wso2 / product-apim


Key Manager OKTA doesn't work for Angular SPA when subscription is other than Default Application in DevPortal #11060

Closed anupbvr closed 3 years ago

anupbvr commented 3 years ago

Description:

Custom Key Manager OKTA doesn't work when API is subscribed to application other than Default Application in DevPortal.

Steps to reproduce:

  1. Login to admin portal using admin credentials.

  2. Register the OKTA key manager with the details collected from OKTA. Ensure the steps mentioned here are followed.

  3. Keep Token Generation, Out Of Band Provisioning, Oauth App Creation options enabled.

  4. Login to Publisher Portal using admin credentials.

  5. Deploy the PizzaShack API.

  6. Go to Runtime Configurations; under Application Security, keep only the OKTA Key Manager allowed for the API.

  7. Save and Publish the API.

  8. Login to Developer Portal using admin credentials.

  9. Create a new Application for OKTA exactly as mentioned here https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-okta-connector/.

  10. Subscribe the PizzaShack API to the new application.

  11. Generate the access token for an OKTA end user directly via the OKTA API.

    The OKTA end user is not available in the WSO2 user store, and the WSO2 DevPortal is not used to generate the access token.

  12. Make a request to pizzashack api using the generated access token.

  13. WSO2 shows the below error:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900908</ams:code>
    <ams:message>Resource forbidden </ams:message>
    <ams:description>User is NOT authorized to access the Resource. API Subscription validation failed.</ams:description>
    </ams:fault>

  14. Go to DevPortal and unsubscribe PizzaShack from the new application.

  15. Subscribe the PizzaShack API to the Default Application and save.

  16. Make a request to pizzashack api using the earlier generated access token.

  17. WSO2 responds with the API result.

Affected Product Version:

WSO2 APIM 3.2.0

Suggested Labels:

Bug Defect Priority-High

anupbvr commented 3 years ago

Our front-end application was using an SPA OKTA application to generate the access token. However, registering this as an OKTA key manager was not supported. We followed the steps below and got it working.

  1. Create a new OKTA application under the same authorization server, of type Web. Generate an API key, client ID and client secret.
  2. Add the OKTA key manager using the above details. Disable the OAuth App Creation option, as it is not required.
  3. Go to DevPortal and add a new application. Under the OKTA key manager, select "Provide Existing Auth Keys".
  4. Enter the client ID generated for the SPA app in OKTA. Keep the consumer secret empty and save.
  5. Subscribe to the PizzaShack API and invoke the API using an access token generated from the SPA OKTA application.
  6. WSO2 accepts the request and responds with the result.
  7. Since the consumer key attached within the access token is used to identify the subscribed application, it is mandatory to provide the consumer key as the client ID in the respective section.

It would be good if this information were furnished under the "Configuring OKTA as a key manager" section of the documentation. This issue can either be moved as a documentation improvement or closed.
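An added example (not code from the reporter or from WSO2) illustrating the point in step 7: the gateway looks up the subscribed application by the consumer key carried in the access token, so a token minted for a client ID that no DevPortal application is registered under fails with fault 900908. It assumes Okta puts the client ID in a `cid` claim and uses constructed, unsigned sample tokens; signature verification against the key manager's JWKS is out of scope.

```python
import base64
import json

# Constructed subscription table: consumer key registered in DevPortal -> subscribed APIs.
# The keys are made-up sample values, not real Okta client IDs.
SUBSCRIPTIONS = {
    "0oaSPA_CLIENT_ID_EXAMPLE": {"PizzaShackAPI"},  # SPA client ID entered as "existing auth keys"
    "0oaWEB_CLIENT_ID_EXAMPLE": set(),              # web-app client used by the key manager, no subscriptions
}

FAULT_FORBIDDEN = 900908  # fault code from the gateway response quoted in the issue


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload without verifying the signature (the gateway verifies it earlier)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_subscription(token: str, api_name: str):
    """Mimic the subscription check: the token's client ID (assumed 'cid' claim) must be the
    consumer key of an application that is subscribed to the requested API."""
    claims = decode_jwt_payload(token)
    consumer_key = claims.get("cid") or claims.get("client_id")
    if consumer_key is None:
        return FAULT_FORBIDDEN, "token carries no client id claim"
    apis = SUBSCRIPTIONS.get(consumer_key)
    if apis is None:
        return FAULT_FORBIDDEN, "no DevPortal application registered with this consumer key"
    if api_name not in apis:
        return FAULT_FORBIDDEN, "application is not subscribed to " + api_name
    return 0, "subscription valid"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Token for the SPA client: matches the application whose consumer key is the SPA client ID.
    spa = make_unsigned_token({"cid": "0oaSPA_CLIENT_ID_EXAMPLE", "sub": "enduser@example.com"})
    print(validate_subscription(spa, "PizzaShackAPI"))
    # Token for the web client: no subscription is keyed by it, so the gateway answers 900908.
    web = make_unsigned_token({"cid": "0oaWEB_CLIENT_ID_EXAMPLE", "sub": "enduser@example.com"})
    print(validate_subscription(web, "PizzaShackAPI"))
```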

tharindu1st commented 3 years ago

@anupbvr Yes, the subscription of an API is identified from the consumer key of the application. If you need to provide an already existing OAuth app, you need to follow the steps mentioned in [1].

[1] - https://apim.docs.wso2.com/en/latest/learn/api-security/oauth2/provisioning-out-of-band-oauth-clients/#provisioning-out-of-band-oauth2-clients