Authenticating webMethods.io API Gateway APIs using OKTA as authorization server for OpenID mechanism

Introduction

This article explains how to implement OpenID on API gateway for OKTA authorization server

Audience

It is assumed that readers of this article know how to set up APIs in API gateway.

Prerequisites

• Active tenant subscription on Webmethods.io API Gateway

• Configure the API in API gateway.

• Create Application and associate API with application.

• Refer the link to create API
  GitHub - SoftwareAG/webmethods-api-gateway: Repository hosting developer tutorials, code samples, custom policies, CI/CD scripts and more to enable developers develop faster with API Gateway

• Active account for OKTA

Use Case:

• We configured the API in API Gateway. This API checks the availability of bed in hospitals.
• To invoke this API from API Gateway we have implemented the OpenID connect mechanism.
• In our case, OKTA will be working as authorization server.

What is OpenID?

• OpenID Connect (OIDC) is a thin layer that sits on top of OAuth 2.0 that adds login and profile information about the person who is logged in.

• Establishing a login session is often referred to as authentication, and information about the person logged in (i.e. the Resource Owner) is called identity.

• When an Authorization Server supports OIDC, it is sometimes called an identity provider, since it provides information about the Resource Owner back to the Client.

Grant Types

 OpenID Connect supports the following authentication flows

• The Implicit Flow is required for apps that have no “back end” logic on the web server, like a Javascript app.

• The Authentication (or Basic) Flow is designed for apps that have a back end that can communicate with the IdP away from prying eyes.

• The Resource Owner Password Grant does not have an login UI and is useful when access to a web browser is not possible.

• The Client Credentials Grant is useful for machine to machine authorization.

For More info please follow below link:
An Illustrated Guide to OAuth and OpenID Connect | Okta Developer

Configuration at OKTA (Authorization server)

Create Application

• Login to Okta Account
• Navigate to application, click on create New Application
• Select API services
• Click Next and Save it.

• Copy the Client ID and client secret
• Save the credentials for future use.

Create Authorization server

• Navigate to Security and then select API
• Select Add in Authorization server.

• Create a rule with default settings

Create Token

• Navigate to the security and then select API
• Click on create token
• Name the token as OKTA token
• Copy the token and save it for future use.
• This token will be configured in API GW as SSWS token.

API Used for our Use case at webmethods.io API Gateway

   **API Name:** CheckBedAvailability

Enforce policy

• Open the API CheckBedAvailability.
• Navigate to the policy
• Click on Identify & Access policy.

• Select Identify & Authorize Application.
• Select OpenID connect.
• Save the changes.

Create Scope in API

1. Go to the API in our case it is checkBedAvailablity
2. Navigate to scopes with in the API
3. Create the scope and map the resource with it
4. In our case scope name is CheckBedAvailibiltyScopeV3
5. Add resource name is CheckBedAvailability
6. Click Save.

Before Configuring the Authorization server, we need to understand couple of terminologies

Introspection:

Introspection is the way to authenticate the token. It is sub divided into 2 parts

1. Local introspection
   Validating the token within the gateway. This can be done using the JWKS URI or the public certificate of the issuer. For this the token should necessarily be JWT.
2. Remote introspection: Validating the token with the authorization server. It has introspection endpoint, which is used to validate the token. Along with that we have client id and client secret which we are used to protect the endpoint, so that anonymous users won’t get access to the resource. Underneath to invoke an endpoint we need a user, Gateway user is the one under which we invoke the endpoint.
   Dynamic client registration
   Dynamic client registration is used when you want to create the client automatically in the OAuth2 authorization server when application is created in API Gateway.

Add Authorization Server

• Click on administration tab
• Navigate to Security tab
• From the left-hand tab click on JWT\OAuth\OpenID
• Click on Add authorization server.
• Provide the name as ExternalOktaServer

1. Provide the Discovery URL and click on Discover.

2. This will populate the values on Introspection, Dynamic client registration and in Metadata.
3. Add the scope and save it.

Map Scope OAuth Scopes

1. Click on map Scope
2. Give the authorization server scope , In our case it will be OktaAuthServerScopeMapping

3. Give the API scope name In our case it we have given in CheckBedAvailibiltyScopeV3
4. Click Save.

Create Application

1. Click on create Application and name it as OpenIDApp.
2. Select the API which we want to associate with this application. In our case it will checkBedAvailibility API.
3. Click on Authentication and then click on Create Strategy
4. Select Authentication scheme as OpenID
5. Provide the name for the strategy, In our case we have named it as OktaStrategy
6. Select the authentication server as OktaAuthServer.
7. Provide ClientID
8. Enable the HMAC Algorithm.
9. Provide the client secret
10. Click Save

Test Using postman client

1. Select Authorization as OAuth 2.0
2. Set the below values

Grant Type : Authorization code
Call Back url: https://oauth.pstmn.io/v1/callback
Authorise URL: We can get the from the metadata provided by OKTA
Access Token URL: We can get the from the metadata provided by OKTA
Client ID: We can get the from the metadata provided by OKTA
Client Secret: We can get the from the metadata provided by OKTA
Scope: openid
State: Any random alphanumeric value
Client Authentication: Send Client credentials in Body

3. Click on generate token

4. Click on use token
5. Submit the request

6. Validate the response.