DEV Community

Mariela Dimitrova for Software AG Tech Community

Posted on • Originally published at tech.forums.softwareag.com on

Authenticating webMethods.io API Gateway APIs using OKTA as authorization server for OpenID mechanism

Introduction

This article explains about how to implement OpenID on API gateway for OKTA authorization server

Audience

It is assumed that readers of this article know how to setup API’s in API gateway.

Pre-Requisites

• Active tenant subscription on Webmethods.io API Gateway

• Configure the API in API gateway.

• Create Application and associate API with application.

• Refer the link to create API

GitHub - SoftwareAG/webmethods-api-gateway: Repository hosting developer tutorials, code samples, custom policies, CI/CD scripts and more to enable developers develop faster with API Gateway

• Active account for OKTA

Use Case:

• We configured the API in API Gateway. This API checks the availability of bed in hospitals.

• To invoke this API from API Gateway we have implemented the OpenID connect mechanism.

• In our case, OKTA will be working as authorization server.

What is OpenID?

• OpenID Connect (OIDC) is a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the person who is logged in.

• Establishing a login session is often referred to as authentication, and information about the person logged in (i.e. the Resource Owner) is called identity.

• When an Authorization Server supports OIDC, it is sometimes called an identity provider, since it provides information about the Resource Owner back to the Client.

image

Grant Types

 OpenID Connect supports the following authentication flows

Enter fullscreen mode Exit fullscreen mode

• The Implicit Flow is required for apps that have no “back end” logic on the web server, like a Javascript app.

• The Authentication (or Basic) Flow is designed for apps that have a back end that can communicate with the IdP away from prying eyes.

• The Resource Owner Password Grant does not have an login UI and is useful when access to a web browser is not possible.

• The Client Credentials Grant is useful for machine to machine authorization.

For More info please follow below link:

An Illustrated Guide to OAuth and OpenID Connect | Okta Developer

Configuration at OKTA (Authorization server)

Create Application

• Login to Okta Account

• Navigate to application, click on create New Application

• Select API services

• Click Next and Save it.

image

• Copy the Client ID and client secret

• Save the credentials for future use.

image

Create Authorization server

• Navigate to Security and then select API

• Select Add in Authorization server.

image

• Create rule with default settings

image

Create Token

• Navigate to the security and then select API

• Click on create token

• Name the token as okta token

• Copy the token and save it for future use.

• This token will be configured in API GW as SSWS token.

API Used for our Use case at webmethods.io API Gateway

   **API Name:** CheckBedAvailability

Enter fullscreen mode Exit fullscreen mode

image

Enforce policy

• Open the API CheckBedAvailability.

• Navigate to the policy

• Click on Identify & Access policy.

image

• Select Identify & Authorize Application.

• Select OpenID connect.

• Save the changes.

image

Create Scope in API

  1. Go to the API in our case it is checkBedAvailablity
  2. Navigate to scopes with in the API
  3. Create the scope and map the resource with it
  4. In our case scope name is CheckBedAvailibiltyScopeV3
  5. Add resource name is CheckBedAvailability
  6. Click Save.

image

Before Configuring the Authorization server, we need to understand couple of terminologies

Introspection :

Introspection is the way to authenticate the token. It is sub divided into 2 parts

  1. Local introspection Validating the token within the gateway. This can be done using the JWKS URI or the public certificate of the issuer. For this the token should necessarily be JWT.
  2. Remote introspection : Validating the token with the authorization server. It has introspection endpoint, which is used to validate the token. Along with that we have client id and client secret which we are used to protect the endpoint, so that anonymous users won’t get access to the resource. Underneath to invoke an endpoint we need a user, Gateway user is the one under which we invoke the endpoint. Dynamic client registration Dynamic client registration is used when you want to create the client automatically in the OAuth2 authorization server when application is created in API Gateway.

Add Authorization Server

• Click on administration tab

• Navigate to Security tab

• From the left-hand tab click on JWT\OAuth\OpenID

• Click on Add authorization server.

• Provide the name as ExternalOktaServer

image

  1. Provide the Discovery URL and click on Discover. image
  2. This will populate the values on Introspection, Dynamic client registration and in Metadata.
  3. Add the scope and save it. image

Map Scope OAuth Scopes

  1. Click on map Scope
  2. Give the authorization server scope , In our case it will be OktaAuthServerScopeMapping image
  3. Give the API scope name In our case it we have given in CheckBedAvailibiltyScopeV3
  4. Click Save. image

Create Application

  1. Click on create Application and name it as OpenIDApp.
  2. Select the API which we want to associate with this application. In our case it will checkBedAvailibility API.
  3. Click on Authentication and then click on Create Strategy
  4. Select Authentication scheme as OpenID
  5. Provide the name for the strategy, In our case we have named it as OktaStrategy
  6. Select the authentication server as OktaAuthServer.
  7. Provide ClientID
  8. Enable the HMAC Algorithm.
  9. Provide the client secret
  10. Click Save

image

Test Using postman client

  1. Select Authorization as OAuth 2.0
  2. Set the below values Grant Type : Authorization code Call Back url : https://oauth.pstmn.io/v1/callback Authorise URL : We can get the from the metadata provided by OKTA Access Token URL : We can get the from the metadata provided by OKTA Client ID : We can get the from the metadata provided by OKTA Client Secret : We can get the from the metadata provided by OKTA Scope : openid State : Any random alphanumeric value Client Authentication : Send Client credentials in Body image
  3. Click on generate token image
  4. Click on use token
  5. Submit the request image
  6. Validate the response.

Read full topic

Top comments (0)