Authenticating webMethods.io API Gateway APIs using OKTA as authorization server for OAuth mechanism

Introduction

This article explains how to implement OAuth 2.0 on the webMethods.io API Gateway with OKTA as the authorization server.

Audience

It is assumed that readers of this article know how to set up APIs on API Gateway.

Prerequisites

Use Case:

  • We configured the API on API Gateway. This API checks the availability of beds in hospitals.
  • To invoke this API through API Gateway we have implemented the OAuth 2.0 mechanism.
  • In our case, OKTA works as the authorization server.

What is OAuth 2.0?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

The OAuth 2.0 spec has four important roles:

  • The “authorization server” — The server that issues the access token. In this case Okta is the authorization server.
  • The “resource owner” — Normally your application’s end-user, who grants permission to access the resource server with an access token.
  • The “client” — The application that requests the access token from Okta and then passes it to the resource server.
  • The “resource server” — Accepts the access token and must verify that it’s valid. In this case this is your application.

For more information, see the link below:
https://developer.okta.com/docs/concepts/oauth-openid/

API used for our use case:

   **API Name:** CheckBedAvailability

Enforce policy

  • Open the API CheckBedAvailability.
  • Navigate to the policy.
  • Click on the Identify & Access policy.
  • Select Identify & Authorize Application.
  • Select OAuth2 Token.
  • Save the changes.

Create Scope in API

  1. Go to the API; in our case it is CheckBedAvailability.
  2. Navigate to the scopes within the API.
  3. Create the scope and map the resource with it.
  4. In our case the scope name is CheckBedAvailibiltyScopeV2.
  5. Add the resource; its name is CheckBedAvailability.
  6. Click Save.

Before configuring the authorization server, we need to understand a couple of terms:

Introspection: Introspection is how the gateway validates a token. It comes in two forms:

  1. Local introspection: Validating the token within the gateway. This is done using the JWKS URI or the public certificate of the issuer. For this, the token must be a JWT.
  2. Remote introspection: Validating the token with the authorization server. The authorization server exposes an introspection endpoint that is used to validate the token. Along with that, a client ID and client secret protect the endpoint so that anonymous users cannot reach the resource. To invoke the endpoint the gateway needs a user; the Gateway user is the one under which the endpoint is invoked.

Dynamic client registration: Dynamic client registration is used when you want the client to be created automatically in the OAuth2 authorization server when an application is created in API Gateway.

Add Authorization Server

  1. Click on the Administration tab.
  2. Navigate to the Security tab.
  3. From the left-hand tab click on JWT\OAuth\OpenID.
  4. Click on Add authorization server.
  5. Provide the name as OktaAuthServer.
  6. Provide the Discovery URL and click on Discover.
  7. This populates the values under Introspection, Dynamic client registration and Metadata.
  8. Add the scope and save it.

Map OAuth Scopes

  1. Click on Map Scope.
  2. Give the authorization server scope. In our case, it will be OktaAuthServerScopeMapping.
  3. Give the API scope name. In our case we have given it CheckBedAvailibiltyScopeV2.
  4. Click Save.
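The two introspection modes and the scope mapping above can be shown in code. This is an added example, not code from the article or from API Gateway: it performs the local introspection checks (signature, issuer, expiry) and then the scope-mapping check, which is the step that makes the gateway reject an otherwise valid token whose granted scope is not mapped to the API scope. It assumes an HS256 shared secret and a placeholder issuer in place of Okta's RS256 key from the JWKS URI, so it runs offline with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: Okta issues RS256 tokens verified via the JWKS URI; an
# HS256 shared secret is used here only so the example runs offline.
SECRET = b"constructed-demo-secret"
ISSUER = "https://placeholder.okta.com/oauth2/default"  # placeholder issuer
SCOPE_MAPPING = {"OktaAuthServerScopeMapping": "CheckBedAvailibiltyScopeV2"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the checks below have input to inspect."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def introspect_locally(token, secret, issuer, mapping, api_scope, now):
    """Local introspection: signature, issuer, expiry, then scope mapping -> (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    try:
        alg = json.loads(_b64url_decode(header)).get("alg")
        signature = _b64url_decode(sig)
    except ValueError:
        return False, "malformed token"
    if alg != "HS256":
        return False, "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))  # parsed only after the signature holds
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Okta puts granted scopes in "scp"; a space-delimited "scope" claim is also read.
    granted = set(claims.get("scp", [])) | set(str(claims.get("scope", "")).split())
    if api_scope not in {mapping.get(s) for s in granted}:
        return False, "no granted scope maps to the API scope"
    return True, "ok"
```

A token that passes signature, issuer and expiry but carries only unmapped scopes is rejected at the last check, which matches the behaviour described in the comments below.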

Create Application

  1. Click on Create Application and name it ExtrenalOAuthServerApp_OkTA.
  2. Select the API which we want to associate with this application. In our case it will be the CheckBedAvailability API.
  3. Click on Authentication and then click on Create Strategy.
  4. Select the authentication scheme as OAuth.
  5. Provide the name for the strategy. In our case we have named it ExtrenalOktaStrategy.
  6. Select the authentication server as OktaAuthServer.
  7. Enable Generate credentials.
  8. Select the application type as Public.
  9. Select the application profile as Web.
  10. Select the Grant Type as “authorization_code”.
  11. Select the scope; in our case it will be OAuthCheckBedAvailabilityScope.
  12. Provide the Redirect URI as https://oauth.pstmn.io/v1/callback.
  13. Provide the Scope; in our case it will be CheckBedAvailibiltyScopeV2.
  14. Click on Add.
  15. This generates the client ID and client credentials, which are used to obtain the access token.

Test using the Postman client

  1. Select the Authorization type as OAuth 2.0.
  2. Set the values below:

Grant Type: Authorization Code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: We can get this from the metadata provided by OKTA
Access Token URL: We can get this from the metadata provided by OKTA
Client ID: We can get this from the metadata provided by OKTA
Client Secret: We can get this from the metadata provided by OKTA
State: Any random alphanumeric value
Client Authentication: Send client credentials in body

  1. Click on Get New Access Token.
  2. Click on Use Token.
  3. Submit the request.
  4. Validate the response.

Hi Vikash

The article is brilliant. I have a question: can the same be implemented using Azure for validating the tokens?

We are able to generate the tokens from Azure, but when we add Azure as an external authorizer and try to validate the APIs, it throws errors related to token expiry even though the token is still valid.

Hi @parre.abhijith,
The only condition under which we get an invalid token is when it is not mapped with the scope.
Can you please verify once again? The scope and the API should be mapped. I didn't see any other reason for this failure as long as it's a valid token.

Regards
Vikash Sharma

We have mapped the scope too. Do I need to select Dynamic client registration in this case, and if yes, what should be the client registration URL? And in

Application, if I click on Generate credentials I get the below error after I click on Update. I am not sure where to pass the grant_type in the application.