Authentication
Overview
When using Okta authentication, the io.Manager Server will use Okta to authenticate incoming requests based on an Okta access token. The io.Manager Admin UI will use Okta login to authenticate users and send the Okta access token to the io.Manager Server.
Configuration
To enable Okta authentication, you must configure properly the io.Manager Server and Admin UI, as well as the io.Connect platform that will connect to io.Manager - io.Connect Desktop or io.Connect Browser.
Depending on the deployment approach you have chosen, you have the following options for configuring the io.Manager Server and Admin UI:
If you are using the basic deployment scenario from the template repository approach, you must set properly the necessary environment variables.
If you are using the NPM packages for deployment, or the advanced deployment scenario from the template repository approach, you must provide the necessary configuration settings at runtime when initializing the io.Manager Server and Admin UI.
The following sections provide examples of both options.
Server
To enable Okta authentication for the io.Manager Server, choose one of the following options depending on your deployment approach.
Environment Variables
To configure the io.Manager Server to use Okta authentication, register the following environment variables with the proper values. The API_AUTH_METHOD
environment variable must be set to okta
:
Environment Variable | Description |
---|---|
API_AUTH_EXCLUSIVE_USERS |
List of users that will be granted the GLUE42_SERVER_ADMIN role. This role is required to access the io.Manager Admin UI. The users must already exist in the database. |
API_AUTH_METHOD |
Type of the authentication mechanism. Must be set to okta . |
API_AUTH_OKTA_AUDIENCES |
Comma-delimited string with URLs pointing to the resources that will consume the access token. |
API_AUTH_OKTA_GROUPS_CLAIMS_NAME |
The name of the JWT claim from which to retrieve the Okta user groups. |
API_AUTH_OKTA_ISSUER |
URL pointing to the issuer to be used for validation of access tokens. |
API_AUTH_OKTA_JWKS_URI |
URL pointing to a JSON Web Key Set. |
Example configuration:
API_AUTH_METHOD=okta
API_AUTH_OKTA_AUDIENCES="https://example.com,https://another-example.com"
API_AUTH_OKTA_ISSUER=https://example.okta.com/oauth2/default
API_AUTH_OKTA_JWKSURI=https://example.okta.com/oauth2/default/v1/keys
API_AUTH_EXCLUSIVE_USERS="[\"admin\"]"
Runtime Configuration
To enable Okta authentication for the io.Manager Server, set the auth_method
property of the optional Config
object for initializing the io.Manager Server to "okta"
. Use the auth_okta
and auth_exclusive_users
properties to provide additional settings for the Okta authentication:
Property | Type | Description |
---|---|---|
auth_okta |
object |
Settings for the Okta authentication mechanism. |
auth_exclusive_users |
string[] |
List of users that will be granted the GLUE42_SERVER_ADMIN role. This role is required to access the io.Manager Admin UI. The users must already exist in the database. |
auth_method |
string |
Type of the authentication mechanism. Must be set to "okta" . |
The auth_okta
object has the following properties:
Property | Type | Description |
---|---|---|
audiences |
string[] |
Required. List of URLs pointing to the resources that will consume the access token. |
groupsClaimsName |
string |
The name of the JWT claim from which to retrieve the Okta user groups. |
verifierOptions |
object |
Required. Object with options passed to the constructor of the OktaJwtVerifier class exposed by the @okta/jwt-verifier library. The only required property is issuer . |
Example configuration:
import { start } from "@interopio/manager";
const config = {
// Enabling Okta authentication.
auth_method: "okta",
// Additional settings for Okta authentication.
auth_okta: {
verifierOptions: {
issuer: "https://example.okta.com/oauth2/default",
},
audiences: ["https://example.com"],
},
// List of users that will be granted the `GLUE42_SERVER_ADMIN` role.
auth_exclusive_users: ["admin"]
};
const server = await start(config);
Admin UI
To access the io.Manager Admin UI, a user must be granted the GLUE42_SERVER_ADMIN
role. The list of exclusive users with access to the Admin UI is defined in the io.Manager Server configuration. You can also grant this role to other users from the Admin UI.
To enable Okta authentication for the io.Manager Admin UI, choose one of the following options depending on your deployment approach.
Environment Variables
To configure the Admin UI to use Okta authentication, set the following environment variables with the proper values. The REACT_APP_AUTH
environment variable must be set to okta
:
Environment Variable | Description |
---|---|
REACT_APP_AUTH |
Type of the authentication mechanism. Must be set to okta . |
REACT_APP_OKTA_CLIENT_ID |
The client ID found in the app settings of the Okta "Applications" page. |
REACT_APP_OKTA_ISSUER |
URL pointing to the issuer to be used for validation of access tokens. |
REACT_APP_OKTA_REDIRECT_URL |
URL to which users will be redirected after a successful login. It's not required to set this variable. If not set, the location of the Admin UI will be used as a callback URL. |
REACT_APP_OKTA_USE_REFRESH_TOKEN |
If set to true , will set the scopes for the requests sent to the Okta authorization server to ["openid", "email", "profile", "offline_access"] . |
Example configuration:
REACT_APP_AUTH=okta
REACT_APP_OKTA_CLIENT_ID=clientId
REACT_APP_OKTA_ISSUER=https://example.okta.com/oauth2/default
Runtime Configuration
To enable Okta authentication for the Admin UI, set the auth
property of the <Admin UI />
component to "okta"
and use the auth_okta
property to provide additional settings for the Okta authentication.
The auth_okta
object has the following properties:
Property | Type | Description |
---|---|---|
clientId |
string |
The client ID found in the app settings of the Okta "Applications" page. |
issuer |
string |
URL pointing to the issuer to be used for validation of access tokens. |
redirectUri |
string |
URL to which users will be redirected after a successful login. It's not required to set this property. If not set, the location of the Admin UI will be used as a callback URL. |
scopes |
string[] |
Scopes for the requests sent to the Okta authorization server. |
Example configuration:
<AdminUI
apiURL="http://localhost:4356/api"
auth="okta"
auth_okta={{
clientId: "clientId",
issuer: "https://example.okta.com/oauth2/default",
scopes: ["openid", "email", "profile", "offline_access"]
}}
/>
io.Connect Desktop
To enable Okta authentication for io.Connect Desktop, you must configure the connection to io.Manager and the login screen that's part of the Admin UI.
Connecting to io.Manager
To configure io.Connect Desktop to connect to io.Manager, use the "server"
top-level key of the system.json
system configuration file of io.Connect Desktop located in the %LocalAppData%/interop.io/io.Connect Desktop/Desktop/config
folder. Add the following basic configuration to enable connection to io.Manager:
{
"server": {
"enabled": true,
"url": "http://localhost:4356/api"
}
}
This will add io.Manager as an additional app store and instruct it to store Layouts and app preferences. If you want io.Manager to be the only app store, set the "appStores"
top-level key in the system.json
file to an empty array.
To send client crashes to the io.Manager Server, edit the "output"
property of the "crashReporter"
top-level key in the system.json
file:
{
"crashReporter": {
"output": {
"type": "server",
"serverUrl": "http://localhost:4356/api/crashes"
}
}
}
For more configuration options for connecting to io.Manager, see the Configuration > Platform section.
Login Screen
For Okta authentication to work properly in io.Connect Desktop, you must configure the login screen that's part of the Admin UI.
To enable the login screen, use the "ssoAuth"
top-level key of the system.json
file. Set the "authController"
property of the "ssoAuth"
object to "sso"
. Use the "options"
object to provide the location of the login screen and settings for the io.Connect Window in which it will be loaded. The "url"
property of the "options"
object must point to the location of the Admin UI and must end with the gd
query parameter, which will indicate that the login attempt is coming from io.Connect Desktop.
⚠️ Note that for this configuration to work properly, you must not set the
REACT_APP_OKTA_REDIRECT_URL
environment variable, or theredirectUri
property of theauth_okta
object in the<Admin UI />
component.
Example configuration:
{
"ssoAuth": {
"authController": "sso",
"options": {
"url": "http://localhost:3000/gd",
"keepAlive": true,
"window": {
"width": 540,
"height": 660,
"mode": "flat"
}
}
}
}
io.Connect Browser
Connecting to io.Manager from an io.Connect Browser project requires modifying the configuration for initializing the @interopio/browser-platform
library in the Main app.
To specify settings for the connection to the io.Manager, use the manager
property of the optional configuration object when initializing the @interopio/browser-platform
library. The following example demonstrates configuring the connection to io.Manager with Okta authentication:
import IOBrowserPlatform from "@interopio/browser-platform";
// Callback that will retrieve a valid Okta access token
// and add it to the headers of every request sent to io.Manager.
const getHeaders = async () => {
// Your custom internal logic for refreshing and retrieving the access token.
const token = await getAccessToken();
const extraHeaders = {
Authorization: `Bearer ${token}`
};
// The returned headers will be merged with the existing ones.
return extraHeaders;
};
const config = {
licenseKey: "my-license-key",
manager: {
// URL pointing to io.Manager.
url: "https://my-io-manager.com:4242/api",
// Providing a callback for supplying an Okta access token.
getHeaders,
fetchIntervalMS: 10000,
tokenRefreshIntervalMS: 15000
}
};
const { io } = await IOBrowserPlatform(config);
For more configuration options for connecting to io.Manager, see the Configuration > Platform section.
Example
For a complete example of using Okta authentication in the io.Manager Server and Admin UI, see the io.Manager Okta Authentication example on GitHub.