Part 2: Configuring JWT token verification flows for Okta Identity Provider
The JWT policies of SAP Cloud Platform API Management enable you to generate, verify and decode JWT tokens. In the blog series JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management we cover the modeling and configuration of JWT verification policies for various identity providers such as SAP Cloud Platform XS UAA, Okta and Azure Active Directory. This part of the series covers the steps for configuring the JWT token verification policy for the Okta identity provider.
Okta supports both offline and online verification of JWT tokens. For online verification Okta provides a token introspection endpoint: the issued token is sent to this endpoint and the response states whether the token is still active. Online verification guarantees that the incoming access token has not been revoked by Okta, but it costs an additional network call to the introspection endpoint for every incoming client request. Alternatively, you can verify the token offline in SAP Cloud Platform API Management by checking its signature against the public keys Okta publishes at its JWKS endpoint, together with the issuer, audience and expiry claims. Offline verification cannot detect revocation, so keep access token lifetimes short when you rely on it.
Pre-requisite
- Part 1: Modeling the JWT token verification flows in SAP Cloud Platform API Management
- An OAuth Authorization server in your Okta Identity Provider
- OAuth application flows based on your use-case
Read OAuth Issuer and JWKS URI for your Okta OAuth server
- Log on to your Okta identity provider. Select Authorization Servers from the API menu.
- Select your configured OAuth authorization server and click on the Metadata URI. This opens the OAuth authorization server metadata document for the selected server.
- The metadata document contains the JWKS endpoint of your Okta authorization server as well as the Okta issuer. Note down both values; they are configured in the JWT token verification policies on SAP Cloud Platform API Management.
- From the metadata document, copy the values of the issuer and jwks_uri fields.
Configure OAuth Issuer and JWKS URI in SAP Cloud Platform API Management
- Navigate to API Portal service of your SAP Cloud Platform API Management.
- Navigate to the Develop tab and select the API Proxy in which you have modeled the JWT token verification policies. Refer to part 1 of this blog series to model the JWT verification policies for your API Proxy.
- From the selected API Proxy details view, click Policies to open Policy Designer.
- Click Edit on the policy designer, to enter edit mode.
- Select the readJWKS policy and replace the value of its URL element with the jwks_uri value copied from your Okta authorization server metadata document.
- Select the verifyJWT policy and replace its configured issuer with the issuer value copied from the same metadata document. The configured issuer must match the iss claim of the Okta tokens character for character; a trailing slash or a different host name will fail verification.
- Click Update to persist the policy changes.
- Click Save to persist the API Proxy changes.
Testing the JWT token verification flow
- Set up an OAuth application in your Okta identity provider that you can use to fetch a JWT token. Setting up an OAuth application in Okta is covered in the Okta documentation.
- For testing this flow the Resource Owner Password grant was used, simply because it is the easiest to drive from a test console such as Postman. Use it for testing only: the password grant exposes user credentials to the client and the OAuth 2.0 Security Best Current Practice recommends against it, so production clients should use the authorization code grant (with PKCE) or the client credentials grant instead.
- Connect to the token endpoint of your Okta authorization server and pass in your OAuth client id, client secret and user credentials as required by the selected grant type. Obtaining an OAuth access token from Okta is covered in the Okta documentation.
- Call your API Proxy endpoint, passing the Okta access token in the HTTP header named Authorization in the format Bearer {oauth_access_token}.
- On successful JWT validation the response from your target server is returned.
- Passing an invalid access token or an empty access token results in an error with HTTP status code 401.
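The checks the readJWKS and verifyJWT policies perform on every request, written out as an added example that is not part of this post or of SAP Cloud Platform API Management. Because it has to run offline, the example generates the Okta signing key in-process and builds the JWKS entry that jwks_uri would serve; the host name, the kid values and the audience api://default are assumptions. It verifies one valid token and rejects a token signed with a key that is not published in the JWKS (the situation described in the comments below), a token with an unknown kid, an expired token and a token from another issuer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issuer is what you copy from the "issuer" field of the metadata document (host name assumed;
// jwks_uri would be https://example.okta.com/oauth2/default/v1/keys); audience is assumed too.
const (
	issuer   = "https://example.okta.com/oauth2/default"
	audience = "api://default"
)

type jwk struct{ Kty, Kid, N, E string } // one RSA entry of the JWKS document served at jwks_uri
type jwks struct{ Keys []jwk }
var b64 = base64.RawURLEncoding

func jwksFor(kid string, pub *rsa.PublicKey) jwks { // publishes a public key the way jwks_uri would
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

func mint(priv *rsa.PrivateKey, kid string, claims map[string]any) string { // signs RS256 like the authorization server
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// verify does what readJWKS + verifyJWT do on the API proxy: pick the key by kid, check the RS256
// signature, then check iss, aud and exp. Revocation is not checked; that is the offline trade-off.
func verify(token string, keys jwks, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // the token must not get to pick the algorithm
		return nil, errors.New("alg must be RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys { // every JWKS entry is assumed to be an RSA key
		if n, err := b64.DecodeString(k.N); k.Kid == hdr.Kid && err == nil {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no JWKS key for kid " + hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != issuer || claims["aud"] != audience { // aud as a single string; RFC 7519 also allows an array
		return nil, errors.New("issuer or audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// runScenarios checks one valid token and four that the proxy must reject.
func runScenarios() map[string]error {
	oktaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048) // never published at jwks_uri
	keys, now := jwksFor("okta-key-1", &oktaKey.PublicKey), time.Now()
	try := func(key *rsa.PrivateKey, kid, iss string, ttl time.Duration) error {
		tok := mint(key, kid, map[string]any{"iss": iss, "aud": audience, "sub": "user@example.com", "exp": now.Add(ttl).Unix()})
		_, err := verify(tok, keys, now)
		return err
	}
	return map[string]error{
		"valid":        try(oktaKey, "okta-key-1", issuer, time.Hour),
		"wrong key":    try(rogueKey, "okta-key-1", issuer, time.Hour),
		"unknown kid":  try(oktaKey, "okta-key-2", issuer, time.Hour),
		"expired":      try(oktaKey, "okta-key-1", issuer, -time.Minute),
		"wrong issuer": try(oktaKey, "okta-key-1", "https://other.example", time.Hour),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Nothing in this path depends on the client id: tokens issued to every application registered on the same Okta authorization server carry the same iss and are signed with the same published keys, so the policies accept all of them. The "wrong key" and "unknown kid" cases are what a failing verifyJWT looks like when the token was issued by a different authorization server than the one whose jwks_uri is configured in readJWKS; compare the kid in the token header with the kid values the configured JWKS endpoint returns before changing the policies.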
Refer to the blog series JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management for more posts on JWT verification policies.
Is there any possibility to have 2 client apps installed on the Okta Auth Server where JWTs from both apps can be validated in the JWT policies?
We have such a requirement in our project. I am using the above policy code that you implemented, but it is not working for 2 client apps (different client IDs).
Can anyone suggest?
Whatever access token I am getting from Okta is signed with a different public key and not one from the Okta JWKS endpoint. Hence my verifyJWT is failing. Can anyone help?