How to integrate Okta with AWS API Gateway JWT Authorizer?
- Published: 7 Dec 2021
- This video explains how to generate a JWT access token using Okta and use that token to authorize API endpoints hosted in AWS API Gateway.
Refer to this blog / part-3-securing-aws-ap... for step-by-step instructions
#aws #amazonwebservices #openid #okta #authentication #iam #identity #apigateway #api #security
Please subscribe to this channel for regular updates: ruclips.net/channel/UCEEayyyCrJO94FYlzF0NLTg
Thank you for the support.
If anyone is getting "The DPoP proof JWT header is missing" error in Postman, go to the application you created in Okta -> General settings and deselect the "Proof of possession" option.
Thanks for sharing this info!!
Really nice walkthrough :)
Thank You!
Doesn't this technically use custom authorization servers, which are a paid feature as part of the "API Access Management" package in a prod environment?
Is there any way to do this or something similar without buying add-ons?
This video uses Okta, which is a commercial product. You can build a custom authorization server which can generate a JWT token and use that JWT token to authorize the API calls. Please note that this authorization server should support the OAuth 2.0 or OpenID Connect protocol. Refer to this document for more details: docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
Very useful.. Thanks a lot!! How would you integrate with an enterprise application using SAML SSO which requires querying an AWS Redshift behind an AWS API Gateway with Okta?? The browser of the client (Power BI) is already using a claim and the idea is to query a data warehouse (Okta is storing the ClientID, secretID) without re-authenticating the users??
Using a SAML token for authorizing API calls is not recommended. This video talks about using an OAuth 2.0 JWT access token. AWS API Gateway has a built-in JWT authorizer to validate a JWT token and allow or deny access. My recommendation is to integrate the enterprise application with Okta using OpenID Connect instead of SAML.
Hi, any idea how to get the token if the Okta app is "OIDC - OpenID Connect" instead of "API Services"? We only have access to OIDC app and it seems the token is not being passed back to the API Gateway. Thank you
I assume the client app is integrated with Okta using the Authorization Code grant flow. If that is the case, Okta will return an ID token and an access token as part of the token API call. You should be able to extract the access token and pass it in a header to the API calls.
Hi, could you please let me know if we can cache this token somehow and reduce the number of hits to Okta for validation for as long as the token is valid?
Yes. It depends on how the client application is implemented. The client application which gets the token from Okta can cache it until expiry. In fact, the client app doesn't have to validate the token with Okta because it is a JWT token with an exp attribute. AWS API Gateway itself should verify the exp attribute and return an error when the token expires. You can test this scenario by reducing the expiry time in Okta.
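A client-side implementation of the caching described in the reply above, added here as an example (it is not code from the video, Okta or AWS): the access token is reused until shortly before its exp claim, and the client_credentials request to Okta's token endpoint is shown alongside it. The Okta domain, scope and the make_test_jwt helper are assumptions constructed for offline use.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable

# Assumed values (placeholders, not from the video): Okta org default authorization server.
OKTA_TOKEN_URL = "https://YOUR_OKTA_DOMAIN/oauth2/default/v1/token"
SKEW_SECONDS = 30  # refresh a little before 'exp' so clock drift does not produce 401s

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature: the client only needs
    'exp'; signature, 'iss' and 'aud' are checked by the API Gateway JWT authorizer."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class TokenCache:
    """Reuse an access token until shortly before its 'exp', then fetch a new one."""
    def __init__(self, fetch: Callable[[], str], now: Callable[[], float] = time.time):
        self._fetch, self._now = fetch, now
        self._token = None
        self._exp = 0.0

    def get(self) -> str:
        if self._token is None or self._now() >= self._exp - SKEW_SECONDS:
            self._token = self._fetch()
            self._exp = float(jwt_claims(self._token)["exp"])
        return self._token

def fetch_from_okta(client_id: str, client_secret: str, scope: str) -> str:
    """client_credentials grant against Okta's token endpoint (needs network access)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(OKTA_TOKEN_URL, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def make_test_jwt(exp: int) -> str:
    """Constructed, unsigned JWT for offline use (the signature segment is a dummy)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    claims = {"iss": "https://YOUR_OKTA_DOMAIN/oauth2/default", "aud": "api://default", "exp": exp}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

The cache only removes unnecessary round-trips to Okta; API Gateway still rejects an expired or otherwise invalid token on every call.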
How do you integrate with a SPA and take that token and validate it in the Gateway?
This video uses the OAuth2 client_credentials grant for getting the token. If you want to integrate a SPA web application where users can log in, you should use the Authorization Code grant flow with PKCE. That is a totally different use case. But once the access token is generated for the user, the remaining flow is exactly the same.
How do I add other scopes like jwtreadt to the generated JWT token?
Please refer to this documentation: developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#create-custom-scopes
I believe the API Gateway layout does not allow this JWT token option anymore.
It is still available. It is supported only for HTTP APIs and not REST APIs.
Refer to docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
Refer to the "To configure API authorization" section in aws.amazon.com/blogs/security/how-to-secure-api-gateway-http-endpoints-with-jwt-authorizer/ - The screenshots are slightly old, but you should be able to figure it out in the AWS Console based on this blog.