
Okta 2-legged OAuth 2.0 API security profile in Jitterbit API Manager

Introduction

Within a security profile, you can configure Okta as an OAuth 2.0 identity provider to provide API consumers access to an API using Okta authentication.

This page shows how to configure and use Okta 2-legged authentication with a Jitterbit custom, OData, or proxy API by following these steps:

  1. Configure Okta as an identity provider
    Configure the Okta instance as an identity provider and obtain the Okta Audience and Scope to use as input for configuring a security profile in API Manager.
  2. Configure a security profile in API Manager
    Configure Okta as the identity provider in API Manager.
  3. Assign a security profile in API Manager
    Assign the security profile to one or more Jitterbit custom, OData, or proxy APIs.
  4. Access an API with Okta authentication
    API consumers are then able to use Okta authentication to consume Jitterbit custom, OData, or proxy APIs that the security profile is assigned to.

For additional information, see the Okta documentation OAuth 2.0 and OpenID Connect Overview.

For Okta 3-legged OAuth security profile configuration, see Okta 3-legged OAuth 2.0 API security profile.

1. Configure Okta as an identity provider

  1. Log in to the Okta Developer Console as a user with administrative privileges.

  2. In the Okta Developer Console sidebar, navigate to Applications > Applications, then click the Create App Integration button.

  3. In the Sign-in Method section of the Create a New App Integration page, select API Services and then click Next.


  4. In the General Settings section of the New API Services App Integration page, enter an App integration name and click Save:


  5. After clicking Save, the Client ID and a generated client secret are displayed in the General tab under Client Credentials. Retain these for later use, as they will be required when generating an OAuth token in step 4.


  6. In the General tab under General Settings, click Edit, disable Require Demonstrating Proof of Possession (DPoP) header in token requests, and click Save:


  7. Follow these steps to create a scope:

    1. In the Okta Developer Console sidebar, navigate to Security > API > Authorization Servers and select the appropriate server. Retain the server's Issuer URI for later use.

    2. In the server's Scopes tab, click Add Scope.

    3. In the Add Scope dialog, enter a Name (such as CustomScope) and complete the optional fields as desired. Retain the Name that you enter for later use, as it will be required when configuring the security profile. Under Metadata, select Include in public metadata. Click Create:


  8. Follow these steps to create an access policy and rule:

    1. Navigate back to the same authorization server used when creating a scope.

    2. In the server's Access Policies tab, click Add Policy if one does not already exist.

    3. In the Add Policy dialog, enter a Name (such as CustomPolicy) and complete the optional fields as desired. Click Create Policy:


    4. Click Add rule.

    5. In the Add Rule dialog, enter a Rule Name (such as CustomRule) and complete the optional fields as desired. The default values work with Jitterbit. Click Create rule:


2. Configure a 2-legged OAuth 2.0 API security profile

Configure these fields for a security profile:


  • Auth type: Select OAuth 2.0.

  • OAuth provider: Select Okta.

  • 2-legged OAuth Flow: Use the toggle to enable this field.

  • OAuth scope: Enter the name of the scope you specified when configuring the scope in Okta. See Configure Okta as an identity provider for more information.

  • Authorized domains: Leave this field empty.

  • OAuth client ID: Optionally enter the client ID from step 1 for testing.

  • OAuth client secret: Optionally enter the client secret from step 1 for testing.

  • OpenID discovery URL: Replace {{SUBDOMAIN}} and yourAuthServerId with the Okta subdomain and server ID from the chosen Okta authentication server's Issuer URI from step 1. For example, https://example-1234.okta.com/oauth2/default becomes https://example-1234.okta.com/oauth2/default/.well-known/openid-configuration.

  • Audience: Enter the Okta audience. It can be found under Security > API under the authorization server's Settings tab.

  • OAuth authorization URL: Replace {{SUBDOMAIN}} and yourAuthServerId with the Okta subdomain and server ID from the chosen Okta authentication server's Issuer URI from step 1. For example, https://example-1234.okta.com/oauth2/default becomes https://example-1234.okta.com/oauth2/default/v1/authorize.

  • OAuth token URL: Replace {{SUBDOMAIN}} and yourAuthServerId with the Okta subdomain and server ID from the chosen Okta authentication server's Issuer URI from step 1. For example, https://example-1234.okta.com/oauth2/default becomes https://example-1234.okta.com/oauth2/default/v1/token.

  • User information URL: Replace {{SUBDOMAIN}} and yourAuthServerId with the Okta subdomain and server ID from the chosen Okta authentication server's Issuer URI from step 1. For example, https://example-1234.okta.com/oauth2/default becomes https://example-1234.okta.com/oauth2/default/v1/userinfo.

  • Test connectivity: Click to validate the authentication token.

3. Assign a security profile in API Manager

To use the security profile with an API, follow the instructions for configuring a custom API, OData service, or proxy API and select the security profile configured with Okta OAuth 2.0 authentication.

4. Access an API with Okta authentication

Once you have saved and published a custom API, OData service, or proxy API, it is accessible by URL from the calling application using the configured authentication method.

Using 2-legged OAuth 2.0 is a two-step process:

  1. Generate an OAuth token, either by passing the Okta client ID and client secret obtained in step 1 in an RFC 6749 Client Credentials Access Token Request to the 2-legged OAuth Token URL displayed on the Security Profiles page, or by obtaining the OAuth token directly from Okta.

  2. Send the OAuth token in the API request's Authorization header using the "Bearer" token type defined in RFC 6750.
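The two steps above, together with the URL derivation from step 2, as an added example that is not Jitterbit's or Okta's own code: profile_urls turns an Issuer URI into the URLs the security profile asks for, client_credentials_request builds the RFC 6749 token request, and bearer_header checks the token response before the API call. The issuer host, client credentials and scope name used here are constructed placeholders.

```python
"""Added example, not Jitterbit's or Okta's own code: derive the security-profile
URLs from an Okta Issuer URI, request a token with the RFC 6749 client-credentials
grant, and call the API with an RFC 6750 bearer header. All hostnames, credentials
and scope names are constructed placeholders."""
import base64
import json
import urllib.parse
import urllib.request


def profile_urls(issuer_uri):
    """Map an Issuer URI such as https://example-1234.okta.com/oauth2/default to the
    discovery, authorization, token and user-information URLs of the profile."""
    base = issuer_uri.rstrip("/")
    return {
        "discovery": f"{base}/.well-known/openid-configuration",
        "authorize": f"{base}/v1/authorize",
        "token": f"{base}/v1/token",
        "userinfo": f"{base}/v1/userinfo",
    }


def client_credentials_request(token_url, client_id, client_secret, scope):
    """Build the RFC 6749 section 4.4 request. The client authenticates with HTTP
    Basic; per section 2.3.1 id and secret are form-urlencoded before base64."""
    creds = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def bearer_header(token_response):
    """Validate the token response and build the Authorization header for the API.
    Okta issues token_type "Bearer"; anything else is rejected rather than guessed."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {token_response.get('token_type')!r}")
    if not token_response.get("access_token"):
        raise ValueError("token response carries no access_token")
    return {"Authorization": "Bearer " + token_response["access_token"]}


def fetch_token(token_url, client_id, client_secret, scope):
    """POST the token request to the Okta (or Jitterbit 2-legged) token URL."""
    url, headers, body = client_credentials_request(token_url, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def call_api(api_url, token_response):
    """GET the published Jitterbit API URL with the bearer token attached."""
    req = urllib.request.Request(api_url, headers=bearer_header(token_response))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()
```

A typical run is `call_api(api_url, fetch_token(profile_urls(issuer)["token"], client_id, client_secret, "CustomScope"))` with your own values substituted.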

To consume the API, use the link to Copy URL and use it within the calling application:


If the API supports GET, you can also paste the URL into a web browser to consume the API manually.

When 2-legged OAuth Flow is being used, the API gateway fetches the access token and authentication takes place automatically.

If the authentication is successful, the expected payload is displayed in the web browser.