Content-type:application/x-www-form-urlencoded" \
          "https://dev-735404.okta.com/oauth2/default/v1/token" \
          -d "client_id=<client_id>&client_secret=<secret>&grant_type=client_credentials&scope=default"
      
  5. Invoke an API:

    1. Log in to the Publisher portal and publish an API.
    2. Log in to the Dev Portal and subscribe the API to the previously created application.
    3. Invoke the API using the previously generated token. You can use the Try Out feature in the Dev Portal to test this.
  1. Update grant types:

    Edit the application details in Okta.

    1. cURL command:
      1. Write a JSON string with the required parameters.

        Note: Make sure to include the following parameter in the JSON string: "updateAppInOkta": "true"

        E.g.,

        {"response_types":"code,token,id_token","grant_types":"refresh_token,authorization_code,implicit","token_endpoint_auth_method":"client_secret_basic","application_type":"web","updateAppInOkta":"true"}

        Send it as the additionalProperties value of the key update request. Because additionalProperties is itself a JSON string, the inner quotes must be escaped:

        curl -k -X PUT \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" \
            -d '{
            "supportedGrantTypes":["refresh_token","authorization_code","implicit","client_credentials","password"],
            "callbackUrl":"http://localhost",
            "keyType":"PRODUCTION",
            "additionalProperties":"{\"response_types\":\"code,token,id_token\",\"grant_types\":\"refresh_token,authorization_code,implicit\",\"token_endpoint_auth_method\":\"client_secret_basic\",\"application_type\":\"web\",\"updateAppInOkta\":\"true\"}"
            }' https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f/keys/PRODUCTION
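Both the generate-keys and the key update request carry the Okta parameters as a JSON string nested inside JSON, which is easy to get wrong by hand. The following is an added example, not code from this guide or from the WSO2 Okta client; the function names are my own. It builds both request bodies with json.dumps so the nesting is always valid, adds the updateAppInOkta flag only on updates, and rejects grant types the client cannot register.

```python
import json

# WSO2 grant-type names (grantTypesToBeSupported / supportedGrantTypes) and the
# names the Okta client forwards in additionalProperties. They coincide for the
# grants used on this page; the explicit map makes an unknown grant fail early.
WSO2_TO_OKTA_GRANT = {g: g for g in (
    "refresh_token", "password", "client_credentials", "authorization_code", "implicit")}


def okta_additional_properties(grant_types, update=False,
                               response_types=("code", "token", "id_token"),
                               token_endpoint_auth_method="client_secret_basic",
                               application_type="web", **extra):
    """Return the additionalProperties value: a JSON string, not a JSON object."""
    unknown = [g for g in grant_types if g not in WSO2_TO_OKTA_GRANT]
    if unknown:
        raise ValueError(f"grant types the Okta client cannot register: {unknown}")
    props = {
        "response_types": ",".join(response_types),
        "grant_types": ",".join(WSO2_TO_OKTA_GRANT[g] for g in grant_types),
        "token_endpoint_auth_method": token_endpoint_auth_method,
        "application_type": application_type,
    }
    if update:
        props["updateAppInOkta"] = "true"  # required on PUT .../keys/PRODUCTION
    props.update(extra)  # e.g. tokenGrantType, tokenScope from the generate-keys call
    return json.dumps(props)  # escapes the inner quotes for the outer JSON body


def generate_keys_body(grant_types, callback_url, validity=3600, **okta_extra):
    """Body for POST /applications/{id}/generate-keys."""
    return {
        "keyType": "PRODUCTION",
        "grantTypesToBeSupported": list(grant_types),
        "callbackUrl": callback_url,
        "validityTime": validity,
        "additionalProperties": okta_additional_properties(grant_types, **okta_extra),
    }


def update_keys_body(grant_types, callback_url, **okta_extra):
    """Body for PUT /applications/{id}/keys/PRODUCTION."""
    return {
        "supportedGrantTypes": list(grant_types),
        "callbackUrl": callback_url,
        "keyType": "PRODUCTION",
        "additionalProperties": okta_additional_properties(grant_types, update=True, **okta_extra),
    }


def okta_properties(body):
    """Decode the nested string back into a dict, as the key manager will see it."""
    return json.loads(body["additionalProperties"])
```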

        
        
  2. Delete an OAuth Application:

    To delete an OAuth application in the Okta server, do the following.

    1. Dev Portal UI:

      Go to the Applications page in the WSO2 Dev Portal. Click Delete to delete your application.

    2. cURL command:

      curl -k -X DELETE \
      -H "Authorization: Bearer e3f6a2f4-1b88-3458-8a39-99e54c7d283a" \
      https://localhost:9443/api/am/store/v1/applications/4f320831-98eb-45a1-99eb-aa4c2b60c03f
      
  3. Provision an Out-of-Band OAuth Client: Provision an OAuth client that was created in the Okta server.

    Enable the option to provide out-of-band keys by opening the <API-M_HOME>/repository/conf/deployment.toml file, uncommenting the [apim.devportal] section and setting enable_key_provisioning = true.

      [apim.devportal]
      enable_key_provisioning = true
    

    Prerequisites: Create an application in Okta as described in Step 1, item 6, and note the client ID and client secret.

    1. Dev Portal UI:

      After creating an application, go to the Production Keys tab of the Application.

      Click Provide Keys under Provide Existing OAuth Keys.

      Fill out the required parameters and click Save. You will be redirected to a page that shows the application and access token details.

      Note: If you do not provide the consumer secret, the access token is not generated.

      Note: Make a note of the Consumer Secret and Access Token values; this is the only time you will be able to view them.

  4. Revoke the token and re-generate the access token from the OAuth Provider:

    1. Revoke the token. Replace <ConsumerKey:ConsumerSecret> with the Base64 encoded ConsumerKey:ConsumerSecret of the client application you just created.
        curl -k -d "token=eyJraWQiOiJHTmtDeWd3dklXLTJjV1pGaXNVMkdKa2dXRi1WRk04R2tzeDc4VHZwTU00IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULm5oNmhlNy0yNm1YZUgxc" -H "Authorization: Basic <ConsumerKey:ConsumerSecret>" -H "Content-Type: application/x-www-form-urlencoded" https://dev-76321439.oktapreview.com/oauth2/default/v1/revoke

    2. Obtain a token from the OAuth Provider. Replace <ConsumerKey:ConsumerSecret> with the Base64 encoded ConsumerKey:ConsumerSecret of the client application you just created.
        curl -k -d "grant_type=client_credentials&scope=test" -H "Authorization: Basic <ConsumerKey:ConsumerSecret>" -H "Content-Type: application/x-www-form-urlencoded" https://dev-76321439.oktapreview.com/oauth2/default/v1/token
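The two Okta calls above authenticate with a Basic header built from ConsumerKey:ConsumerSecret. As an added example that is not part of this guide, the helpers below (function names are my own) build the revoke and token requests so they can be checked offline, and send them with urllib, which verifies the Okta TLS certificate instead of skipping verification as curl -k does.

```python
import base64
import urllib.request
from urllib.parse import quote, urlencode


def basic_auth_header(consumer_key, consumer_secret):
    # RFC 6749 section 2.3.1: form-urlencode each part, then base64 "key:secret".
    # For the URL-safe credentials Okta issues the encoding is a no-op, but it
    # keeps a secret containing ':' or '%' from yielding a header Okta cannot parse.
    raw = f"{quote(consumer_key, safe='')}:{quote(consumer_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def okta_endpoint(instance_url, server_id, name):
    # Same URL shape as on the page: https://<instance>/oauth2/<serverId>/v1/<name>
    return f"{instance_url.rstrip('/')}/oauth2/{server_id}/v1/{name}"


def _form_request(url, consumer_key, consumer_secret, fields):
    headers = {
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode(fields)


def revoke_request(instance_url, server_id, consumer_key, consumer_secret, token):
    """(url, headers, body) for POST .../v1/revoke; token_type_hint is the RFC 7009 hint."""
    return _form_request(okta_endpoint(instance_url, server_id, "revoke"),
                         consumer_key, consumer_secret,
                         {"token": token, "token_type_hint": "access_token"})


def token_request(instance_url, server_id, consumer_key, consumer_secret, scope):
    """(url, headers, body) for POST .../v1/token using the client_credentials grant."""
    return _form_request(okta_endpoint(instance_url, server_id, "token"),
                         consumer_key, consumer_secret,
                         {"grant_type": "client_credentials", "scope": scope})


def send(url, headers, body, timeout=10):
    # urllib verifies the server certificate by default, unlike curl -k in the guide.
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()
```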