Okta
Create an OIDC application
Note: If you have a standard Okta account you must first navigate to your Okta Org's admin portal (step 1). Developer accounts can skip to step 2.

1. Go to your org and click Admin in the top right corner to access the admin portal.
2. Select Applications.
3. Select Add Application.
4. Choose Web and OpenID Connect. Then click Create.
5. Give it a name, enter the URL of your Ambassador load balancer in Base URIs and the callback URL {AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint as the Login redirect URIs.
6. Copy the Client ID and Client Secret and use them to fill in the clientID and secret of your Okta OAuth Filter.
Get the audience configuration

1. Select API and Authorization Servers.
2. You can use the default Authorization Server or create your own.
3. If you are using the default, the audience of your Okta OAuth Filter is api://default.
4. The value of authorizationURL is the Issuer URI of the Authorization Server.
Configure Filter and FilterPolicy

Configure your OAuth Filter and FilterPolicy with the following:
```yaml
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: okta-filter
  namespace: default
spec:
  OAuth2:
    authorizationURL: https://{OKTA_DOMAIN}.okta.com/oauth2/default
    audience: api://default
    clientID: CLIENT_ID
    secret: CLIENT_SECRET
    protectedOrigins:
    - origin: https://datawire-ambassador.com
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: httpbin-policy
  namespace: default
spec:
  rules:
  - host: "*"
    path: /httpbin/ip
    filters:
    - name: okta-filter ## Enter the Filter name from above
      arguments:
        scopes:
        - "openid"
        - "profile"
```
Note: The scopes openid and profile are required at a minimum. Other scopes can be added to the Authorization Server.
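The wiring above has several values that must agree with each other and with what was entered in Okta: the placeholders must be replaced, authorizationURL must be the Issuer URI of the authorization server (with api://default as the audience when the default server is used), every protected origin must be registered in Okta as a Login redirect URI with the /.ambassador/oauth2/redirection-endpoint callback, the FilterPolicy must reference the Filter by name, and the rule must request at least openid and profile. The following pre-apply lint is an added example and not part of the Ambassador docs or the Ambassador project. The two manifests are constructed Python-dict copies of the sample above with made-up values filled in (in practice you would yaml.safe_load the files you are about to apply), and the list of Okta redirect URIs is likewise constructed.

```python
"""Lint an Ambassador Filter / FilterPolicy pair for the Okta OAuth2 setup.

Added example (not Ambassador's code). All sample values are constructed.
"""
import copy
from urllib.parse import urlparse

REDIRECTION_PATH = "/.ambassador/oauth2/redirection-endpoint"
REQUIRED_SCOPES = {"openid", "profile"}
# Placeholders from the sample manifest that must not survive into a real deployment.
PLACEHOLDERS = ("{OKTA_DOMAIN}", "CLIENT_ID", "CLIENT_SECRET", "{AMBASSADOR_URL}")

# Constructed sample: the page's Filter with a made-up Okta org and credentials.
FILTER = {
    "apiVersion": "getambassador.io/v2",
    "kind": "Filter",
    "metadata": {"name": "okta-filter", "namespace": "default"},
    "spec": {
        "OAuth2": {
            "authorizationURL": "https://example-org.okta.com/oauth2/default",
            "audience": "api://default",
            "clientID": "0oa-example-client-id",
            "secret": "example-client-secret",
            "protectedOrigins": [{"origin": "https://datawire-ambassador.com"}],
        }
    },
}

# Constructed sample: the page's FilterPolicy as a dict.
FILTER_POLICY = {
    "apiVersion": "getambassador.io/v2",
    "kind": "FilterPolicy",
    "metadata": {"name": "httpbin-policy", "namespace": "default"},
    "spec": {
        "rules": [
            {
                "host": "*",
                "path": "/httpbin/ip",
                "filters": [
                    {"name": "okta-filter", "arguments": {"scopes": ["openid", "profile"]}}
                ],
            }
        ]
    },
}

# Constructed: what was entered in Okta's "Login redirect URIs" box.
OKTA_LOGIN_REDIRECT_URIS = ["https://datawire-ambassador.com" + REDIRECTION_PATH]


def expected_redirect_uris(filter_doc):
    """Callback URLs Ambassador will present to Okta: one per protected origin."""
    oauth = filter_doc["spec"]["OAuth2"]
    return [o["origin"].rstrip("/") + REDIRECTION_PATH for o in oauth["protectedOrigins"]]


def with_oauth(filter_doc, **overrides):
    """Deep copy of filter_doc with selected OAuth2 fields replaced (for trying variants)."""
    doc = copy.deepcopy(filter_doc)
    doc["spec"]["OAuth2"].update(overrides)
    return doc


def lint(filter_doc, policy_doc, okta_redirect_uris):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    oauth = filter_doc["spec"]["OAuth2"]

    # 1. Unreplaced placeholders or empty credentials.
    for key in ("authorizationURL", "clientID", "secret"):
        value = str(oauth.get(key, ""))
        if not value or any(p in value for p in PLACEHOLDERS):
            findings.append(f"OAuth2.{key} is missing or still a placeholder")

    # 2. authorizationURL is the Issuer URI: https, no trailing slash; the default
    #    Okta authorization server goes with audience api://default.
    url = urlparse(oauth.get("authorizationURL", ""))
    if url.scheme != "https":
        findings.append("authorizationURL must use https")
    if url.path.endswith("/"):
        findings.append("authorizationURL should not end with '/'")
    if url.path == "/oauth2/default" and oauth.get("audience") != "api://default":
        findings.append("default authorization server expects audience api://default")

    # 3. Each protected origin must be https and its callback registered in Okta.
    for origin in oauth.get("protectedOrigins", []):
        if not origin["origin"].startswith("https://"):
            findings.append(f"protectedOrigin {origin['origin']} is not https")
    registered = set(okta_redirect_uris)
    for uri in expected_redirect_uris(filter_doc):
        if uri not in registered:
            findings.append(f"redirect URI {uri} is not in Okta's Login redirect URIs")

    # 4. Every rule must reference this Filter (namespace defaults to the policy's)
    #    and request at least the openid and profile scopes.
    fmeta = filter_doc["metadata"]
    for rule in policy_doc["spec"]["rules"]:
        for ref in rule.get("filters", []):
            ns = ref.get("namespace", policy_doc["metadata"]["namespace"])
            if (ref["name"], ns) != (fmeta["name"], fmeta["namespace"]):
                findings.append(f"rule {rule['path']} references unknown filter {ref['name']}")
                continue
            scopes = set(ref.get("arguments", {}).get("scopes", []))
            missing = REQUIRED_SCOPES - scopes
            if missing:
                findings.append(f"rule {rule['path']} is missing required scopes {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in lint(FILTER, FILTER_POLICY, OKTA_LOGIN_REDIRECT_URIS) or ["OK"]:
        print(finding)
```

Run it against the manifests you intend to kubectl apply; a non-empty result points at the exact field that will otherwise surface later as an Okta "redirect_uri mismatch", a token audience rejection, or a rule that silently applies no filter.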