Log in to the Okta admin dashboard. You can use a free developer account or configure your existing account.
A new authorization server is required because Animal Rescue will need its own set of scopes and claims.
issuer-uri during Gateway setup.
animals.adopt (with any display name and description). Check the boxes for "User Consent" and "Metadata".
groups, set "Include in token type" to always include it in the ID Token, set the value type to "Groups" with a filter matching the regex ".*" (so all groups are included). Optionally, configure "Include in" to the groups scope (you need to create the scope first) if you'd like to include group information only when that scope is requested and approved.
user_name and set it to be always included in the ID token; configure the value to be user.email. The claim value can be configured using Okta Expression Language.
authorization_code grant, for any user, any scope.
Navigate to "Directory → People" from the main menu
Navigate to "Directory → Groups" from the main menu
Navigate to "Applications → Applications" in the main menu.
<gateway url>/login/oauth2/code/sso. If your gateway has not been deployed yet, you can skip this step for now and add the redirect URI later.
Limit access to selected groups and add the "Adopter" group.
After you have completed the steps above, you should have the following values:
Make sure you have them before proceeding to the next step.
Clone the repo first.
backend/secrets/sso-credentials.txt with the following:
gateway/sso-secret-for-gateway/secrets/test-sso-credentials.txt with the following:
    scope=openid,profile,email,groups,animals.adopt
    client-id=<client id>
    client-secret=<client secret>
    issuer-uri=<issuer uri>
If you decided to use the groups scope to get group information, make sure it is listed in
The issuer URI must exactly match the value from the server configuration, including trailing slashes! You can always check the expected value by navigating to
gateway/gateway-demo.yaml and add
    sso:
      secret: animal-rescue-sso
      roles-attribute-name: "groups"
The default value is "roles". Alternatively, you can configure Okta to return a "roles" claim instead of "groups".
backend/k8s/animal-rescue-backend-route-config.yaml file. Add the Scopes=animals.adopt filter to the /api/animals/*/adoption-requests/** route if you'd like to use scopes to authorize access to the Adoption Request API, or Roles=Adopter if you'd like to use roles. You can keep both filters as well.
    - ssoEnabled: true
      tokenRelay: true
      predicates:
        - Path=/api/animals/*/adoption-requests/**
        - Method=POST,PUT,DELETE
      tags:
        - "pet adoption"
      filters:
        - Scopes=animals.adopt
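To make the authorization decision behind the Scopes= and Roles= filters concrete, here is an added Python example; it is not the gateway's code and not part of the Animal Rescue project. It verifies a token before reading any claim (signature, exact issuer string, audience, expiry) and then applies the same rule the route filters express: every required scope must be in the scp claim and every required role must be in the claim named by roles-attribute-name (groups here). Assumptions: tokens are signed with HS256 and a constructed key so the example runs offline, whereas Okta issues RS256 tokens verified against the issuer's JWKS; the constructed token carries both scp and groups in one payload, whereas Okta puts scp in the access token and the groups claim configured above in the ID token; ISSUER_URI and CLIENT_ID are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key and placeholder identifiers (not real Okta values).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER_URI = "https://example.okta.com/oauth2/ausplaceholder"
CLIENT_ID = "placeholder-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build an HS256 JWT standing in for a token issued by Okta (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it ('none', key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact string match: an issuer that differs only by a trailing slash is rejected.
    if claims.get("iss") != ISSUER_URI:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_scopes=(), required_roles=(), roles_attribute_name="groups"):
    """Mirror Scopes=... and Roles=...: all listed scopes and roles must be present."""
    scopes = set(claims.get("scp", []))
    roles = set(claims.get(roles_attribute_name, []))
    if not set(required_scopes) <= scopes:
        return 403, "missing scope"
    if not set(required_roles) <= roles:
        return 403, "missing role"
    return 200, "ok"


def decide(token: str, required_scopes=(), required_roles=(), now=None):
    """Full path a route would take: unverifiable token -> 401, verified but short on scope/role -> 403."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return 401, str(err)
    return authorize(claims, required_scopes, required_roles)
```

The ordering matters: claims such as groups are only meaningful after the signature and issuer checks pass, which is why the 403 decision is never reached for a token that fails verification. The same split explains the two outcomes you see in the demo at the end of this page: a logged-in user without the Adopter group or the animals.adopt scope gets 403, not a login redirect.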
kustomize build . | kubectl apply -f - or refer to the Animal Rescue README for the most up-to-date deployment instructions.
Port-forward the gateway-demo service:
kubectl port-forward service/gateway-demo 8080:80
Navigate to your gateway URL, http://localhost:8080/rescue.
Note: If you are using a dynamic IP address, you may need to go back to Okta and add this IP address to the list of allowed Redirect URIs.
Try logging in with different test users, inside or outside the "Adopter" group, and add, edit or delete an adoption request. You should see either a successful response or a "Request failed with status code 403" error message, depending on the user's group membership and approved scopes.