Okta 3-legged OAuth 2.0 API Security Profile¶

Introduction¶

Within a security profile, you can configure Okta as an OAuth 2.0 identity provider to provide API consumers access to an API using Okta authentication.

This page shows how to configure and use Okta authentication with a Jitterbit Custom, OData, or Proxy API by following these steps:

1. Configuring Okta as an Identity Provider
   Configure the Okta instance as an identity provider and obtain the Okta client ID and client secret that you will need to use as input for configuring a security profile in API Manager.
2. Configuring a Security Profile in API Manager
   Configure and test Okta as the identity provider in API Manager. You will need to use the client ID and client secret obtained in the previous step.
3. Assigning a Security Profile in API Manager
   Assign the security profile to one or more Jitterbit Custom, OData, or Proxy APIs.
4. Accessing an API with Okta Authentication
   API consumers are then able to use Okta authentication to consume Jitterbit Custom, OData, or Proxy APIs that the security profile is assigned to.

For additional information, see the Okta documentation OAuth 2.0 and OpenID Connect Overview.

For Okta 2-legged OAuth security profile configuration, see Okta 2-legged OAuth 2.0 API Security Profile.

1. Configuring Okta as an Identity Provider¶

1. Log in to the Okta Developer Console as a user with administrative privileges.

2. In Okta's Developer Console, navigate to Applications > Applications, then click the Create App Integration button.

3. In the Sign-in Method step of the Create a New App Integration page, select OIDC - OpenID Connect. For the Application type, select Web Application and then click Next.

   

4. In the General Settings step of the New Web App Integration page, configure the credentials for the security profile:

   

   1. Enter an App Integration Name (for example, Jitterbit API Manager APIs).

   2. Under Grant type:

      1. If you will be configuring 2-legged OAuth in the security profile (by using the setting 2-legged OAuth Flow), select Client Credentials under Client acting on behalf of itself.
      2. Select Refresh Token under Client acting on behalf of a user.

   3. Enter the three Sign-in redirect URIs appropriate for your Harmony organization and region:

      1. Enter the two URI values copied from the security profile configuration screen (the image below is cropped to show the relevant areas):

         

         

      2. Enter the swagger-ui URI value appropriate for your region (see Finding My Region):

         • NA: https://apps.na-east.jitterbit.com/api-manager/swagger-ui/oauthredirect
         • EMEA: https://apps.emea-west.jitterbit.com/api-manager/swagger-ui/oauthredirect
         • APAC: https://apps.apac-southeast.jitterbit.com/api-manager/swagger-ui/oauthredirect

   4. Clear the Sign-out redirect URIs.

   5. Under Trusted Origins, clear the Base URIs.

   6. Under Assignments, assign the group that you want (if you set Group Assignments for your app) or leave the Everyone default. For instructions on how to assign the app integration to individual users and groups, see Assign app integrations in the Okta product documentation.

5. After clicking Save, the Client ID and Client secret are displayed in the General tab under Client Credentials. Retain these for later use, as they will be required when configuring the security profile:

   

2. Configuring a Security Profile in API Manager¶

Follow the instructions for Configuring a Security Profile in Security Profile Configuration.

During configuration, select OAuth 2.0 as the authentication Type and Okta as the OAuth Provider:

Enter the OAuth Client ID and the OAuth Client Secret values obtained in the previous section, Configuring Okta as an Identity Provider:

Edit the OAuth Authorization URL, the OAuth Token URL, and the User Info URL to replace the placeholder domain (yourOktaDomain) and the placeholder authorization server ID (yourAuthServerId) with those for your Okta instance:

• yourOktaDomain: Replace with the Okta domain, also called the Okta URL. See Find your Okta domain.
• yourAuthServerId: Replace with the Okta authorization server ID. See Create an authorization server.

For example, when configured, the field input should be similar to that shown here:

3. Assigning a Security Profile in API Manager¶

To use the security profile with an API, follow the instructions for configuring a Custom API, OData Service, or Proxy API and select the security profile configured with Okta OAuth 2.0 authentication.

4. Accessing an API with Okta Authentication¶

Once you have saved and published a Custom API, OData Service, or Proxy API, its API is accessible by URL in the application calling the API using the configured authentication method.

To consume the API, use the link to Copy URL and use it within the calling application:

If the API supports GET, you can also paste the URL into a web browser to consume the API manually.

When 3-legged OAuth 2.0 is being used, the browser redirects to the native login interface for Okta. Provide your credentials to authenticate with Okta.

If the authentication is successful, the expected payload is displayed in the web browser.