0
votes

Description: Key Manager OKTA doesn't work when the API is subscribed to an application other than the Default Application in the DevPortal of WSO2 APIM 3.2.0

Steps to reproduce:

  1. Login to the admin portal using admin credentials.
  2. Register the OKTA key manager with the details collected from OKTA. Ensure the steps mentioned in the documentation are followed.
  3. Keep the Token Generation, Out Of Band Provisioning and OAuth App Creation options enabled.
  4. Login to the Publisher Portal using admin credentials.
  5. Deploy the PizzaShack API.
  6. Go to Runtime Configurations; under Application Security, keep only the OKTA Key Manager allowed for the API.
  7. Save and publish the API.
  8. Login to the Developer Portal using admin credentials.
  9. Create a new Application for OKTA exactly as mentioned here https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-okta-connector/.
  10. Subscribe the PizzaShack API to the new application.
  11. Generate the access token for an OKTA end user directly via the OKTA API.

The OKTA end user is not available in the WSO2 user store, and the WSO2 DevPortal is not used to generate the access token.

  12. Make a request to the PizzaShack API using the generated access token.
  13. WSO2 returns the error below:

      <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
          <ams:code>900908</ams:code>
          <ams:message>Resource forbidden </ams:message>
          <ams:description>User is NOT authorized to access the Resource. API Subscription validation failed.</ams:description>
      </ams:fault>

  14. Go to the DevPortal and unsubscribe PizzaShack from the new application.
  15. Subscribe the PizzaShack API to the default application and save.
  16. Make a request to the PizzaShack API using the earlier generated access token.
  17. WSO2 responds with the API result.

1 Answer

0
votes

Our front end application was using an SPA OKTA application to generate the access token. However, registering this as an OKTA key manager was not supported. We followed the steps below and made it work.

  • Create a new OKTA application under the same authorization server, of type web. Generate the API Key, Client ID and Client Secret.
  • Add the OKTA key manager using the above details. Disable the OAuth App Creation option, as it is not required.
  • Go to the DevPortal and add a new application. Under the OKTA key manager, select "Provide Existing Auth keys".
  • Enter the client ID generated for the SPA app in OKTA. Keep the consumer secret empty and save.
  • Subscribe to the PizzaShack API and invoke the API using an access token generated from the SPA OKTA app.
  • WSO2 accepts the request and responds with the result.

Since the consumer key attached within the access token is used to identify the subscribed application, it is mandatory to provide the consumer key as the client ID in the respective section.
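A simplified model of the check the answer describes, added here as an example and not code from the post or from WSO2: the gateway reads the consumer key out of the access token, finds the application that owns that key, and only then checks whether that application is subscribed to the API. It assumes Okta puts the OAuth client ID in the token's `cid` claim; all client IDs, the token and the application records are constructed sample data, and the token is not signature-checked (the real gateway does that before looking at claims).

```python
import base64
import json

# Constructed sample values (not from the original post).
SPA_CLIENT_ID = "0oa_spa_example"  # client ID of the SPA app that actually minted the token
WEB_CLIENT_ID = "0oa_web_example"  # client ID of the separate "web" app used to register the key manager


def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload):
    """header.payload.signature with a dummy signature: this model only inspects claims."""
    return ".".join([b64url({"alg": "RS256", "kid": "demo"}), b64url(payload), "sig"])


def client_id_from_token(token):
    """Okta access tokens carry the OAuth client ID in the 'cid' claim (assumption stated above)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["cid"]


def validate_subscription(token, applications, api_name):
    """Model of the gateway's subscription check.
    Returns (http_status, ams_code): 900908 is the 'API Subscription validation failed' fault."""
    cid = client_id_from_token(token)
    for app in applications:
        if cid in app["consumer_keys"]:
            return (200, None) if api_name in app["subscriptions"] else (403, 900908)
    # No application owns the consumer key found in the token, so there is no subscription to match.
    return 403, 900908


# Token minted by the SPA app for an Okta end user who does not exist in the WSO2 user store.
TOKEN = make_unsigned_jwt({"iss": "https://example.okta.com/oauth2/default",
                           "cid": SPA_CLIENT_ID, "sub": "enduser@example.com"})

# Setup from the question: the DevPortal app holds a freshly generated key, which never
# appears in tokens issued by the SPA app, so the lookup above finds no application.
APPS_BEFORE = [{"name": "OktaApp", "consumer_keys": {WEB_CLIENT_ID}, "subscriptions": {"PizzaShack"}}]

# Fix from the answer: "Provide Existing Auth keys" with the SPA client ID as the consumer key.
APPS_AFTER = [{"name": "OktaApp", "consumer_keys": {SPA_CLIENT_ID}, "subscriptions": {"PizzaShack"}}]

if __name__ == "__main__":
    print("before fix:", validate_subscription(TOKEN, APPS_BEFORE, "PizzaShack"))  # (403, 900908)
    print("after fix: ", validate_subscription(TOKEN, APPS_AFTER, "PizzaShack"))   # (200, None)
```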