Invoke and Test an OAuth 2.0 Secured Workflows Flow
Workflows
Okta Classic Engine
Okta Identity Engine

Overview

This knowledge base article demonstrates how to invoke and test an OAuth 2.0 secured flow.

This guide helps you get started with Workflows. Okta support does not assist with custom flow construction using this guide, as it falls outside the scope of standard support. You may need to adjust the flow(s) to meet your needs. For questions, attend community office hours or post on the community forum.

Solution

Secure a flow with OAuth 2.0

Complete the following steps on the Secure with OAuth 2.0 documentation page.

  1. Complete the Create an API service integration app steps.
    • In Step 7, copy the PEM key to your local machine.
    • Click Edit in the General Settings section.
    • Uncheck Proof of possession.

  2. Complete the Configure your API endpoint settings steps.
    • After the API Endpoint card, add the Return card.
    • The Security level is set to Secure with OAuth 2.0 in settings.

Invoke an OAuth 2.0 secured flow

You need an access token before you can invoke a flow through an API endpoint. This section shows how to generate one with an Okta Workflows flow.

Generate access token

There are two steps to generate the access token. 

 

  1. Build a JWT with a private key (docs).
  2. Request the access token (docs).

 

You will use a Workflows flow to complete steps 1 and 2. (Use the doc links for each item to learn how to complete each step without Workflows.)

 

The following flow generates the access token:

 


A flow to generate an OAuth 2.0 access token.

The flow has the following steps.

 

Set the private key

 

The Compose card sets the private key you saved to your local machine. You can format the key and paste it into the Compose card using a tool such as Visual Studio Code.

 

Set JWT header

 

The Construct card sets up the JWT header with the kid value.

 


kid value.

Set flow fields

 

The Assign card sets up several flow fields:

  • URL: https://${yourOktaDomain}/oauth2/v1/token.
  • Client ID: from the application you created in step 1 of this guide.
  • ExpiresIn: time in seconds after which the JWT (JSON Web Token) shouldn’t be accepted.

Sign the JWT token

 

The JWT – Sign card signs the JWT with the private key. The card’s result is the client_assertion value.

Signing the JWT with the private key.

Set request headers

 

The Construct card sets the request header properties.

 

Set request body

 

The second Construct card sets the request body fields. The card sets the following properties:

  • grant_type: client_credentials.
  • scope: okta.workflows.invoke.manage.
  • client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
  • client_assertion: set to client_assertion from the JWT – Sign card.

 

Get the access token

 

In the last step, the API Connector – Post card calls the token URL with the fields from the previous cards. The card’s result contains the access token value.

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJraWQiOiItdzNpbnY5U2FrRHR2TXB4bHdwRXg4R25rdUtCdGxHTXpTSHdKdFF4YnI4IiwidHlwIjoiYXBwbGljYXRpb25cL29rdGEtaW50ZXJuYWwtYXQrand0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnRTanhQQ1VvZnZXWXItYUdYNDAxQm9oMWlZV1JVOWJxWGpZck1qQWk1WTgiLCJpc3MiOiJodHRwczovL2thdHoub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiaHR0cHM6Ly9rYXR6Lm9rdGFwcmV2aWV3LmNvbSIsInN1YiI6IjBvYTI3ODF5cjdhalVhSmZkMGg4IiwiaWF0IjoxNzI3MzAxMjY2LCJleHAiOjE3MjczMDQ4NjYsImNpZCI6IjBvYTI3ODF5cjdhalVhSmZkMGg4Iiwic2NwIjpbIm9rdGEud29ya2Zsb3dzLmludm9rZS5tYW5hZ2UiXX0.gVWLWK4FhFUzX2LbSoxXyb4Dnsk7ORByHU1eLHXskopcUVkJpgBpx3yawJISJHkuW58Ll9f-54ELIeeJyCiu63IcvcE4tPFIsF-HJsCl8qFHrUjTbUeZDr4ysgYjngkScPPaudwebHfnRVNMapd34hHOd4ghd5chMGNrrW4_wX-flFwMHCehwORoaDDwLKid8w0PszwkBCeCyVvDbOo6ievjx864zwJ6tNiFi6DU_Fk7T9CB2FWTDxHlgMDMCZNMO2QVv8MEErmhE0dCEFnBitd3Sj-a_NfN1Hh5fPo_cG8NS_2eZvAzuuTgi3RFlROS_7VWXrHvTC4ct2A1GP83ag",
  "scope": "okta.workflows.invoke.manage"
}
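
The same two steps done without Workflows, as an added example that is not part of the original article: a shell function that builds and signs the client_assertion with openssl, and one that posts the request body listed above with curl. The claim names (iss, sub, aud, iat, exp) follow the standard private_key_jwt layout and are an assumption, since the page names only the kid, Client ID, URL and ExpiresIn; the file name private.pem and the variables in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not Okta's own code. Requires openssl and curl.

# base64url without padding, as JWT segments require
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_client_assertion <private_key.pem> <kid> <client_id> <token_url> <expires_in>
# Prints a signed RS256 JWT for use as the client_assertion value.
make_client_assertion() (
  key=$1 kid=$2 cid=$3 url=$4 ttl=$5
  now=$(date +%s)
  # Header carries the kid of the public key registered on the app.
  header=$(printf '{"alg":"RS256","kid":"%s"}' "$kid" | b64url)
  # iss and sub are the Client ID; aud is the token URL (assumed claim layout).
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%d,"exp":%d}' \
    "$cid" "$cid" "$url" "$now" "$((now + ttl))" | b64url)
  # Sign "header.claims" with the private key (RSASSA-PKCS1-v1_5, SHA-256).
  sig=$(printf '%s.%s' "$header" "$claims" |
    openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
)

# request_access_token <token_url> <client_assertion>
# Sends the request body fields listed in "Set request body".
request_access_token() {
  curl -sS -X POST "$1" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=okta.workflows.invoke.manage' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$2"
}

# Usage (placeholder values):
#   TOKEN_URL="https://${yourOktaDomain}/oauth2/v1/token"
#   jwt=$(make_client_assertion private.pem "$KID" "$CLIENT_ID" "$TOKEN_URL" 300)
#   request_access_token "$TOKEN_URL" "$jwt"
```

Keep the ExpiresIn value short and the PEM file readable only by the account that runs the script, since anyone holding the key can mint assertions for this client.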

Invoke flow

 

To invoke an OAuth 2.0 secured flow, you can use Postman or Workflows.

 

Invoke with Postman

 

  1. Open the flow you created in step 2 of this guide.
  2. Copy the Invoke URL from the Endpoint settings.


Endpoint settings.

  3. In Postman:
    • Set the method to POST.
    • Paste the endpoint URL.
    • Select Bearer Auth for Auth Type and paste the access token.
    • Click Send.


Invoking a flow in Postman.

 

Invoke with Workflows

 

The following flow calls the OAuth 2.0 secured flow:

 


Calling an OAuth 2.0 secured flow.

Flow execution shows the result:

 


Result calling an OAuth 2.0 secured flow.

Flow template

Download and set up this flow template in your Workflows.
