Securing an API in Azure API Management with Okta and OAuth 2.0
This blog post covers how to move an existing or new API into Azure API Management and then secure it using Okta.
Okta – “The Okta Identity Cloud provides secure identity management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (Provisioning), and more”.
I had access to a development tenant within Okta which looks something like this:-
I created a new application, called it ‘Azure API Management’ and chose Web as the platform and OpenID Connect as the sign-on method, like so:-
Once this is saved we can go back and edit it to see the screen with the important details, including the Client ID, Client Secret and Login redirect URIs, all of which are needed to get this working.
Azure API Management
Within Azure, create a new instance of Azure API Management. Once it has been created, go to the left-hand menu, select OAuth 2.0 under Security and then select Add. I gave it the name Okta.
The client registration page URL is important here. You can find yours within your new application in Okta: under the Sign On tab, look for the section headed OpenID Connect ID Token.
The other details which are very important are as follows (in red):-
and further down that screen, where you enter the Client ID and Client Secret:-
That’s it for Azure, so let’s switch back to Okta.
Now we need to check the Sign On tab and take note of some important settings.
At this stage we haven’t added any APIs to Azure API Management, so let’s do that by following this excellent example: https://docs.microsoft.com/en-us/azure/api-management/import-and-publish
Once you have imported an API you can test it in a number of ways, including tools like Postman, but you can also use the API Management developer portal, which you can launch from your Azure API Management instance back in Azure, seen in the link below:-
Now that we have the developer portal open, select APIs from the header and then click on the API you imported in the previous step.
Click the Try it button.
To check that things are talking to Okta and a token can be obtained, change the drop-down under the Authorization section from No auth to Authorization code. This will redirect you to Okta and you should see an Okta login prompt.
Once you enter your details and click Sign in, if everything is set up correctly you’ll now see something like this:-
Now there is a line saying when the access token will expire, and at the bottom it shows a row of **** where the access token has been added but is hidden.
Other things of note
I had to create/edit an assignment (user) within Okta because I was set up with a username, so under Assignments within your application make sure users have a username set up.
The important part here is that you can access APIs in API Management and by default they’ll always just work; the trick is to make them require an Okta token. Inbound policies are the magic th
Lastly we need to add what’s called an inbound policy to check that the token is valid. Without it the calls will always succeed, with or without an Okta token: the OAuth 2.0 server configured under Security only tells the developer portal how to obtain a token for the Try it console, it does not enforce anything on the API itself.
To add an inbound policy, go to your Azure API Management instance within Azure, select your API, then select All operations (or the individual operation you wish to secure) and then select Inbound processing, like so:-
Here we have several options for the inbound policy; in this example I chose validate-jwt and filled it out as below:-
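As an added example (not taken from the original post), this is what the finished policy can look like in the policy editor once validate-jwt has been filled in. It assumes an Okta org at {yourOktaDomain} using Okta’s default authorization server (issuer https://{yourOktaDomain}/oauth2/default, audience api://default) and a hypothetical scope named read; substitute the issuer and audience shown on your own Sign On tab.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example policy. Reject any request whose Authorization: Bearer token is
             missing, unsigned, expired, or not issued for this API. The Okta domain,
             audience and scope below are placeholders, not values from the original post. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- API Management downloads Okta's signing keys (JWKS) from the discovery document,
                 so the signature is checked against this authorization server only. -->
            <openid-config url="https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration" />
            <!-- Only accept tokens issued by this Okta authorization server... -->
            <issuers>
                <issuer>https://{yourOktaDomain}/oauth2/default</issuer>
            </issuers>
            <!-- ...and minted for this API. api://default is the default audience of
                 Okta's default authorization server; use your own if you changed it. -->
            <audiences>
                <audience>api://default</audience>
            </audiences>
            <!-- Optional: require at least one named scope. Okta puts scopes in the
                 "scp" claim as an array; "read" is a hypothetical scope for this example. -->
            <required-claims>
                <claim name="scp" match="any">
                    <value>read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A quick check after saving: calling the operation with no Authorization header (or with an expired token) should now return 401 with the message above, while the Try it flow with Authorization code selected should still succeed. Keep the issuers and audiences elements rather than relying on the signature alone: an ID token, or an access token the same authorization server minted for a different API, is still validly signed, and the audience check is what rejects it.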
You can read more here on API Management policies.
And that is how you integrate Okta with Azure API Management.
Feel free to get in touch if you have any questions.