Manual Deployment

Follow these steps to deploy on AWS using Elastic Beanstalk. For simplicity, we use AWS API Gateway to serve the endpoints over HTTPS (Okta Inline Hooks require HTTPS), but you can of course use other methods to do this.

Set up a Redis cache

Launch a Redis ElastiCache cluster:

  • Use the default Redis port 6379
  • Tip: choose the smallest node type (e.g. cache.t2.micro) or get ready to be surprised by your AWS bill
  • Make sure to deploy it in the same VPC as the Elastic Beanstalk application. The cluster must not be reachable from the internet; only the application's security group should be allowed in (see "Configure Security Groups" below)

Elastic Beanstalk

A source bundle of this project, oktadelegate.zip, is included. Deploy it as a "Single instance" Elastic Beanstalk environment (good enough for testing purposes; read more about Environment Types in the Elastic Beanstalk documentation):

  • From Elastic Beanstalk click [Create New Application]. Provide a name, e.g. oktadelegate and click [Create]
  • Click [Actions] > [Create Environment]
  • Choose "Web server environment" and click [Select]
  • Provide environment name, e.g. oktadelegate-demo
  • Choose Platform = Node.js
  • Upload oktadelegate.zip as the Application code
  • Click [Create environment]

Elastic Beanstalk Configuration

After the environment is done building, add the following Environment Properties:

  • Configuration > Software > click [Modify], and add the following:

| NAME | VALUE (EXAMPLE) | DESCRIPTION |
|---|---|---|
| BASE_URL | https://dev-666666.oktapreview.com | The URL of your Okta org |
| ISSUER | https://dev-666666.oktapreview.com/oauth2/default | The issuer string of the Authorization Server configured in Okta |
| CLIENT_ID | 0oa4oy6xZjhJ7vWgR1t9 | The client_id of the Application configured in Okta |
| ASSERT_AUD | api://oktadelegate | The Audience claim string you configured for your Authorization Server |
| ASSERT_SCOPE | groupadmin | A custom scope that the Actor is authorized to use. More about this below in the "Okta Setup" section |
| SSWS | 00PEBvZk9M0F3ozG8EWXZnd_0xFQP__zXR | An API token generated in Okta for calling the Okta Management APIs |
| ELASTICACHE_CONNECT_STRING | oktadelegate-redis.wtdkro.0001.usw2.cache.amazonaws.com | The Redis "Primary Endpoint" without the port number. You can find this in the ElastiCache console |
| CLIENT_USERNAME | serviceaccountusername | The /delegate/hook/callback endpoint is protected with Basic auth. More about this below in the "Okta Setup" section. Provide a username |
| CLIENT_PASSWORD | password123# | The password that goes with CLIENT_USERNAME for the Basic auth on /delegate/hook/callback |

The values above are placeholders. SSWS and CLIENT_PASSWORD are secrets: Environment Properties are readable by anyone who can view the environment configuration in the Elastic Beanstalk console or API, so for anything beyond a demo keep them in AWS Secrets Manager or SSM Parameter Store and have the app read them at start-up. An Okta API token carries the permissions of the administrator who created it, so generate SSWS as an admin with only the rights this app needs rather than as a Super Admin, and use a long random CLIENT_PASSWORD instead of the example shown.

Configure Security Groups

Update the Security Group of the ElastiCache cluster (the Redis deployed in the previous step) with an Inbound rule that allows TCP port 6379 from the security group of the Elastic Beanstalk environment's EC2 instances. Reference that security group as the source; do not open 6379 to 0.0.0.0/0 or to the whole VPC.

Exposing https

Okta Inline Hooks require HTTPS. A quick and easy way to serve the Elastic Beanstalk app over HTTPS is to set up a proxy integration using AWS API Gateway.

  • Create a new API
    • Click [+ Create API]
    • Select REST, New API
    • Provide an API name and select Endpoint Type = Regional
  • Create an "HTTP Proxy" resource
    • From the Resources tab, choose Actions > Create Resource
      • Configure as proxy resource = Y
      • Resource Path = {proxy+}
      • Enable API Gateway CORS = Y
      • Click [Create Resource]
  • Configure the resource Integration Request
    • Integration type = HTTP Proxy
    • Use HTTP Proxy integration = Y
    • Endpoint URL = the public URL of the Elastic Beanstalk environment deployed in the previous steps + "/" + "{proxy}", e.g. http://oktadelegate-dev-1.us-west-2.elasticbeanstalk.com/{proxy}
    • Content Handling = Passthrough
  • Deploy the API (you will see the public HTTPS URL after it has been deployed successfully)

Note that with this setup only the leg between Okta and API Gateway is encrypted: API Gateway forwards to the Elastic Beanstalk URL over plain HTTP, so the Basic auth credentials in every hook request cross the public internet in clear text between the two AWS services, and the Elastic Beanstalk URL itself remains reachable without going through API Gateway. That is acceptable for a demo; for production put a certificate on the Elastic Beanstalk load balancer (or reach the app through a VPC link), use an https:// Endpoint URL for the integration, and restrict the app's security group so only API Gateway traffic gets in.

Okta Setup

Activate Token Inline Hook

Set up a Token Inline Hook so that access tokens issued by Okta are patched by the callback deployed in the previous steps (i.e. the /delegate/hook/callback endpoint).

  • Register the /delegate/hook/callback endpoint using the API (or use the Developer Console):
    • Okta requires the hook callback to implement an authentication mechanism, so authScheme is required. In this sample we use Basic auth: recall that in the previous step you were asked to provide CLIENT_USERNAME and CLIENT_PASSWORD as environment variables to the Elastic Beanstalk app. Configure the Basic auth string from those same two values:
      • e.g.
      ```json
      "authScheme": {
          "type": "HEADER",
          "key": "Authorization",
          "value": "Basic ${Base64(serviceaccountusername:password123#)}"
      }
      ```
    • In this sample we simply use Basic auth, but Okta also supports signed requests, which is more secure and recommended in a production environment
  • Activate the Inline Hook
    • One of the rules defined in the Custom Authorization Server must be configured to trigger invocation of this hook:
      • Authorization Servers > Access Policies > select the policy that will trigger the hook > select or add a Rule > "Use this inline hook" = (select the activated hook)

Actor Setup

  • Make the Actor a Group Admin and assign the groups they can manage.
    • If the Actor is not a Group Admin, /delegate/init will not succeed
    • If the Target is not in a Group the Actor manages, /delegate/init will not succeed
    • If the Actor does not manage any of the Groups the Target is a member of, /delegate/init will not succeed

API Access Management Setup

  • The /delegate/init endpoint is protected by asserting that the ASSERT_SCOPE value (you were asked to provide this as an environment variable to the Elastic Beanstalk app), e.g. groupadmin, is present in the list of scopes the Actor is authorized to request. If the scope is not present in the access_token, /delegate/init will not succeed.
    • Add the custom scope to your Authorization Server.
    • Configure Access Policies to allow the Actor to request this scope.