A "Proxy Login" function is the application's ability to provide a privileged actor the ability to "impersonate" another subject. The general requirement is to generate tokens – having identity and claims – on behalf of a subject without the subject's interaction.
To avoid confusion, we use the following terminology:
Term | Description |
---|---|
Actor | The privileged user that is authorized to proxy login another user |
Target | The user who is subject to the proxy login event |
Okta provides a set of out-of-the-box tools and functionality; allowing customers to properly implement – with the goals of security and audit-ability in mind – various proxy login use-cases.
The general idea is to allow the application to gain user context (attributes and permissions) of the Target so that it can perform actions on the Target's behalf, but is always aware that the actual user is the Actor. Okta's Group Admin Role functionality provides the data relationship model between Actor and Target. And Okta's Token Inline Hooks functionality provide the mechanism that allows additional context to be injected into OAuth tokens issued by Okta.
This sample Express project provides 2 endpoints that you can add to your Application backend to implement the proxy login flow:
- POST /delegate/init - Authorizes the Actor to Proxy a specific Target. Reads Target information and caches it in session for the callback
- POST /delegate/hook/callback - Updates the access_token with the Target information cached during the /delegate/init call
For illustration, the following diagram shows Okta acting as the Authorization Server to an application using Authorization Code flow. The 2 service endpoints appear as a standalone service oktadelegate
, separate from the Application backend.
- Instructions on how to deploy this project as a standalone is provided below
- Running the service standalone is an option (also good for POCs). Alternatively, expose the 2 endpoints using your own methodology. E.g. refactor the code into the App's server/backend, run them as Lambdas, etc.
Deployment instructions are provided below:
- An application already integrated to use Okta with OpenID Connect or OAuth 2.0
Method | Description |
---|---|
Cloud Formation | TODO |
Manual | Use the AWS Management Console |
Once deployed:
- Provide a way for your App to call
POST /delegate/init
to authorize the Actor to proxy their Target. - If the call is successful, then the App should refresh the access_token.
- And if successful, the access_token will present a
user_context
claim with the Target's info.