OpenMetadata/deploy/deploy-on-kubernetes/enable-security/okta-sso/create-ingestion-service-account.md
2022-03-22 11:44:28 -07:00


description
This is a guide to creating the ingestion bot service app.

Create Service Application

Step 1: Generate Public/Private Key Pair

For a Test or Staging Instance:

  • Use a tool such as this JSON Web Key Generator to generate a JWKS public/private key pair for testing.

For a Production Instance:

  • Use your own internal instance of the key pair generator.
  • Clone the repository using git clone https://github.com/mitreid-connect/mkjwk.org.git.
  • Run mvn package -DskipTests && java -jar target/ROOT.war to start the above repo.
  • Go to http://localhost:8080 to generate public/private key pairs.


  • Enter the following values to generate a public/private key pair:
    • Key size - 2048
    • Key use - signature
    • Algorithm - RS256
    • Key ID - Enter the kid value fetched from issuer_url/v1/keys as the Key ID.


  • Once you provide the input, click Generate. You will get the Public/Private Keypair, the Public/Private Keypair Set, and the Public Key.


Step 2: Create a Token

While creating the service application, an authorization token will be needed. To create a token:

  • Navigate to Security -> API from the left nav bar.
  • Click on the Tokens tab.
  • Click on Create New Token.
  • Save the token safely.

Step 3: Create Service Application

  • You will need to make a POST request to the https://${yourOktaDomain}/oauth2/v1/clients endpoint to create a service app in Okta.
  • The parameters involved in the request are:
    • client_name - the name of the service app
    • grant_types - client_credentials
    • token_endpoint_auth_method - private_key_jwt
    • application_type - service
    • jwks - add the Public/Private Keypair Set that you created in Step 1.
  • Create a service app using the below format:

```bash
curl --location --request POST '<domain-url>/oauth2/v1/clients' \
--header 'Authorization: SSWS <token-created-in-previous-step>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_name": "OM-service-app-postman-4",
    "grant_types": [
        "client_credentials"
    ],
    "response_types": [
        "token"
    ],
    "token_endpoint_auth_method": "private_key_jwt",
    "application_type": "service",
    "jwks": {
        <public private key pair set with kid(key id) that of the authorization server>
    }
}'
```

  • To check if the service app is created, navigate to your Okta Dashboard.
  • Click on Applications -> Applications in the left navigation bar.
  • You should see your service account in the list.
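
As an added example (not code from the OpenMetadata docs or from Okta), the following Python builds the body for the POST to /oauth2/v1/clients from the key pair set produced in Step 1: it keeps only the public RSA members in jwks, so the private half stays with the ingestion bot, and confirms that the kid is one published at issuer_url/v1/keys, as Step 1 instructs. The key values and the issuer response below are constructed placeholders, not real key material.

```python
import json

# Constructed sample of the "Public/Private Keypair Set" that mkjwk emits
# (values are short placeholders, not a real 2048-bit key).
KEYPAIR_SET = {
    "keys": [{
        "p": "PLACEHOLDER_p", "kty": "RSA", "q": "PLACEHOLDER_q",
        "d": "PLACEHOLDER_d", "e": "AQAB", "use": "sig", "kid": "abc123",
        "qi": "PLACEHOLDER_qi", "dp": "PLACEHOLDER_dp", "alg": "RS256",
        "dq": "PLACEHOLDER_dq", "n": "PLACEHOLDER_n",
    }]
}

# Constructed sample of what issuer_url/v1/keys returns for the
# authorization server whose kid Step 1 says to reuse.
ISSUER_KEYS = {"keys": [{"kty": "RSA", "kid": "abc123", "use": "sig",
                         "alg": "RS256", "e": "AQAB", "n": "ISSUER_n"}]}

PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}
PUBLIC_MEMBERS = ("kty", "kid", "use", "alg", "n", "e")


def public_jwks(keypair_set):
    """Keep only the public RSA members of each key; the private
    members never leave the host that runs the ingestion bot."""
    return {"keys": [{m: k[m] for m in PUBLIC_MEMBERS if m in k}
                     for k in keypair_set["keys"]]}


def check_kid(jwks, issuer_keys):
    """Confirm every kid in jwks is one the issuer actually publishes."""
    published = {k["kid"] for k in issuer_keys["keys"]}
    missing = [k["kid"] for k in jwks["keys"] if k["kid"] not in published]
    if missing:
        raise ValueError(f"kid not published by issuer: {missing}")
    return True


def build_client_registration(client_name, keypair_set, issuer_keys):
    """Request body for POST /oauth2/v1/clients, matching the curl above."""
    jwks = public_jwks(keypair_set)
    check_kid(jwks, issuer_keys)
    return {
        "client_name": client_name,
        "grant_types": ["client_credentials"],
        "response_types": ["token"],
        "token_endpoint_auth_method": "private_key_jwt",
        "application_type": "service",
        "jwks": jwks,
    }
```

Pass the returned dict through json.dumps as the --data-raw payload; if check_kid raises, regenerate the key pair with the kid currently served at issuer_url/v1/keys before registering.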

Step 4: Grant Allowed Scopes

  • To add scopes, navigate to your Okta Dashboard. Click on Applications -> Applications as in the previous step.
  • Click on your service app.
  • Now click on Okta API Scopes from the top nav bar.
  • Grant the scopes by clicking on Grant. Ensure that the following scopes are granted:
    • okta.users.read
    • okta.users.manage
    • okta.clients.read
  • For more information on the scopes, visit the Okta documentation.