- Home
- >
- Software Development
- >
- Implement Delegated Access with OpenID Connect Authentication for Okta Single Sign on – InApps 2022
Implement Delegated Access with OpenID Connect Authentication for Okta Single Sign on – InApps is an article under the topic Software Development Many of you are most interested in today !! Today, let’s InApps.net learn Implement Delegated Access with OpenID Connect Authentication for Okta Single Sign on – InApps in today’s post !
Read more about Implement Delegated Access with OpenID Connect Authentication for Okta Single Sign on – InApps at Wikipedia
You can find content about Implement Delegated Access with OpenID Connect Authentication for Okta Single Sign on – InApps from the Wikipedia website
Gravitational sponsored this post.
Can you imagine having to give Spotify your Facebook login information for just an email address?!
Virag Mody
Virag joined Gravitational in January of 2020, after co-founding a software code auditing company for Ethereum applications. Having joined Gravitational, Virag continues to learn about trending technologies and produces high quality written and video content. In his free time, Virag enjoys rock climbing, video games and walking his dog.
Of course not. There has to be a better way. The concept we are looking for here is Delegated Access. How can we delegate some degree of access to a third party entity without having to provide login credentials? That’s what OAuth does. But one thing the protocol does not do is communicate identifiable information about who is requesting privileges. There is a profound difference between granting Spotify access to your Facebook account data and letting Spotify make a post as you. By introducing an ID token, OpenID Connect Authentication (OIDC) adds an authentication feature to OAuth’s powerful authorization utility.
By running through a sample OIDC implementation to support Okta Single Sign On (SSO) for Teleport, we will see how the introduction of one additional token does what OAuth could not.
Case Study: Okta SSO for Teleport
OAuth uses different Grants and Flow to determine the sequence of events. We will look at the most common type, the Authorization Code Grant, and go through step by step.
Step 1
Teleport prompts the user to log in via their organization’s SSO provider. In this case, let us use Okta as our IDP.
Step 2
The Teleport user clicks “Log In” and is redirected to Okta’s authorization API endpoint with the following parameters included in the HTTPS request:
authorization_server response_type=code client_id redirect_uri scope state |
What do these parameters mean?
authorization_server
is the URL that Okta is exposed to. All IDPs will provide a URL to redirect to, usually an API. For Okta, this ishttps://${yourOktaDomain}/oauth2/default/v1/authorize
response_type=code
will let the Okta know that Teleport expects an authorization code.client_id
provides a string to Okta, which can check against a registry of authorized clients. IDPs like Okta will require clients to be registered to help identify them. Let’s use12345
as Teleport’s registered ID.redirect_uri
informs Okta which pre-configured URL to direct the Teleport user back to, with all the variables that Teleport needs. For this example, we can take the sample redirect URL provided in the Gravitational documentation ashttps://proxy.example.com:3080/v1/webapi/oidc/callback
scope
defines the limitations in accessing resources. For OAuth, these scopes are internally defined by the resource application. But recall that OIDC was created to standardize the way to get rudimentary identity information. At minimum, we must use the standard claimopenid
and perhaps an additional standard claim,email
, from Figure 6.state
is a string randomly generated by Teleport and passed back and forth with the Okta. By passing this string, both Teleport and Okta know they are speaking to the same device between communications. For this example, let’s say the state string issyl
(my dog’s name).
Putting together all these parameters, the URI a Teleport user is directed to after accepting the login prompt will look like:
https://${yourOktaDomain}/oauth2/default/v1/authorize?response_type=code&client_id=12345&redirect_uri=https://proxy.example.com:3080/v1/webapi/oidc/callback&scope=openid,email&state=syl |
Step 3
Once Okta receives the query, it will verify the client_id
against an internal registry for the Teleport application. Knowing Teleport is expecting an authorization code, Okta will send the user back to the redirect URL with the code and the state parameter that was passed. Our next stop is:
https://proxy.example.com:3080/v1/webapi/oidc/callback?code=pkzdZumQi1&state=syl |
Step 4
After receiving the code, Teleport will automatically query the Okta token endpoint to exchange the code for a token with the code
, redirect_uri
, and client_id
parameters included. Two additional parameters are present:
grant_type=authorization_code
informs Okta the flow isauthorization_code
client_secret
comes from Okta during the client registration process. This string should be secret and not publicly accessible. Because Teleport is hosted on our own infrastructure, which we know to be safe, we feel comfortable passing this parameter. Otherwise, we would use the PKCE extension and hash a generated string. In this case, our secret isgravitational
This exchange happens through a post request that will look something like:
POST https://${yourOktaDomain}/oauth2/default/v1/token grant_type=authorization_code& code=pkzdZumQi1& redirect_uri=https://proxy.example.com:3080/v1/webapi/oidc/callback client_id=12345& client_secret=gravitational |
Using the client_secret
and code
, Okta is able to verify the Teleport client’s request and issues a JSON payload encoded with the bearer token, an expiry time, and perhaps a refresh token. A successful response may look like:
{ “id_token”:“FW6AlBeyalZtDIRXxA0u5XBbZkLzjYzKUQBloxQXSSGPFmRS8eSfDu0A4nS4GF1aQP9PRxQk7gIh9bjaX99aa4vDSzP1E2ajsgIomlNGhNxBqEDV5Exp0xISE9bZ4HUzM91pbzPPj7Bq5ZQUWcSuSVD0NAfkAoG6qDpbQfxPjWRyfthz3pUEXwZe8Cz4eOXOM45UKB4Q0VnVSChVF84MWkeBFKzhrRNXd2dFv0HTlkQr6vXGlYsocMxR06wo38HvGiKjkUmL2YUyPOjZaoUN4ovfwlwdGdjNR2GVcRsXzjxCPszJ9dTXztoL5wo2ycEpuxkkNp57BuZ9YRexoNnRHahFKH76XrFsTvdvAYk3fBVUqrO5vvyxHAFrAIKpV0FvaMiBwKNfaE84oRC6aBXnzS3q4uVyGcHveHQMJB1temgB599rfVH3pBqurUmQCd0tVexRZj4PUkrDocf8Z0QKkCD0eonH0Q1bRpQPY5vATiLkpF8RArU7wyB2FxhB3egtQBvwDgsVjyix7u8Cx4P9oy3IJje6SZfc6Lz61uEQttpVhyqfzgFYUqVoQacw6rocCn3u61dM0moB” “access_token”:“IEZKr6ePPtxZBEd”, “token_type”:“bearer”, “scope”:“read:org”, “expires_in”:3600 } |
The id_token
is issued as a JWT and must be decoded. Given our chosen scopes of openid
and email
, we can expect the JSON payload to read as:
{ “sub”:“virag”, “iss”:“https://${yourOktaDomain}/oauth2/”, “aud”:“client_12345”, “iat”:“1595977376”, “exp”:“1595980976”, “email_verified”:“true” } |
Step 5
Now that we have obtained the access token, all that is left is to make an API request on behalf of the Teleport user and receive the resources desired. We do this by passing the access token as a Bearer credential in the HTTPS authorization header.
Conclusion
There is a simple beauty to how OIDC works on top of OAuth, given the scale of the problem it solves. However, developers must be extremely careful when designing applications that are compatible with OIDC, as it deals with sensitive and private user information.
Feature image via Pixabay.
At this time, InApps does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: [email protected].
Source: InApps.net
Let’s create the next big thing together!
Coming together is a beginning. Keeping together is progress. Working together is success.