Authenticating webMethods.io API Gateway APIs using OKTA as authorization server for OAuth mechanism

Authenticating webmethods.io API Gateway APIs using OKTA as authorization server for OAuth mechanism

Introduction

This article explains how to implement OAuth 2.0 on the webMethods.io API Gateway for OKTA authorization server

Audience

It is assumed that readers of this article know how to set up API’s on API gateway.

PreRequisites

Use Case:

  • We configured the API on API Gateway. This API checks the availability of bed in hospitals.
  • To invoke this API from API Gateway we have implemented the OAuth 2.0 mechanism.
  • In our case we our OKTA will be working as authorization server.

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

The OAuth 2.0 spec has four important roles:

  • The “authorization server” — The server that issues the access token. In this case Okta is the authorization server.
  • The “resource owner” — Normally your application’s end-user that grants permission to access the resource server with an access token
  • The “client” — The application that requests the access token from Okta and then passes it to the resource server
  • The “resource server” — Accepts the access token and must verify that it’s valid. In this case this is your application

For More info please follow the below link:
https://developer.okta.com/docs/concepts/oauth-openid/

API Used for our Use case:

   **API Name:** CheckBedAvailability

Enforce policy

• Open the API CheckBedAvailability.
• Navigate to the policy
• Click on Identify & Access policy.

image

  • Select Identify & Authorize Application.
  • Select OAuth2 Token.
  • Save the changes.

image

Create Scope in API

  1. Go to the API in our case it is checkBedAvailablity
  2. Navigate to scopes within the API
  3. Create the scope and map the resource with it
  4. In our case scope name is CheckBedAvailibiltyScopeV2
  5. Add resource name is CheckBedAvailability
  6. Click Save.

image

Before Configuring the Authorization server, we need to understand a couple of terminologies:

Introspection: Introspection is the way to authenticate the token. It is subdivided into 2 parts

  1. Local introspection: Validating the token within the gateway. This can be done using the JWKS URI or the public certificate of the issuer. For this, the token should necessarily be JWT.
  2. Remote introspection: Validating the token with the authorization server. It has an introspection endpoint, which is used to validate the token. Along with that, we have client id and client secrets which we are used to protect the endpoint so that anonymous users won’t get access to the resource. Underneath to invoke an endpoint we need a user, Gateway user is the one under which we invoke the endpoint.
    Dynamic client registration
    Dynamic client registration is used when you want to create the client automatically in the OAuth2 authorization server when an application is created in API Gateway.

Add Authorization Server

  1. Click on the administration tab
  2. Navigate to the Security tab
  3. From the left-hand tab click on JWT\OAuth\OpenID
  4. Click on Add authorization server.
  5. Provide the name as OktaAuthServer

image

  1. Provide the Discovery URL and click on Discover.

image

  1. This will populate the values on Introspection, Dynamic client registration and in Metadata.
  2. Add the scope and save it.

image

Map Scope OAuth Scopes

  1. Click on map Scope
  2. Give the authorization server scope. In our case, it will be OktaAuthServerScopeMapping

image

  1. Give the API scope name In our case we have given it CheckBedAvailibiltyScopeV2
  2. Click Save.

image

Create Application

  1. Click on create Application and name it as ExtrenalOAuthServerApp_OkTA.
  2. Select the API which we want to associate with this application. In our case it will checkBedAvailibility API.
  3. Click on Authentication and then click on Create Strategy
  4. Select Authentication scheme as OAuth
  5. Provide the name for the strategy, In our case we have named it as ExtrenalOktaStrategy
  6. Select the authentication server as OktaAuthServer.
  7. Enable the generate the credentials
  8. Select application type as Public
  9. Application profile as web
  10. Select Grant Type as “authorization_code”
  11. Select the scope in our case it will be OAuthCheckBedAvailabilityScope
  12. Provide the Redirect URI as https://oauth.pstmn.io/v1/callback
  13. Provide the Scope in our case it will be CheckBedAvailibiltyScopeV2
  14. Click on Add.
  15. It will generate the client ID and client credentials, which will be used to generate the access token.
    image

Test Using postman client

  1. Select Authorization as OAuth 2.0
  2. Set the below values

Grant Type: Authorization code
Call Back url: https://oauth.pstmn.io/v1/callback
Authorise URL: We can get the from the metadata provided by OKTA
Access Token URL: We can get the from the metadata provided by OKTA
Client ID: We can get the from the metadata provided by OKTA
Client Secret: We can get the from the metadata provided by OKTA
State: Any random alphanumeric value
Client Authentication: Send Client credentials in Body

image

  1. Click on generate token
    image

  2. Click on use token

  3. Submit the request

image

  1. Validate the response.