-
Notifications
You must be signed in to change notification settings - Fork 665
[OKTA-1166344] OIDC and SAML guides #6231
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
thomascavanagh-okta
wants to merge
7
commits into
master
Choose a base branch
from
tc-okta-1166344-oag-offline-app-guide
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
05f9375
First draft and structure of guides.
thomascavanagh-okta 6ecdfbd
Update OIDC configure client section: fix issuer step, add endpoint d…
thomascavanagh-okta 861d45e
Edits
thomascavanagh-okta 48ffad3
Edits based on API spec feedback
thomascavanagh-okta f877685
SME edits
thomascavanagh-okta 07e6b63
Acrolinx and other small edits
thomascavanagh-okta 8ed058a
Apply suggestions from code review
thomascavanagh-okta File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9 changes: 9 additions & 0 deletions
9
packages/@okta/vuepress-site/docs/guides/oag-configure-apps-offline-mode/index.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| title: Add an app for Access Gateway offline mode | ||
| meta: | ||
| - name: description | ||
| content: Learn how to create a SAML or OIDC app for use with Access Gateway offline mode. | ||
| layout: Guides | ||
| sections: | ||
| - main | ||
| --- |
53 changes: 53 additions & 0 deletions
53
...s/@okta/vuepress-site/docs/guides/oag-configure-apps-offline-mode/main/index.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| title: Add an app for Access Gateway offline mode | ||
| meta: | ||
| - name: description | ||
| content: Learn how to create a SAML or OIDC app for use with Access Gateway offline mode. | ||
| layout: Guides | ||
| --- | ||
|
|
||
| <ApiLifecycle access="ea" /> | ||
|
|
||
| This guide explains how to create an app for use with Access Gateway offline mode. | ||
|
|
||
| > **Note:** The Access Gateway APIs used in this guide are available in a Limited Early Access program and may be updated or changed based on feedback. | ||
|
|
||
| --- | ||
|
|
||
| #### Learning outcomes | ||
|
|
||
| <StackSnippet snippet="learningoutcomes" /> | ||
|
|
||
| #### What you need | ||
|
|
||
| * Offline mode configured for Access Gateway. See [Configure offline mode for Access Gateway](/docs/guides/oag-offline-mode/main/). | ||
| * An identity provider (IdP) in your Access Gateway instance with failover mode set to `AUTOMATIC`. | ||
| * <StackSnippet snippet="wun" /> | ||
|
|
||
| --- | ||
|
|
||
| ## Learn about offline mode apps | ||
|
|
||
| By default, apps behind Access Gateway require a connection to Okta to authenticate users. If Okta is unreachable, authentication fails and users can't access the app. | ||
|
|
||
| Offline mode apps are configured with a local directory as a fallback authentication source. When Access Gateway detects that Okta is unavailable, it switches to offline mode and authenticates users against the local directory instead. From the user's perspective, the sign-in flow looks the same regardless of whether Okta is reachable. | ||
|
|
||
| Offline mode apps require the authentication service and directory sync to be configured before you create the app. See [Configure offline mode for Access Gateway](/docs/guides/oag-offline-mode/main/). | ||
|
|
||
| ## Overview | ||
|
|
||
| <StackSnippet snippet="overview" /> | ||
|
|
||
| ## What to know before creating the app | ||
|
|
||
| <StackSnippet snippet="requirements" /> | ||
|
|
||
| ## Create the app | ||
|
|
||
| <StackSnippet snippet="procedure" /> | ||
|
|
||
| ## See also | ||
|
|
||
| * [Configure offline mode for Access Gateway](/docs/guides/oag-offline-mode/main/) | ||
| * [Access Gateway API documentation](https://developer.okta.com/docs/api/openapi/oag/guides/overview) | ||
| * [Okta Access Gateway documentation](https://help.okta.com/okta_help.htm?type=oag&id=ext_oag_main) | ||
1 change: 1 addition & 0 deletions
1
...-site/docs/guides/oag-configure-apps-offline-mode/main/openidconnect/apptype.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| OIDC |
2 changes: 2 additions & 0 deletions
2
...s/guides/oag-configure-apps-offline-mode/main/openidconnect/learningoutcomes.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| * Create an OpenID Connect (OIDC) app in Access Gateway using the Access Gateway API | ||
| * Configure your client app using the Access Gateway OIDC discovery document |
10 changes: 10 additions & 0 deletions
10
...site/docs/guides/oag-configure-apps-offline-mode/main/openidconnect/overview.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| When the connection to Okta is unavailable, users can still sign in through Access Gateway and access OIDC apps. Access Gateway uses an embedded OIDC provider to issue tokens and falls back to local directory authentication when Okta is unreachable. | ||
|
|
||
| OIDC tokens issued by Access Gateway have the `iss` claim set to the Access Gateway authorization server domain, not your Okta tenant domain. Configure your client app to expect tokens from Access Gateway. For an overview of OIDC, see [OAuth 2.0 and OpenID Connect overview](/docs/concepts/oauth-openid/). | ||
|
|
||
| This is the typical flow to configure an OIDC app in Access Gateway: | ||
|
|
||
| 1. Create the app, specifying the app type, redirect URIs, and client credentials. See [Create the app](#create-the-app). | ||
| 1. Configure your client app to use Access Gateway as the OIDC provider. Retrieve the discovery document from Access Gateway to get the endpoint URLs that your client needs. See [Configure your client app](#configure-your-client-app). | ||
|
|
||
| OIDC apps in Access Gateway can only be created and configured using the Access Gateway API. You can view OIDC apps in the Access Gateway UI console, but you can't add or edit them there. | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
150 changes: 150 additions & 0 deletions
150
...ite/docs/guides/oag-configure-apps-offline-mode/main/openidconnect/procedure.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| In this example, create a web app that supports the authorization code with PKCE flow and refresh tokens. | ||
|
|
||
| Before you begin, have your `clientId` and `clientSecret` ready. You define these values when you set up your OIDC client app. Access Gateway doesn't generate them. Store the `clientSecret` securely before you make the request. | ||
|
|
||
| 1. Create the OIDC app in Access Gateway by sending a `POST` request to the Create an application [endpoint](https://developer.okta.com/docs/api/openapi/oag/oag/tags/applications/other/createapplication). Use the following [request example](#request-example) as a template. | ||
| 1. In the request body, set the following values for your app: | ||
| 1. Set `label` as the display name for the app. | ||
| 1. Set `clientId` as a unique identifier for your client app. | ||
| 1. Set `clientSecret` to the value you defined before making this request. | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
| 1. Set `redirectUris` as your client app's callback URL. | ||
| 1. For `allowedScopes`, include any combination of `openid`, `profile`, `email`, and `offline_access`. This determines which scopes the app can request. | ||
| 1. For `accessTokenLifetime` and `refreshTokenLifetime`, set the desired values in seconds. These determine how long tokens issued for this app are valid. | ||
| [[style="list-style-type:lower-alpha"]] | ||
| 1. Send the POST request. | ||
|
|
||
| ### Request example | ||
|
|
||
| ```bash | ||
| curl -i -X POST \ | ||
| 'https://{oaghostname}/api/v2/apps' \ | ||
| -H 'Authorization: Bearer <YOUR_JWT_HERE>' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{ | ||
| "type": "OAG_OIDC", | ||
| "label": "Test OIDC App - Auth Code", | ||
| "description": "OIDC application using authorization code flow with PKCE", | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
| "applicationType": "web", | ||
| "clientId": "<client-id>", | ||
| "clientSecret": "<client-secret>", | ||
| "redirectUris": [ | ||
| "https://example.com/callback" | ||
| ], | ||
| "responseTypes": [ | ||
| "code" | ||
| ], | ||
| "grantTypes": [ | ||
| "authorization_code", | ||
| "refresh_token" | ||
| ], | ||
| "tokenEndpointAuthMethod": "client_secret_post", | ||
| "pkceRequired": true, | ||
| "allowedScopes": [ | ||
| "openid", | ||
| "profile", | ||
| "email", | ||
| "offline_access" | ||
| ], | ||
| "accessTokenLifetime": 3600, | ||
| "refreshTokenLifetime": 86400 | ||
| }' | ||
| ``` | ||
|
|
||
| ### Response example | ||
|
|
||
| ```json | ||
| { | ||
| "id": "app-oidc-123", | ||
| "type": "OAG_OIDC", | ||
| "label": "Test OIDC App - Auth Code", | ||
| "description": "OIDC application using authorization code flow with PKCE", | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
| "applicationType": "web", | ||
| "status": "ACTIVE", | ||
| "clientId": "<client-id>", | ||
| "redirectUris": [ | ||
| "https://example.com/callback" | ||
| ], | ||
| "responseTypes": [ | ||
| "code" | ||
| ], | ||
| "grantTypes": [ | ||
| "authorization_code", | ||
| "refresh_token" | ||
| ], | ||
| "tokenEndpointAuthMethod": "client_secret_post", | ||
| "pkceRequired": true, | ||
| "allowedScopes": [ | ||
| "openid", | ||
| "profile", | ||
| "email", | ||
| "offline_access" | ||
| ], | ||
| "accessTokenLifetime": 3600, | ||
| "refreshTokenLifetime": 86400, | ||
| "deviceFlowEnabled": false, | ||
| "clientCredentialsEnabled": false, | ||
| "_embedded": { | ||
| "session": { | ||
| "maxIdleTimeMinutes": 60 | ||
| }, | ||
| "behavior": { | ||
| "reAuthenticateOnAccessDenied": false | ||
| }, | ||
| "healthCheck": { | ||
| "enabled": true | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Configure your client app | ||
|
|
||
| After you create the app in Access Gateway, configure your client to use Access Gateway as its OIDC provider. | ||
|
|
||
| Your client app must be pointed at Access Gateway, not your Okta tenant, for authentication to work. Use the OIDC discovery document to configure your client's OIDC settings. It's a JSON file that's served at `/.well-known/openid-configuration` on your Access Gateway authorization server. It contains all the endpoint URLs that your client needs. | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
|
|
||
| 1. Retrieve your `idpId` by using the List all IdPs [endpoint](https://developer.okta.com/docs/api/openapi/oag/oag/tags/idps/other/listidps). Select the IdP that has failover mode set to `AUTOMATIC`. | ||
| 1. Use the Retrieve the OpenID Connect discovery document [endpoint](https://developer.okta.com/docs/api/openapi/oag/oag/tags/oidc/other/getopenidconnectdiscovery) with your `idpId` as the path parameter. | ||
| 1. In the response from the discovery document endpoint, note the endpoint URLs that are returned. See the following [response example](#oidc-discovery-document-response-example). | ||
| 1. Use the endpoint URLs to configure your client's OIDC settings. The document includes the following endpoints: | ||
| 1. `authorization_endpoint`: Where the client sends the user to sign in | ||
| 1. `token_endpoint`: Where the client exchanges an authorization code for tokens | ||
| 1. `userinfo_endpoint`: Where the client retrieves claims about the signed-in user | ||
| 1. `introspection_endpoint`: Where the client checks whether a token is still valid | ||
| 1. `revocation_endpoint`: Where the client invalidates a token on sign-out | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
| [[style="list-style-type:lower-alpha"]] | ||
| 1. Set your client's issuer to the `issuer` value from the discovery document. Your client uses this value to validate the `iss` claim in tokens it receives. | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
|
|
||
| > **Note:** Access Gateway sets the `iss` claim to its own authorization server domain, not your Okta tenant domain. If your client is configured to validate tokens from Okta, update the issuer to the Access Gateway domain. | ||
|
|
||
| ### OIDC discovery document response example | ||
|
|
||
| ```json | ||
| { | ||
| "issuer": "https://oag.example.com/realms/{idpId}", | ||
| "authorization_endpoint": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/auth", | ||
| "token_endpoint": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/token", | ||
| "userinfo_endpoint": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/userinfo", | ||
| "jwks_uri": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/certs", | ||
| "introspection_endpoint": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/token/introspect", | ||
| "revocation_endpoint": "https://oag.example.com/realms/{idpId}/protocol/openid-connect/revoke", | ||
| "scopes_supported": [ | ||
| "openid", | ||
| "profile", | ||
| "email", | ||
| "offline_access" | ||
| ], | ||
| "response_types_supported": [ | ||
| "code" | ||
| ], | ||
| "grant_types_supported": [ | ||
| "authorization_code", | ||
| "refresh_token", | ||
| "client_credentials" | ||
| ], | ||
| "token_endpoint_auth_methods_supported": [ | ||
| "client_secret_post", | ||
| "client_secret_basic" | ||
| ] | ||
| } | ||
| ``` | ||
41 changes: 41 additions & 0 deletions
41
.../docs/guides/oag-configure-apps-offline-mode/main/openidconnect/requirements.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| Before you create the app, ensure that you have the following information: | ||
|
|
||
| * The redirect URI for your client app. | ||
| * The `applicationType` for your client app (`web`, `native`, or `spa`). This determines which OAuth 2.0 flows are supported and whether a client secret is required. | ||
|
|
||
| Review the following sections to understand the requirements for your app and how to configure the app settings in Access Gateway when you create it. | ||
|
|
||
| ### Scopes and claims | ||
|
|
||
| Access Gateway supports the `openid`, `profile`, `email`, and `offline_access` scopes. Include `offline_access` in `allowedScopes` when you create the app to enable refresh tokens. | ||
|
|
||
| The following claims are included in tokens based on the granted scopes: | ||
|
|
||
| | Claim | Scope | Description | | ||
| | --- | --- | --- | | ||
| | `sub` | `openid` | Subject identifier | | ||
| | `name` | `profile` | Full name of the user | | ||
| | `email` | `email` | Email address of the user | | ||
|
|
||
| Include the `offline_access` scope in `allowedScopes` to enable refresh tokens. Without this scope, Access Gateway doesn't issue a refresh token. When a mode transition occurs, existing refresh tokens are invalidated and users must re-authenticate. | ||
|
|
||
| ### Token lifetimes and behavior | ||
|
|
||
| You can configure access token and refresh token lifetimes per app using `accessTokenLifetime` and `refreshTokenLifetime` in the request body when you create the app. If you omit these fields, the following default settings apply: | ||
|
|
||
| | Token | Default lifetime | | ||
| | --- | --- | | ||
| | Access token | 15 minutes | | ||
| | Refresh token | 7 days | | ||
|
|
||
| Also note that refresh tokens are mode-specific. A refresh token that's issued in online mode can't be used after Access Gateway switches to offline mode. When a mode transition occurs, users must re-authenticate. | ||
|
|
||
| ### Types of OIDC apps | ||
|
|
||
| You can create three different types of OIDC apps. The `applicationType` determines which OAuth 2.0 flows are supported and whether a client secret is required. | ||
|
|
||
| | App type | Supported flows | Client secret | | ||
| | --- | --- | --- | | ||
| | `web` (server-side web apps) | Authorization Code + PKCE, client credentials, refresh token | Required | | ||
| | `native` (mobile or desktop apps) | Authorization Code + PKCE, refresh token; device grant optional | Optional | | ||
| | `spa` (single-page apps) | Authorization Code + PKCE only | Not used | |
1 change: 1 addition & 0 deletions
1
...ress-site/docs/guides/oag-configure-apps-offline-mode/main/openidconnect/wun.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| An OIDC client app and its redirect URI |
1 change: 1 addition & 0 deletions
1
...vuepress-site/docs/guides/oag-configure-apps-offline-mode/main/saml2/apptype.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| SAML |
2 changes: 2 additions & 0 deletions
2
...site/docs/guides/oag-configure-apps-offline-mode/main/saml2/learningoutcomes.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| * Create a SAML app in Access Gateway using the Access Gateway API | ||
| * Configure your Service Provider (SP) using the IdP metadata returned by Access Gateway |
9 changes: 9 additions & 0 deletions
9
...uepress-site/docs/guides/oag-configure-apps-offline-mode/main/saml2/overview.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| When the connection to Okta is unavailable, users can still sign in through Access Gateway and access SAML apps. Access Gateway uses the authentication service to authenticate users against your offline directory and issues a SAML assertion to the SP. For background on SAML, see [Understanding SAML](/docs/concepts/saml/). | ||
|
|
||
| Configuring a SAML app involves establishing a mutual trust between Access Gateway, which acts as the IdP, and your client app, which acts as the SP. This is the typical flow when you configure a SAML app in Access Gateway: | ||
|
|
||
| 1. You provide the SP's entity ID and certificate to Access Gateway when you create the app. See [Create the app](#create-the-app). | ||
| 1. You define attributes to specify what user data Access Gateway includes in the SAML assertion it sends to the SP. See [Create attributes and configure the client app](#create-attributes-and-configure-the-client-app). | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
| 1. Access Gateway returns its own IdP metadata for you to configure in the SP. See [Configure your client app with Access Gateway IdP metadata](#configure-your-client-app-with-access-gateway-idp-metadata). | ||
|
|
||
| SAML apps in Access Gateway can only be created and configured using the Access Gateway API. You can view SAML apps in the Access Gateway UI console, but you can't add or edit them there. | ||
|
thomascavanagh-okta marked this conversation as resolved.
Outdated
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.