By using Token Inline Hooks, we can easily extend Okta to model the OAuth 2.0 On-Behalf-Of flow.
When an API "A" requires a token to access API "B" (under the On-Behalf-Of flow), it can request the token using the client_credentials flow. The request also passes the "assertion" (API "A"'s own JWT, JWT-A) as a query parameter. The inline hook:
- Re-validates the assertion.
  - This sample is written in Node.js, so we use Okta's Node.js JWT verifier.
- Performs custom policy evaluation logic.
- And if valid, patches the result back to the Auth Server's callback. The `com.okta.access.patch` command instructs Okta to extend the client_credentials JWT with JWT-A's claims.
The diagram below describes the inline hook interaction:
- Clone this repo, then run `npm install`.
- Run `npm run zip`. This generates a zip file in the `/dist` folder. We will need it later.
- In the AWS Lambda Console:
  - Click Create Function
  - Select Author From Scratch
  - Runtime = Node.js
  - Click Create Function (let it automatically create an IAM role, or choose a pre-configured one)
  - In Code entry type, select Upload a .zip file
  - Upload the `.zip` file in the `/dist` folder generated in the previous step.
  - The Lambda uses Okta's JWT verifier library, which requires two values passed into the Lambda as Environment Variables. Provide values for these two variables (get them from your Okta configuration):
| Variable | Value |
|---|---|
| ISSUER | Issuer string of the Authorization Server configured for API "B" (API "A" makes a client_credentials request to this auth server), e.g. https://example.okta.com/oauth2/default |
| AUDIENCE | "Audience" configured in the Authorization Server, e.g. api://default |
Expose the Lambda Function using Amazon API Gateway:
- From the Amazon API Gateway Console/UI, click Create API
- Accept all defaults, and provide a name for API name
- Click Create API
- On the next screen, click Actions > Create Resource and provide the following values:
  - Resource name = inline-hook
  - Resource Path = /inline-hook
- Click Create Resource
- Click Create Method
  - Integration Type = Lambda Function
  - Use Lambda Proxy Integration = Y
  - Lambda Function = The Lambda function we just created
- Click Save
Follow this guide to complete the Okta Inline Hook setup.