okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Okta Generated Private Key Not working in Terraform Provider #1330

Closed dbshelke closed 1 year ago

dbshelke commented 2 years ago
> Hi, @simonweil! Thanks for submitting this issue!
>
> 1. An API token can be created using the Okta admin console: Security > API > Tokens > Create Token. API tokens inherit the privilege level of the admin account that is used to create them.
> 2. Using client_id, scopes and private_key can give more granular access to the org resources. Basically, the caller exchanges client_id, scopes and private_key for a Bearer token and uses it to make API calls. You can read more about this type of auth here.
>
> This is a simplified example of how to create and use an access token:
>
> 1. Generate a JWK using this https://mkjwk.org/
> 2. Convert it to private/public keys using this https://8gwifi.org/jwkconvertfunctions.jsp
> 3. Add the JWK key to the service app
> 4. Grant the necessary scopes in Okta API Scopes in that app.
> 5. Config sample:
>
> ```hcl
> provider "okta" {
>   org_name    = "my-org"
>   base_url    = "okta.com"
>   private_key = file("a.pem")          // this is the file with the private key
>   client_id   = "0oazdwjh3wTJdfeRW0h7" // clientID from the service app
>   scopes      = ["okta.apps.manage", "okta.users.read", "okta.users.manage", "okta.policies.manage", "okta.groups.manage"]
> }
> ```
>
> 6. Run terraform

The above steps worked for me, but if we generate the JWK using the admin console (https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#generate-the-jwk-using-the-admin-console) and use the same key in PEM format, I get the error below.

PEM file format:

```
-----BEGIN PRIVATE KEY-----
XXXXXX
-----END PRIVATE KEY-----
```

```
Error: failed to get SAML application: RSA private key is of the wrong type
```

Originally posted by @dbshelke in https://github.com/okta/terraform-provider-okta/issues/892#issuecomment-1277446861

dbshelke commented 2 years ago

If we update the PEM file format to the one below, then the following error is generated instead:

```
-----BEGIN RSA PRIVATE KEY-----
XXXXXX
-----END RSA PRIVATE KEY-----
```

```
Error: failed to get user: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)
```

monde commented 2 years ago

Okta internal reference https://oktainc.atlassian.net/browse/OKTA-544025

dbshelke commented 2 years ago

Any updates here?

monde commented 2 years ago

@dbshelke I'm working on an adjacent item in #1249 and I'll see if I can capture this in that work.

monde commented 1 year ago

@dbshelke here is a better example of using terraform providers for PEM + JWKS + Okta OAuth app: https://github.com/okta/terraform-provider-okta/issues/1249#issuecomment-1301238359 Don't use internet websites for production secrets and audit all software used to generate secrets.

dbshelke commented 1 year ago

This does not resolve the issue raised, Okta Generated Private Key Not working in Terraform Provider. The requirement was to generate a public/private key pair from Okta and then use it in the provider configuration to connect to Okta.

```hcl
provider "okta" {
  org_name    = "my-org"
  base_url    = "okta.com"
  private_key = file("a.pem")          // this is the file with the private key
  client_id   = "0oazdwjh3wTJdfeRW0h7" // clientID from the service app
  scopes      = ["okta.apps.manage", "okta.users.read", "okta.users.manage", "okta.policies.manage", "okta.groups.manage"]
}
```

monde commented 1 year ago

@dbshelke I don't have access to your pem file or know how you generated the pem file. To me the error messages posted above indicate an issue with the pem format, not with the terraform provider. I'm not seeing any bug with the terraform provider here. Please open a support ticket to get additional help at https://support.okta.com/help/s/?language=en_US, as GitHub issues are for bugs with the provider, not for support discussions in general.

If you work through the example config I posted here https://github.com/okta/terraform-provider-okta/issues/1249#issuecomment-1301238359 look inside terraform.tfstate for the pem file that is generated. Perhaps you can deduce the issue with your pem.


wcarson commented 1 year ago

This should be re-opened as it is a valid bug. The private key PEM format generated by Okta does not work in the provider, but does work for obtaining a token and calling the API standalone (e.g. via Postman).

Error: failed to list groups: RSA private key is of the wrong type

monde commented 1 year ago

@wcarson we have some better documentation that explains what is happening. The Admin UI produces a PKCS#8 format private key and the TF provider / Okta API takes a PKCS#1 format private key. The doc hasn't been published yet, but here's some information you'll hopefully find helpful.

This guide uses Okta to generate the public/private key pair:

1. Open the application details page in the Admin Console, and select the General tab.
2. Click Edit in the client credentials section.
3. Select Public key / Private key.
4. Click Add key to create a new public/private key pair.
5. From the Add a public key window, click Generate new key.
6. In the Private key section, click PEM.
7. Copy the PEM private key and save it in a file on your computer.
   Note: The private key is only displayed in this window once. Losing the private key requires generating a new pair of keys using these steps.
8. Click Done to save the key.
9. Click Save to save the Client Credentials settings.
10. From the confirmation window, click Save.

Note: Use only one active public key at a time in the Okta application. Set the status of the public key used by Terraform to Active, and set the status of the other public keys to Inactive.

Check that the generated private key is in PKCS#1 encoding, the format required by the Okta Terraform provider. In that format, the file containing the private key begins with `-----BEGIN RSA PRIVATE KEY-----`. You can convert the key to the correct format using the OpenSSL command line program:

1. In a terminal, navigate to the file path where you saved the original private key.
2. Run the following command:
   `openssl rsa -in {ORIGINAL_PRIVATE_KEY} -out {CONVERTED_PRIVATE_KEY}`

   *ORIGINAL_PRIVATE_KEY*: The file containing the key generated earlier.
   *CONVERTED_PRIVATE_KEY*: The file containing the converted key.

Note: The file containing the converted private key must begin with `-----BEGIN RSA PRIVATE KEY-----`. If not, try step two again.

wcarson commented 1 year ago

@monde Thanks for the quick reply! This makes sense and I used this workaround to become "unstuck" with the provider. I assume this isn't really a provider issue but more of a Golang SDK issue? I think it's fair to expect that a key generated by Okta in the UI should work in the SDKs (and TF provider). Would it make sense to create an issue over on okta-sdk-golang or am I missing something here?

monde commented 1 year ago

Sadly both format choices are Okta service related ... Okta Admin UI produces PKCS#8 but the Okta API (which the TF provider calls) takes PKCS#1 for bearer token. Perhaps it would be a cool feature to have the Okta TF provider juggle the conversion under the hood.

wcarson commented 1 year ago

Not sure I follow. I can use a client assertion signed by the Okta-generated PEM as-is against the Okta API. So, it seems like the issue is how the SDK parses/ingests the key before signing (see here). I think this could pretty easily be modified to check for both formats. I'll submit an issue over in that repo for this.

monde commented 1 year ago

I started a PR on this: https://github.com/okta/terraform-provider-okta/pull/1725. Need to get okta-sdk-golang v3 updated to close the loop here.

monde commented 1 year ago

We made the provider flexible with using PKCS#1 or PKCS#8 private key formats without the operator having to do any conversion. I'm going to close the issue as done.

https://github.com/okta/terraform-provider-okta/releases/tag/v4.4.3
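The behaviour the closing comment describes, accepting either PEM encoding without an openssl conversion step, as an added Go example; this is not the provider's or okta-sdk-golang's own code, and the key it parses is a locally generated sample rather than one issued by Okta.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// ParseRSAPrivateKeyPEM accepts PKCS#1 ("BEGIN RSA PRIVATE KEY") as well as the
// PKCS#8 ("BEGIN PRIVATE KEY") PEM the Okta Admin Console emits, so no openssl step is needed.
func ParseRSAPrivateKeyPEM(pemData []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in private key input")
	}
	// PKCS#1: the DER is the bare RSAPrivateKey structure.
	if block.Type == "RSA PRIVATE KEY" {
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	// Anything else is tried as PKCS#8, where an AlgorithmIdentifier wraps the key.
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse %s block: %w", block.Type, err)
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("PKCS#8 key is %T, not an RSA key", key)
	}
	return rsaKey, nil
}

// EncodeBothFormats writes one key as PKCS#1 and PKCS#8 PEM; used only to construct sample inputs.
func EncodeBothFormats(key *rsa.PrivateKey) (pkcs1, pkcs8 []byte, err error) {
	pkcs1 = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	pkcs8 = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return pkcs1, pkcs8, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample key, not one issued by Okta
	_, pkcs8, _ := EncodeBothFormats(key)
	k, err := ParseRSAPrivateKeyPEM(pkcs8) // the console's format, unconverted
	fmt.Println(err == nil && k.N.Cmp(key.N) == 0)
}
```

Relabelling a PKCS#8 body with a `RSA PRIVATE KEY` header, as tried earlier in this thread, still fails inside `ParsePKCS1PrivateKey` with the "use ParsePKCS8PrivateKey instead" error, so the header must match the DER it wraps.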

antonmos commented 1 year ago

Thank you!