Configure Okta for Smart API, REST OAuth or EcoSys Connect - EcoSys - 3.1 - Installation & Upgrade - Hexagon

Configuring OAuth2 token providers for EcoSys and EcoSys Connect


This section explains how to set up Okta to use with EcoSys Smart API, REST OAuth and/or EcoSys Connect. After completing these steps, the following values can be used in your EcoSys/Connect environments.

  • Base URL

  • Token URL

  • Issuer URL

  • Client ID

  • Client Secret

  • Scope

  • JWKS URL

The following instructions are only meant to get you started with configuring an authorization server in Okta; they provide no express or implied guarantee of security.

  1. Log in to Okta.

  2. Go to Applications > Applications.

    1. Click the Create App Integration button.

    2. Select API Services and click Next.

    3. Enter an App Integration name and click Save.

  3. On the General tab under the Client Credentials section, enter the Client ID and Client secret values.

    The Client ID and Client secret values will be used later in the setup process.

  4. Go to Security > API and click the Add Authorization Server button.

    1. In the Add Authorization Server screen, enter the Name, Audience, and Description values and click Save.

  5. For the newly created authorization server, go to the Scopes tab and then click Add Scope.

    1. Set the Name field to a version 4 UUID value (Universally Unique Identifier, for example one generated at https://www.uuidgenerator.net/), enter the values for Display Phrase and Description, and click Save.

      The Scope Name value will be used later in the setup process.

  6. Go to the Claims tab. A claim called sub already exists.

    1. Click the pencil icon to update the claim.

    2. Change the Value field to admin.

      The value ‘admin’ is the username that this claim asserts. In an EcoSys context, this corresponds to an ‘admin’ user, so configure it accordingly. In an EcoSys Connect context, it does not correspond to any user.

    3. Click Save.

  7. From the newly created authorization server, go to the Access Policies tab and then click the Add Policy button.

    1. Enter Name and Description values.

    2. For the Assign To setting, select The following clients option and set it to the Application name created from step 2.

    3. Click the Create Policy button.

  8. For the newly created access policy, click the Add Rule button.

    1. Enter a rule name.

    2. Leave the Client Credentials option under the Client acting on behalf of itself section checked.

    3. Uncheck the Authorization Code, Implicit, and Resource Owner Password options under the Client acting on behalf of a user section.

    4. For the Scopes requested setting, select The following scopes option and enter the Scope Name value from step 5a.

    5. Click the Create Rule button.

  9. For the newly created authorization server, go to the Settings tab and note the URL value set for the Issuer field (for example, https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x). This URL is the Issuer URL and the Base URL.

    For the Token URL, add /v1/token to the end of the Issuer URL. For example: https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x/v1/token

    For the JWKS URL, add /v1/keys to the end of the Issuer URL. For example: https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x/v1/keys
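The following is an added example, not Hexagon or Okta code, showing what a client (EcoSys Smart API, REST OAuth or Connect) does with the values produced by the steps above: derive the Token and JWKS URLs from the Issuer URL, request a token with the client credentials grant and the UUID scope, and check the claims an access token from this authorization server must carry. The Issuer URL is the document's example; the audience, scope UUID and client credentials are constructed placeholders.

```python
"""Client-credentials token request against the Okta authorization server
configured above, plus a claims check on the resulting access token.
Added example, not Hexagon/Okta code. AUDIENCE, SCOPE and the client
credentials are constructed placeholders; replace them with your own values."""
import base64
import json
import time
import urllib.parse
import urllib.request

ISSUER = "https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x"  # Issuer field, Settings tab
AUDIENCE = "api://ecosys"                                   # Audience entered in step 4a (placeholder)
SCOPE = "3f9d9e2a-5d8b-4c1e-9a7f-2b6c1d0e4f55"              # v4 UUID scope name from step 5a (placeholder)

def endpoints(issuer: str) -> dict:
    """Derive the URLs described in step 9 from the Issuer URL."""
    base = issuer.rstrip("/")
    return {"issuer": base, "token": base + "/v1/token", "jwks": base + "/v1/keys"}

def request_token(client_id: str, client_secret: str) -> dict:
    """POST grant_type=client_credentials with HTTP Basic client auth (needs network)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(endpoints(ISSUER)["token"], data=body, method="POST",
        headers={"Authorization": "Basic " + creds, "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # contains access_token, token_type, expires_in, scope

def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying it. The signature must be
    verified against the JWKS URL (e.g. with a JOSE library) before claims are trusted."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_problems(claims: dict, now: float = None) -> list:
    """Return the reasons a (signature-verified) token must be rejected for this setup."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    if claims.get("aud") != AUDIENCE:
        problems.append("audience mismatch")
    if SCOPE not in claims.get("scp", []):        # Okta puts granted scopes in the scp array
        problems.append("configured scope not granted")
    if claims.get("sub") != "admin":              # sub was set to admin in step 6
        problems.append("sub claim is not the configured admin user")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```

Only request_token touches the network; the other functions run offline and are what a resource server should apply to every token after checking its signature against the JWKS URL.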