Okta Identity Engine | Advanced Server Access | Answered | 2024-04-16T11:07:37.000Z | 2021-01-23T12:36:52.000Z | 2021-01-26T01:55:50.000Z

yyy8v (yyy8v) asked a question.

Using Okta for Server To Server Authorization

We have the following requirement for securing our APIs (APIs that are used by a client's server):

1) Register a new client (with certain scopes) and provide them with an API key for our API

2) Client sends our server the API key, we make a token request to Okta and return a short-lived access token to the client

3) The client uses the token for any API requests, we verify that the JWT is signed and check that the scopes match those listed for the endpoint

None of the examples I have come across so far satisfies this need. Because this will be used for server-to-server authentication, the login page -> redirect with code flow won't work.

Is there any way that we can implement the above type of flow, or something similar, using Okta?

Basically we just need a simple way of generating an API key for a new client, place them in a group with certain scopes and allow them to use that API key to get an access token for our endpoints...

Any help will be much appreciated.

Regards


  • Hi @yyy8v (yyy8v),

    The easiest solution to implement this functionality would be the following:

    1. user enrolls for the API key

    2. the application generates an API key and a reference ID for it, saves them in the database and then sends the request to Okta to create a client credentials application like the following:


    curl --location --request POST 'https://example.okta.com/api/v1/apps' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: SSWS api-token-here' \
    --data-raw '{
      "name": "oidc_client",
      "label": "App api-key-ref-id",
      "signOnMode": "OPENID_CONNECT",
      "credentials": {
        "oauthClient": {
          "token_endpoint_auth_method": "client_secret_basic",
          "client_id": "api-key-ref-id",
          "client_secret": "api-key-for-user"
        }
      },
      "settings": {
        "oauthClient": {
          "client_uri": null,
          "logo_uri": null,
          "redirect_uris": [],
          "response_types": [
            "token"
          ],
          "grant_types": [
            "client_credentials"
          ],
          "application_type": "service"
        }
      }
    }'


    3. the user sends the API key to your server

    4. the server receives the API key, checks it against the database, retrieves the reference ID for it and then sends an API call to Okta:

    curl --request POST \
      --url https://example.okta.com/oauth2/default/v1/token \
      --header 'accept: application/json' \
      --header 'authorization: Basic MG9hY...' \
      --header 'cache-control: no-cache' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=client_credentials&scope=scope1 scope2 scope3'

    where:

    - the authorization header is calculated based on the formula base64-encode(api-key-ref-id + ":" + api-key), provided the client ID is the reference ID and the client secret is the API key, which were set up during step 2

    - "scope1 scope2 scope3" are the specific scopes created on the authorization server under Admin >> Security >> API >> Authorization Servers >> your authorization server >> Scopes (or Admin >> API >> Authorization Servers >> your authorization server >> Scopes if using the development administrative console)

    5. Okta will return an access token for the user


    Dragos Gaftoneanu

    Developer Support Engineer

    Okta Global Customer Care

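As an added example (not part of the original post and not Okta's own code): a minimal Python sketch of the server side of steps 2 and 4 above, plus the scope check from the question's step 3. The in-memory store, the function names and the use of Okta's `scp` claim are assumptions; the token request is only assembled, not sent, so the code runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Constructed stand-in for the database from step 2: maps sha256(api_key) -> reference ID.
# Only the hash is stored, so a database leak does not expose usable API keys.
API_KEY_STORE: Dict[str, str] = {}


def enroll_client() -> tuple:
    """Step 2: mint an API key and a reference ID; the reference ID becomes the Okta client_id."""
    api_key = secrets.token_urlsafe(32)
    ref_id = "api-key-ref-" + secrets.token_hex(8)
    API_KEY_STORE[hashlib.sha256(api_key.encode()).hexdigest()] = ref_id
    return api_key, ref_id


def lookup_ref_id(presented_key: str) -> Optional[str]:
    """Step 4: resolve a presented API key to its reference ID using a constant-time comparison."""
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    for stored_digest, ref_id in API_KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return ref_id
    return None


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic as described in the answer: base64(client_id + ':' + client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(okta_org: str, presented_key: str, scopes: List[str]) -> Optional[dict]:
    """Assemble the client-credentials request from step 4; None when the key is unknown."""
    ref_id = lookup_ref_id(presented_key)
    if ref_id is None:
        return None  # unknown key: never forward it to Okta
    return {
        "url": f"https://{okta_org}/oauth2/default/v1/token",
        "headers": {"accept": "application/json",
                    "authorization": basic_auth_header(ref_id, presented_key),
                    "content-type": "application/x-www-form-urlencoded"},
        # urlencode form-encodes the space-separated scope list (spaces become '+')
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }


def scopes_satisfied(scp_claim: List[str], required: set) -> bool:
    """Question step 3: every scope the endpoint requires must appear in the (signature-verified) token's scp claim."""
    return required <= set(scp_claim)
```

Signature verification of the returned JWT against the authorization server's JWKS is left to a JWT library; `scopes_satisfied` is only meaningful on a token whose signature has already been checked.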
This question is closed.