OpenMetadata/docs/install/enable-security/okta-sso/create-ingestion-service-account.md

---
description: This is a guide to create ingestion bot service app.
---

# Create Service Account

## Step 1: Generate Public/Private key pair

* Use a tool such as this JSON [Web Key Generator](https://mkjwk.org) to generate a JWKS public/private key pair for testing.
* For a production use case, use your own [internal instance](https://github.com/mitreid-connect/mkjwk.org) of the key pair generator.
* For production use case, clone the repository using `git clone https://github.com/mitreid-connect/mkjwk.org.git`.
* Use `mvn package -DskipTests && java -jar target/ROOT.war` to run the above repo.
* Go to `http:localhost:8080` to generate **public/private key pairs**.

![Alt text](https://user-images.githubusercontent.com/83201188/126946539-cb31793d-7616-4343-821b-8e190d626b63.png)

* Enter the following values to generate a **public/private key pair**:
  * Key size - 2048
  * Key use — signature
  * Algorithm — RSA256
  * Key ID — (Optional) This can be any random value.

![Alt text](https://user-images.githubusercontent.com/83201188/126946546-1e86ae45-2774-4217-925e-f423053a7a1d.png)

* Once you provide the input, click **Generate**. You will get the **Public/Private Keypair**, **Public/Private Keypair Set,** and **Public Key**

![Alt text](https://user-images.githubusercontent.com/83201188/126946550-ec9fa2b3-0a47-4fe1-ac32-7e326b3f7d45.png)

## Step 2: Create Service-App

* You will need to make a **POST** request to `https://${yourOktaDomain}/oauth2/v1/clients` endpoint to create a service app in okta
* The parameters involved in the request are:
  * **client_name** - the name of the service app
  * **grant_type** - **client_credentials**
  * **token_endpoint_auth_method** — **private_key_jwt**
  * **application_type** — **service**
  * **jwks** — add the **Public/Private Keypair Set** that you created in the previous step.
* The request looks something like this:

![Alt text](https://user-images.githubusercontent.com/83201188/126946556-01bfab7b-1a3a-48da-8661-e01071af66db.png)

* To check if the service app is created navigate to your **Okta Dashboard**.

![Alt text](https://user-images.githubusercontent.com/83201188/126946567-23178d0d-baff-4a3b-8401-330353db1b88.png)

* Click on **Applications -> Applications** on the left side.

![Alt text](https://user-images.githubusercontent.com/83201188/126946558-89969475-c23b-4338-8681-6da66b2c2486.png)

* You should see your service account in the list.

![Alt text](https://user-images.githubusercontent.com/83201188/126948899-3fddfaa6-a881-446a-bf2d-9ccf417275e3.png)

## Step 3: Grant allowed scopes

* To add a grant for an allowed scope to your service app, we need to make a **POST** request to `https://${yourOktaDomain}/api/v1/apps/{serviceappclient_id}/grants` endpoint.
* The parameters involved in the request are:
  * **scopeID** — **okta.clients.manage**
* The request looks something like this:

![Alt text](https://user-images.githubusercontent.com/83201188/126947013-8ba3bf00-26ad-457f-bba4-dab2b022c073.png)

* You can also add scopes by navigating to your **Okta Dashboard** and Clicking on **Applications -> Applications** just like in step 2.

![Alt text](https://user-images.githubusercontent.com/83201188/126946558-89969475-c23b-4338-8681-6da66b2c2486.png)

* Click on your service app.

![Alt text](https://user-images.githubusercontent.com/83201188/126948899-3fddfaa6-a881-446a-bf2d-9ccf417275e3.png)

* Now click on Okta API Scopes available on the top of the form.

![Alt text](https://user-images.githubusercontent.com/83201188/126946565-323ec31e-ec66-48bb-b290-31ae51d0ae2f.png)

* Grant the scopes by clicking on **Grant**.
* To get more info on the scopes. Visit the [Doc](https://developer.okta.com/docs/guides/implement-oauth-for-okta/scopes/)