Okta Integration API Registration

Without Apigee, we had an API which needed to be registered in Okta for users to authenticate before getting access to the API. This API obtained user context from the Okta token.

Then, we adopted Apigee and set Okta as the OAuth 2.0 server for Apigee.

Question 1: Do I need to now register two APIs in Okta: 1. the API proxy which I create in Apigee, and 2. the original API, so that it can still create user context from the Okta token which gets forwarded to it by the API proxy?

Question 2: Should we also validate the token from the backend API (along with validating the token from the API proxy), or is it acceptable to have no authentication in our backend APIs going forward?

Thanks,

Ashish


Hi @Ashish Mundra,

Q1: You don't need to register 2 APIs in Okta; you just need to associate the Okta token with the Apigee token via a custom attribute when you create it. Then, when you validate the Apigee token in your proxy, you will have access to the Okta token, which you can then set as the Authorization for the backend API call.

Q2: I would keep backend API authentication as per the Q1 answer. That way, if your backend authorizations changed (say, to remove a user or change scope), your APIs would be protected.

Regards,

Kurt
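The three-step plumbing Kurt describes, written out as Apigee policy configuration. This is an added example, not code from the original thread or from Apigee's own samples; the policy names, the custom attribute name okta_token and the form parameter carrying the Okta token are assumptions, and the example assumes the proxy has already verified the Okta token (for example with a VerifyJWT policy against Okta's keys) before storing it.

```xml
<!-- Step 1: when issuing the Apigee token, keep the caller's (already verified)
     Okta token on it as a custom attribute. display="false" keeps the attribute
     out of the token response so it is never echoed back to the client. -->
<OAuthV2 name="OAuth-GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>3600000</ExpiresIn>   <!-- milliseconds: 1 hour -->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <Attributes>
    <!-- okta_token and request.formparam.okta_token are assumed names -->
    <Attribute name="okta_token" ref="request.formparam.okta_token" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- Step 2: on every API call, verify the Apigee token. On success the custom
     attribute is exposed as the flow variable accesstoken.okta_token. -->
<OAuthV2 name="OAuth-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Step 3: forward the Okta token (not the Apigee token) to the backend, so the
     backend can still build user context and keep validating the token itself.
     IgnoreUnresolvedVariables=false makes the call fail rather than forward an
     empty Authorization header if the attribute is missing. -->
<AssignMessage name="AM-ForwardOktaToken">
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {accesstoken.okta_token}</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

Attach OAuth-VerifyToken and AM-ForwardOktaToken to the proxy's request PreFlow so every route to the backend passes through them.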

I am thinking that if Okta is my IAM solution, then Okta should provide a token and not Apigee (even the one which you mention as the Apigee token in the answer above). In this https://www.okta.com/sites/default/files/okta_apigee-data-sheet_20180618.pdf, Apigee is not generating any token either (that is how I read it). If Apigee is to provide a token, then will I need to also register users in Apigee? If so, I would want to avoid adding users to Apigee, as we have Okta+AD for that. Maybe I am not understanding this plumbing well and will need some advice from the community on how others have done it. Thanks.