Integrating API Developer portal Open API specification security schemes with Okta.

We are trying to provision an APIGEE developer portal and have included an OpenAPI specification in it, where we have defined the security scheme as below:

securitySchemes:
    oauth2:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: >-
            https://XXXXXXXXXXXXX/connect/authorize?
          scopes:
            order.customer: ""  # OpenAPI requires a description string for each scope

Here, the authorization server is actually an OKTA endpoint. When we try to authorize from the API specification visible in the Developer portal, we provide the appropriate client ID in the pop-up.


The developer portal then generates the implicit request to OKTA like below:

https://<OKTA_AUTHORIZATION_URL>?client_id=<client_id>&response_type=token&redirect_uri=<redirect_ur...

But as per the OKTA documentation, making an implicit call needs two more query parameters, i.e. nonce and status. How can we pass these parameters from the APIGEE developer portal? Is there any configuration that will enable me to pass these extra query parameters to my authorization call?

I am using a public cloud (SaaS) APIGEE version.


Dino-at-Google do you have any idea on this? Please help.

Your security schema is defined as oauth2, whereas OKTA is most likely configured to implement OIDC. OIDC is based on oauth (and is indeed very similar), but there are some differences. One of them is that OIDC implicit flow REQUIRES the nonce parameter, whereas the OAuth2 flow doesn't even mention it. You will need to implement an intermediary proxy that generates a random nonce and adds it as a query parameter before forwarding the request to OKTA, and configure your OpenAPI specification so that authorizationUrl points to this proxy. For instance:

securitySchemes:
    oauth2:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://<your-apigee-endpoint>/oidc/authorize
          scopes:
            order.customer: ""