Take OKTA as an example
More and more companies provide SSO (Single Sign-On) so that their customers or end users can access their systems and applications seamlessly.
OKTA is a platform that offers user identity and authentication services for enterprises. A company can focus on developing its business logic and rely on OKTA to handle the core authentication and authorization parts.
Here is the basic scenario we might encounter. Suppose we have a web application and the user logs in via OKTA's authorization server. After a successful login, the application needs to be granted permission so that it can call the API (Resource Server) and retrieve the desired resource or information.
The diagram below shows the default flow by which a client that is not trusted with the user's credentials obtains an 'Authorization Code' and then an 'Access Token'; it demonstrates how the permission grant works.
OKTA also supports the authorization code flow with Proof Key for Code Exchange (PKCE), which binds the authorization code to the client instance that started the flow so that an intercepted code cannot be exchanged by anyone else. See here.
Before implementing authorization, we need to register our app in OKTA by creating an app integration from the Admin Console (this requires the Application Administrator role or an equivalent privilege):
- In the Admin Console, go to Applications > Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect as the Sign-in method.
- Select Web Application as the Application type and click Next.
- Specify the App integration name.
After the app is created, the screen shows the following information:
1) Client ID: keep this for later API use.
2) Client Secret: keep this for later API use. Treat it like a password: it belongs only on the server side and must never be embedded in a browser or mobile client.
3) Enable Authorization Code.
Also add the redirect URI that Postman will use (the callback URL shown in its 'Authorization' tab). If the redirect URI is not registered, the OKTA server will block the login because the redirect does not match any configured URI.
Next, go to Postman. We simulate an application that sends a request to OKTA's resource server (/oauth2/v1/userinfo) and retrieves the user's information for further access control.
Fill in the request URI and open the 'Authorization' tab:
1) Type: select 'OAuth 2.0'
2) Add authorization data to: 'Request Headers'
3) Header prefix: 'Bearer'
4) Grant Type: 'Authorization Code'
5) Turn on 'Authorize using browser'. The authorization UI will open in the browser, and MFA (Multi-Factor Authentication) will have to be completed there as well [if enabled for the user]
6) Auth URL: your OKTA org URL followed by '/oauth2/v1/authorize'
7) Access Token URL: your OKTA org URL followed by '/oauth2/v1/token'
8) Client ID: the value from the previous step
9) Client Secret: the value from the previous step
10) Scope: 'openid profile'
11) State: 'NO_STATE'. A fixed value is fine for this Postman test, but a real client must generate a random, unguessable state per login and verify it on the callback; that check is what protects the redirect endpoint against CSRF.
12) Client Authentication: 'Send client credentials in body'
13) Request the token (Postman's 'Get New Access Token' button)
If everything goes well, Postman handles the whole process (authentication and authorization) for you, and you can see the authorization code come back on the redirect URL as below:
The access token is retrieved as well. Press 'Use Token', then send the current request, and the result should be returned:
If you get unexpected errors, try allowing pop-ups and redirects in your browser settings, or check the Postman console for more details.
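The same flow done by hand, as an added example that is not part of the original post or OKTA's own tooling. It builds the authorize URL with a random state (instead of the fixed 'NO_STATE' used in the Postman test), optionally adds the PKCE challenge mentioned above, validates the state on the redirect, exchanges the code at /oauth2/v1/token with the client credentials in the body, and calls /oauth2/v1/userinfo with a Bearer header. The org URL, redirect URI, and credentials are placeholders you must replace with the values from your own app integration; the redirect URI must be registered in OKTA.

```python
"""OKTA authorization-code flow without Postman.

Added example, not code from the original post. ORG_URL, REDIRECT_URI and the
client ID/secret read at runtime are placeholders for your own app integration.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

ORG_URL = "https://dev-000000.okta.com"         # placeholder org URL
REDIRECT_URI = "http://localhost:8080/callback"   # placeholder; must be registered in OKTA
SCOPE = "openid profile"


def new_state() -> str:
    """Unguessable per-login state (RFC 6749 section 10.12); a constant gives no CSRF protection."""
    return secrets.token_urlsafe(32)


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636): base64url(sha256) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge) pair for one login."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def build_authorize_url(org_url, client_id, redirect_uri, state, scope=SCOPE, code_challenge=None) -> str:
    """URL the browser is sent to; OKTA runs login and MFA there, then redirects back with a code."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{org_url}/oauth2/v1/authorize?{urllib.parse.urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect URL, refusing it unless state matches."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect is not from the login we started")
    return query["code"][0]


def build_token_request(org_url, client_id, client_secret, code, redirect_uri, code_verifier=None):
    """POST to /oauth2/v1/token with the client credentials in the body (client_secret_post),
    the same thing Postman's 'Send client credentials in body' setting does."""
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if code_verifier:
        fields["code_verifier"] = code_verifier
    return urllib.request.Request(
        f"{org_url}/oauth2/v1/token",
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        method="POST",
    )


def build_userinfo_request(org_url, access_token):
    """GET /oauth2/v1/userinfo with the access token as a Bearer header."""
    return urllib.request.Request(
        f"{org_url}/oauth2/v1/userinfo",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )


def fetch_json(req) -> dict:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    client_id = input("Client ID: ").strip()
    client_secret = input("Client Secret: ").strip()
    state = new_state()
    verifier, challenge = new_pkce_pair()
    print("Open this URL in a browser:")
    print(build_authorize_url(ORG_URL, client_id, REDIRECT_URI, state, code_challenge=challenge))
    code = parse_callback(input("Paste the full redirect URL here: ").strip(), state)
    tokens = fetch_json(build_token_request(ORG_URL, client_id, client_secret, code, REDIRECT_URI, verifier))
    print(json.dumps(fetch_json(build_userinfo_request(ORG_URL, tokens["access_token"])), indent=2))
```

Run it, open the printed URL, complete the OKTA login (and MFA if prompted), then paste the URL your browser lands on; the script refuses the redirect if the state does not match, which is exactly the check a fixed 'NO_STATE' value cannot provide. The code is single-use and short-lived, so the exchange must happen right after the redirect.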