Okta Oauth 2.0 Provider
We have too many configuration examples of leveraging the light-oauth2 or the kafka-oauth for security. One of our customers is using Okta cloud for hundreds of services, and we have learned a lot of configuration variations on different light-4j products. This tutorial will show you how to use the Okta cloud OAuth 2.0 provider for security.
Single Okta JWK
This is the setup for a light-4j service or the http-sidecar to verify the incoming JWT token by downloading the JWK from the same OAuth server instance on the cloud. I am assuming you are using REST API with the light-rest-4j framework.
To use the JwtVerifyHandler, we need to register it in the handlers section in handler.yml and also put the alias into the default chain.
handlers: . . . - [email protected] . . . chains: default: - exception - metrics - traceability - correlation - specification - security . . .
In the openapi-security.yml section in values.yml, we need to enable the security to verify the JWT token and also the scopes in the token against the specification. To load the JWK during the server startup, we must set up the bootstrap from the JWK server to true. We also need to change the keyResolver to JsonWebKeySet.
In the client.yml section, we need to define the tokenKeyServerUrl and tokenKeyUri so that the server knows where to load the JWK.
# openapi-security.yml openapi-security.enableVerifyJwt: true security.enableVerifyScope: true security.keyResolver: JsonWebKeySet security.bootstrapFromKeyService: true # client.yml client.tokenKeyServerUrl: https://networknt.oktapreview.com client.tokenKeyUri: /oauth2/aus133d83gC9EXGoS1d7/v1/keys
With the above configuration, you can get a JWT token from Okta from the token endpoint https://networknt.oktapreview.com//oauth2/aus133d83gC9EXGoS1d7/v1/token and put it into the request Authorization header. The request will be verified by the server with the JWK downloaded from the same Okta instance.
Automatically Retrieve JWT Token
This is normally used in the http-sidecar or light-proxy-client to retrieve a JWT token and inject it into the outgoing request.
Multiple OAuth Providers
This is used in a light-gateway instance to verify JWT tokens from multiple JWK instances and retrieve JWT from multiple JWT token servers.