Welcome to the lab on Apigee Integration with Okta!

The goal of this lab is to walk you through configuring and using the Apigee Identity Facade to integrate with Okta and authenticate users.

We assume the basic knowledge of Apigee platform and you will get the most from this hackathon if you do.

Ideally you will have completed the Coursera Apigee Design, Development and Security Courses.

Alternatively, completing the Apigee API Jam will cover the same topics in less depth.

Lets get started!

Tools

Here are the tools needed to complete the tasks:

Retrieve Apigee URL

The URL configured in the Apigee Environment group is needed so Okta can be configured with the correct redirection setting.

Use Apigee UI

  1. Open the Apigee Portal
  2. Expand Admin - Environments and click on Groups
  3. Copy the Hostname(s)
    • Note that eval organization have a default hostname of {publicip}.nip.io. ex: 34.149.2.239.nip.io

Eval Hostname

Create Okta User

  1. Sign into your Okta developer portal
  2. In the left hand side navigate to the directory - People
  3. Click on Add person
    • A valid email is not needed if the Password is set by Admin
    Create user
  4. Click Save

Create Okta App

  1. In the left hand side navigate to Applications - Applications
  2. Click on Create App Integration
  3. In the window that opens, select OIDC - OpenID Connect and Web Application and click Next to create the AppCreate App
  4. In the next screen, configure the following
    • App integration name: Apigee App
    • Sign-in redirect URIs:
      https://{env group hostname}/v1/oauth20/callback
      
    • example:
      https://34.149.2.239.nip.io/v1/oauth20/callback
      
    • This url points to the idp facade that will be deployed to Apigee
    • Controlled access: Allow everyone
    App NameRedirectAssignments
  5. Click Save to be taken to the properties of the Okta app just createdApp Properties
  6. Save the client ID, client secret, and Okta domain as environment variables
    export TEST_IDP_APIGEE_CLIENT_ID={Client ID above}]
    export TEST_IDP_APIGEE_CLIENT_SECRET={Client Secret above}
    export IPD_HOSTNAME={Okta domain above}
    
  1. In a command line, clone the devrel repo
    git clone https://github.com/apigee/devrel.git
    
  2. Navigate to the identity facade directory
    cd devrel/references/identity-facade
    
  3. Run the following commands to set the environment variables required for the setup
    export IDP_DISCOVERY_DOCUMENT="https://$IPD_HOSTNAME/.well-known/openid-configuration"
    export APIGEE_X_ORG={your org name}
    export APIGEE_X_ENV={Apigee environment name. Default is eval}
    export APIGEE_X_HOSTNAME={your Apigee hostname ex:34.149.2.239.nip.io)
    
  4. Verify the variables have been set correctly
    echo $IDP_DISCOVERY_DOCUMENT
    echo $TEST_IDP_APIGEE_CLIENT_ID
    echo $TEST_IDP_APIGEE_CLIENT_SECRET
    echo $APIGEE_X_ORG
    echo $APIGEE_X_ENV
    echo $APIGEE_X_HOSTNAME
    
  5. Deploy the identity facade
    ./pipeline.sh --googleapi
    
    • The output is shown below. The values for consumerKey and consumerSecret are from the Apigee identityApp that was created as part of the Identity Facade deployment. idp facade output
  6. Copy and save the following values:
    • consumerKey
    • consumerSecret
    • authorization URL
  7. Finally, generate environment variables for use later.
    • Base64 encoding of client id and secret for use during Basic Auth in tests
    export APIGEE_CLIENT_ID={consumerKey above}
    export APIGEE_SECRET={consumerSecret above}
    export BASE64_ENCODED=$(echo -n $APIGEE_CLIENT_ID:$APIGEE_SECRET | base64)
    

This test will simulate a three-legged OAuth 2.0 flow / authorization grant

  1. Open an incognito tab in a browser and visit the authorization URL captured above
    • This step simulates an application attempting to authenticate against the Apigee Identity Facade.
    • You can generate the authorization url using the command below.
    export AUTH_URL="https://$APIGEE_X_HOSTNAME/v1/oauth20/authorize?client_id=$APIGEE_CLIENT_ID&response_type=code&scope=openid email profile&state=abcd-1234&redirect_uri=https://mocktarget.apigee.net/echo"
    echo $AUTH_URL
    
  2. Apigee will redirect to Okta to generate an authorization code. Log in using the Okta credentials for the user created earlier.Okta Auth
  3. After successful authentication, Okta redirects to the Apigee callback URL (/v1/oauth20/callback), which controls the incoming query parameters, generate an authorization code (using the same value as the one provided by Okta) and performs a redirection on the client app redirect_uri https://mocktarget.apigee.net/echo providing the authorization_code and initial state parameters.
    • In a real-world scenario, the redirection would be back to the client application and it would parse Okta's response to capture the authorization code
    Okta auth code
  4. Pass the authorization code, client id, and base64 encoded string to Apigee Identity Facade to generate a Bearer token that will be used for API calls.
    export AUTH_CODE={authorization code returned above}
    export APIGEE_RESPONSE=$(curl -s --location --request POST "https://$APIGEE_X_HOSTNAME/v1/oauth20/token?client_id=$APIGEE_CLIENT_ID" \
    --header "Authorization: Basic $BASE64_ENCODED" \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'redirect_uri=https://mocktarget.apigee.net/echo' \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode "code=$AUTH_CODE")
    echo $APIGEE_RESPONSE
    export ACCESS_TOKEN=$(echo $APIGEE_RESPONSE | jq -r .access_token)
    echo $ACCESS_TOKEN
    
  5. Apigee will respond with a Bearer token (access_token) which is saved to an environment variable
  6. Finally, call an endpoint protected by OAuth. The identity facade has /protected one configured to validate OAuth tokens.
    curl --location --request GET "https://$APIGEE_X_HOSTNAME/v1/oauth20/protected" \
    --header "Authorization: Bearer $ACCESS_TOKEN"
    
    IDP Test

Congratulations! You've now successfully integrated your Apigee environment with a 3rd party IDP, Okta, and secured your API using OAuthV2 tokens.