
MarkH.03024 (Customer) asked a question.
I'm setting up a SCIM integration between Okta and my downstream system. I have a lightweight Proxy (Spring Boot) to handle the SCIM translation.
To secure this integration, I would prefer to use an OAuth2 bearer token. On paper, this looks like the most secure option. This integration is purely server-to-server.
However, the SCIM integration setup screen simply takes a static bearer token (copy/pasted at setup time) and sends it with each request. It appears that the Okta SCIM integration has no way to refresh this token. As far as I can determine, the access token is expected to never expire. I'm basing these comments on the conversation at:
Not having an access token expire seems like a massive security concern, but I think that's what we're stuck with.
Questions:
- For this SCIM integration, am I correct in concluding that we can only use a non-expiring token, or at least a token with a long expiry time?
- Who is expected to issue the access token? Can I use my own existing Okta Authorization server to do this (by asking for an access token via client_credentials)? I've made some attempts, but there doesn't seem to be a way to get Okta to issue non-time-limited access tokens (it refuses to issue a token with a timeout of longer than one day)
- or am I supposed to stand up my own Authorization Server in the client app (or proxy service) and have it issue non-time-limited tokens?
- or should I instead be using one of the other auth options (Basic or custom header)? I am admittedly slightly confused on this, but it does look like sending a custom header to my SCIM endpoints for auth is just as secure as having a non-expiring OAuth bearer token (?)

Hi Mark,
1. For this SCIM integration, am I correct in concluding that we can only use a non-expiring token, or at least a token with a long expiry time?
If you are setting up the SCIM server details through a SCIM template, then Okta will require only a valid access token to perform the SCIM requests. The SCIM template is used to pre-configure provisioning for an OIN application; once you confirm requests are successful, you can submit it on https://oinmanager.okta.com and have it published inside our Okta Integration Network. During the submission, you have the option to configure the authorization server details in order for Okta to request an access token from the authorization server.
Once the application is submitted in the Okta Integration Network, when a mutual customer adds the application in their Okta tenant, under the Provisioning tab they will see a button to authenticate with <name of your application>. After clicking on the button, Okta will perform an authorization code flow against the authorization server and retrieve an access token that will be used for further communication with the SCIM server.
If you are setting up the SCIM server details through an application created with the Application Integration Wizard (Admin >> Applications >> Add Application >> Create New App >> SWA or SAML), once you enable SCIM provisioning from the General tab, you will be able to configure the authorization server details under the Provisioning tab in order to request the access token from Okta.
2. Who is expected to issue the access token? Can I use my own existing Okta Authorization server to do this (by asking for an access token via client_credentials)? I've made some attempts, but there doesn't seem to be a way to get Okta to issue non-time-limited access tokens (it refuses to issue a token with a timeout of longer than one day)
The issuer of the access token is the authorization server that is added in the application's configuration details. From Okta's side, we are supporting only authorization code flow requests to retrieve an access token.
If you would like to use Okta to generate an access token, the best solution would be to set up the /authorize URL (if using an Application Integration Wizard app) in the form "https://{your_subdomain}.okta.com/oauth2/{authorization_server}/v1/authorize?scope=offline_access" in order to tell Okta to also retrieve a refresh token and refresh the current access token that is used for SCIM provisioning.
3. or am I supposed to stand up my own Authorization Server in the client app (or proxy service) and have it issue non-time-limited tokens?
This is also an option if you prefer not to use Okta as an authorization server. In this case, the authorization server used would need to support the authorization code flow as specified in RFC 6749.
4. or should I instead be using one of the other auth options (Basic or custom header)? I am admittedly slightly confused on this, but it does look like sending a custom header to my SCIM endpoints for auth is just as secure as having a non-expiring OAuth bearer token (?)
If you want to use a static header, then this is possible and it's an easier integration to perform; however, from a security point of view, it's less secure because, if someone finds the header used, they will be able to access and perform actions on the SCIM server.
If you have any additional questions, please feel free to reach out through an email to developers@okta.com.
Dragos Gaftoneanu
Developer Support Engineer
Okta Global Customer Care
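As an added example (not code from this thread, from Okta, or from Mark's proxy), here is how a SCIM proxy could enforce the two options Dragos compares: the static custom header checked in constant time, and an Okta-issued bearer JWT checked for expiry, issuer and audience. It is written in Python rather than Spring Boot for brevity; the ISSUER and AUDIENCE values are assumed placeholders, and signature verification against the issuer's JWKS is assumed to be done by a JWT library before this check runs.

```python
import base64
import hmac
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_static_header(presented, expected):
    """Custom-header option: one long-lived shared secret, compared in
    constant time so response timing does not leak the expected value."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

def check_bearer_jwt(auth_header, issuer, audience, now=None):
    """Bearer option: enforce exp, iss and aud on the presented access token.
    Assumes the signature was already verified against the issuer's JWKS by
    the JWT library in front of this check (not repeated here)."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return False, "malformed token"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"

def make_sample_token(claims):
    # Constructed, unsigned sample token for demonstration only
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig-placeholder"

ISSUER = "https://example.okta.com/oauth2/default"  # assumed issuer URL
AUDIENCE = "api://scim-proxy"                         # assumed audience value
```

With the static header, a leaked value stays valid until it is rotated by hand, whereas the bearer check rejects the token on its own once exp has passed, which is the trade-off the answer above describes.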
@dragos.gaftoneanu1.5193128389903699E12 (Okta, Inc.) I realize this thread is old, but we are in a similar situation with a similar set of questions. The difference is, our SCIM deployment is not going to be exposed to anyone outside of our organization. We will utilize it to manage users between our family of applications. We were told we don't have to submit for OIN review in this case.
Currently all our applications are using tokens issued by our org Okta instance acting as authorization server. We have configured the SCIM application within this same Okta instance as an SWA app (not using the SCIM template) and configured the Provisioning -> Integration section to use header authentication. The token is a long-lived JWT. We are able to hit SCIM endpoints and everything works well. However, when we hit a SCIM endpoint we would like to turn around and call one of our legacy user management APIs that is protected by Okta. For that we would need to pass an access token issued by Okta. We are unsure how to configure SCIM to use the authorization code flow or any other flow, so that it could request access tokens from the same Okta instance that is hosting the SCIM integration. The documentation doesn't describe this case well. We would appreciate any pointers!
Thank you for your extensive reply Dragos. I appreciate it.