Follow these steps to deploy on AWS using Elastic Beanstalk. For simplicity, we use AWS API Gateway to serve the endpoints over https (Okta Inline Hooks require https) but you can of course use other methods to do this.
Launch a Redis ElastiCache cluster:
- Use the default Redis port `6379`
- Tip: Choose a `t1.micro` node type or get ready to be surprised by your AWS bill.
- Make sure to deploy in the same VPC as the Elastic Beanstalk application
A source bundle of this project, `oktadelegate.zip`, is included. Deploy this as a single instance (good enough for testing purposes; read more about Environment Types) Elastic Beanstalk deployment:
- From Elastic Beanstalk click [Create New Application]. Provide a name, e.g. oktadelegate, and click [Create]
- Click [Actions] > [Create Environment]
- Choose "Web server environment" and click [Select]
- Provide an environment name, e.g. oktadelegate-demo
- Choose Platform = Node.js
- Upload `oktadelegate.zip` as the Application code
- Click [Create environment]
After the environment is done building, add the following Environment Properties:
- Configuration > Software > click [Modify], and add the following:

NAME | VALUE (EXAMPLE) | DESCRIPTION
---|---|---
BASE_URL | https://dev-666666.oktapreview.com | The url of your Okta org
ISSUER | https://dev-666666.oktapreview.com/oauth2/default | The issuer string of your Authorization Server configured in Okta
CLIENT_ID | 0oa4oy6xZjhJ7vWgR1t9 | The client_id of the Application configured in Okta
ASSERT_AUD | api://oktadelegate | The Audience claim string you configured for your Authorization Server
ASSERT_SCOPE | groupadmin | A custom scope that the Actor is authorized to use. More about this below in the "Okta Setup" section
SSWS | 00PEBvZk9M0F3ozG8EWXZnd_0xFQP__zXR | Generate an API Key in Okta for calling the Okta Management APIs
ELASTICACHE_CONNECT_STRING | oktadelegate-redis.wtdkro.0001.usw2.cache.amazonaws.com | The value of the Redis "Primary Endpoint", excluding the port number. You can find this in the ElastiCache console
CLIENT_USERNAME | serviceaccountusername | The /delegate/hook/callback endpoint is protected with Basic auth. More about this below in the "Okta Setup" section. Provide a username
CLIENT_PASSWORD | password123# | The /delegate/hook/callback endpoint is protected with Basic auth. More about this below in the "Okta Setup" section. Provide a password
Update the Security Group Inbound rules of the ElastiCache cluster (the Redis deployed in the previous step) to allow the Elastic Beanstalk app to access port 6379.
Okta Inline Hooks require https. A quick and easy way to serve the Elastic Beanstalk app through https is by setting up a proxy integration using AWS API Gateway.
- Create a new API
  - Click [+ Create API]
  - Select REST, New API.
  - Provide an API name, and select Endpoint Type = Regional.
- Create an "HTTP Proxy" resource
  - From the Resources tab, choose Actions > Create Resource
  - Configure as proxy resource = Y
  - Resource Path = `{proxy+}`
  - Enable API Gateway CORS = Y
  - Click [Create Resource]
- Configure the resource Integration Request
  - Integration type = HTTP Proxy
  - Use HTTP Proxy integration = Y
  - Endpoint URL = the public url of the Elastic Beanstalk Environment app deployed in the previous steps + "/" + "{proxy}", e.g. `http://oktadelegate-dev-1.us-west-2.elasticbeanstalk.com/{proxy}`
  - Content Handling = Passthrough
- Deploy the API (you'll see the public https url after you've successfully deployed)
Set up a Token Inline Hook so that the access_tokens issued by Okta are patched by the callback we deployed in the previous steps (i.e. the `/delegate/hook/callback` endpoint):
- Register the `/delegate/hook/callback` endpoint using the API (or use the Developer Console):
  - Okta requires the hook callback to implement an authentication mechanism, so authScheme is required (in this sample, we use Basic Auth to authenticate: recall that in the previous step you were asked to input a CLIENT_USERNAME and CLIENT_PASSWORD as environment variables to the Elastic Beanstalk App). Configure the Basic auth string, e.g.
    `"authScheme" : { "type": "HEADER", "key": "Authorization", "value": "Basic ${Base64(serviceaccountusername:password123#)}" }`
  - In this sample, we simply use Basic Auth, but Okta also supports signed requests, which is more secure and recommended in a Production environment
- Activate the Inline Hook.
- One of the rules defined in the Custom Authorization Server must be configured to trigger invocation of this hook:
  - Authorization Servers > Access Policies > Select the policy that will trigger the hook > Select or Add Rule > "Use this inline hook" = (select the activated hook)
- Make the Actor a Group Admin and assign the groups they can manage.
  - If the Actor is not a Group Admin, `/delegate/init` will not succeed.
  - If the Target is not in the Group the Actor manages, `/delegate/init` will not succeed.
  - If the Actor does not manage any of the Groups the Target is a member of, `/delegate/init` will not succeed.
- The `/delegate/init` endpoint is protected by asserting that an ASSERT_SCOPE (you were asked to input this value as an environment variable to the Elastic Beanstalk App), e.g. groupadmin, is present in the list of scopes the Actor is authorized to request. If the scope is not present in the access_token, `/delegate/init` will not succeed.
  - Add the custom scope to your Authorization Server.
  - Configure Access Policies to allow the Actor to request this scope.
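As an added example (not the project's own code), this is the claim check that gates `/delegate/init`: after a JWT library has verified the access_token signature against the ISSUER's JWKS (assumed, not shown), the decoded payload is checked for the configured ISSUER, ASSERT_AUD and ASSERT_SCOPE, plus expiry. The `env` object mirrors the Environment Properties table; the payload used in the test is constructed.

```javascript
// Added example, not part of the oktadelegate project. Node.js.
// Run this on the decoded JWT payload ONLY after signature verification.
function assertAccessTokenClaims(payload, env, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!payload || typeof payload !== "object") return ["payload is not an object"];
  const problems = [];

  // The token must have been issued by the Authorization Server configured as ISSUER.
  if (payload.iss !== env.ISSUER) problems.push("iss mismatch");

  // aud may be a string or an array of strings; ASSERT_AUD must be among them.
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!auds.includes(env.ASSERT_AUD)) problems.push("aud mismatch");

  // exp is seconds since the epoch (RFC 7519); reject missing or expired tokens.
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) problems.push("token expired");

  // Okta carries granted scopes in "scp" (array); a space-separated "scope" string
  // is accepted as a fallback. ASSERT_SCOPE (e.g. groupadmin) must be present.
  const scopes = Array.isArray(payload.scp)
    ? payload.scp
    : typeof payload.scope === "string" ? payload.scope.split(" ") : [];
  if (!scopes.includes(env.ASSERT_SCOPE)) problems.push(`missing scope ${env.ASSERT_SCOPE}`);

  return problems; // empty array: the Actor may call /delegate/init
}
```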