
techops-staffing/kong-okta-auth-plugin


Kong Okta Auth Plugin


Kong Plugin to validate OAuth 2.0 access tokens against an OKTA Authorization Server.

When enabled, this plugin validates the token and adds new headers to the request based on the claims in the provided JWT access token. The generated headers follow the naming convention OKTA-<field-name>.

The headers OKTA-Group, OKTA-Scope and OKTA-Username are included with requests forwarded to APIs. All preexisting headers prefixed with OKTA, as well as the Authorization header, are stripped from the request.

Example

JWT payload:

{
  "ver": 1,
  "iss": "https://okta.com/oauth2/auth-server-id",
  "aud": "https://api.com",
  "iat": 1507122921,
  "exp": 1508203412,
  "cid": "cid",
  "uid": "uid",
  "scp": [
    "read",
    "write"
  ],
  "sub": "[email protected]",
  "group": [
    "Everyone"
  ]
}

Headers included with request:

OKTA-Group: "Everyone"
OKTA-Scope: "read write"
OKTA-Username: "[email protected]"
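The claim-to-header mapping above, written out as a small Python model so the behaviour can be checked against the sample payload. This is an added illustration, not code from the plugin (which is written in Lua); it assumes the JWT signature has already been verified upstream, that the plugin's authorization_server and client_id settings are compared against the iss and cid claims (the client_id comparison is an assumption), that the expected audience is a hypothetical expected_audience setting, and that multiple groups are space-joined the same way multiple scopes are. Header names are compared case-insensitively so a client-supplied "okta-group" header is stripped just like "OKTA-Group".

```python
from typing import Dict, Optional, Tuple

# Hypothetical plugin configuration, constructed to mirror the README's curl parameters.
CONFIG = {
    "authorization_server": "https://okta.com/oauth2/auth-server-id",
    "client_id": "cid",
    "expected_audience": "https://api.com",  # assumption: the API's own audience value
}

# Constructed sample payload, copied from the README's example JWT.
SAMPLE_PAYLOAD = {
    "ver": 1,
    "iss": "https://okta.com/oauth2/auth-server-id",
    "aud": "https://api.com",
    "iat": 1507122921,
    "exp": 1508203412,
    "cid": "cid",
    "uid": "uid",
    "scp": ["read", "write"],
    "sub": "[email protected]",
    "group": ["Everyone"],
}


def validate_claims(payload: dict, config: dict, now: int) -> Tuple[bool, str]:
    """Check issuer, audience, client id and expiry of an already signature-verified payload."""
    if payload.get("iss") != config["authorization_server"]:
        return False, "issuer mismatch"
    if payload.get("aud") != config["expected_audience"]:
        return False, "audience mismatch"
    if payload.get("cid") != config["client_id"]:  # assumption: cid must match configured client_id
        return False, "client id mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired"
    return True, "ok"


def strip_auth_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop the Authorization header and every OKTA-* header the client may have sent.

    Comparison is case-insensitive because HTTP header names are; otherwise a
    client could smuggle its own group or username claims past the plugin.
    """
    return {
        name: value
        for name, value in headers.items()
        if name.lower() != "authorization" and not name.lower().startswith("okta-")
    }


def build_okta_headers(payload: dict) -> Dict[str, str]:
    """Map claims to the OKTA-* headers; list claims are space-joined like OKTA-Scope in the README."""
    return {
        "OKTA-Group": " ".join(payload.get("group", [])),
        "OKTA-Scope": " ".join(payload.get("scp", [])),
        "OKTA-Username": payload.get("sub", ""),
    }


def rewrite_request_headers(
    headers: Dict[str, str], payload: dict, config: dict, now: int
) -> Tuple[Optional[Dict[str, str]], str]:
    """Return the upstream header set for a valid token, or (None, reason) if it must be rejected."""
    ok, reason = validate_claims(payload, config, now)
    if not ok:
        return None, reason
    out = strip_auth_headers(headers)
    out.update(build_okta_headers(payload))
    return out, "ok"


if __name__ == "__main__":
    # Constructed incoming request: the client tries to pre-set an OKTA-Group header.
    incoming = {"Authorization": "Bearer <token>", "okta-group": "Admins", "X-Request-Id": "1"}
    print(rewrite_request_headers(incoming, SAMPLE_PAYLOAD, CONFIG, now=1507200000))
```

Rejecting on expiry with `exp <= now` treats the boundary second as expired; a production implementation would also tolerate a small clock skew, which this model leaves out.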

Enabling Plugin

You can enable the Okta-Auth plugin for an API with the following request:

curl -X POST http://localhost:8001/apis/example-api/plugins \
  --data "name=okta-auth" \
  --data "config.authorization_server=https://okta.com/oauth2/auth-server-id" \
  --data "config.client_id=cid" \
  --data "config.client_secret=secret" \
  --data "config.api_version=v1" \
  --data "config.check_auth_server=true"

Parameters description:

form parameter        required  description
name                  required  Plugin name: okta-auth
authorization_server  required  Okta authorization server URL
client_id             required  Okta's public identifier for the client
client_secret         required  Okta's client secret
api_version           optional  Okta's authorization server API version (default: v1)
check_auth_server     optional  If true, check authorization server availability (default: true)

Running Tests

In order to run the tests, it is recommended to use Hererocks.

Setting up Hererocks

pip install hererocks
LUA="lua=5.1"
hererocks env --$LUA -rlatest
source ./env/bin/activate

Installing dependencies

luarocks install busted
luarocks install kong
luarocks install lua-cjson
luarocks install luasec OPENSSL_DIR=/usr/local/opt/openssl

On macOS you may need to run `brew install openssl` and `brew link --force openssl` first so that OPENSSL_DIR points at a usable OpenSSL installation.

You will also need to clone Kong and set KONG_PATH to the path of that checkout.

Running tests

make test

Using Docker

docker-compose build lua
docker-compose run lua make test