JDBC Driver for Okta

Build 24.0.9175

Creating a Custom OAuth Application

CData JDBC Driver for Okta requires a custom OAuth application to connect to Okta, whichever auth flow you use. Custom OAuth applications are also useful if you want to:

  • Control branding of the authentication dialog.
  • Control the redirect URI that the application redirects the user to after the user authenticates.
  • Customize the permissions that you are requesting from the user.

OAuth Authorization Code Grant

From your Okta account:

  1. Sign in to your Okta developer edition organization with your administrator account.
  2. In the Admin Console, go to Applications -> Applications.
  3. Click Create App Integration.
  4. For the Sign-in method, select OIDC - OpenID Connect.
  5. For Application type, choose Web Application.
  6. Enter a name for your custom application.
  7. Set the Grant Type to Authorization Code. If you want the token to be automatically refreshed, also check Refresh Token.
  8. Set the callback URL:
    • For desktop applications and headless machines, use http://localhost:33333 or another port number of your choice. The URI you set here becomes the CallbackURL property.
    • For web applications, set the callback URL to a trusted redirect URL. This URL is the web location the user returns to with the token that verifies that your application has been granted access.
  9. In the Assignments section, either select Limit access to selected groups and add a group, or skip group assignment for now.
  10. Save the OAuth application.
  11. The application's Client Id and Client Secret are displayed on the application's General tab. Record these for future use. You will use the Client Id to set the OAuthClientId and the Client Secret to set the OAuthClientSecret properties in the driver.
  12. Check the Assignments tab to confirm that all users who must access the application are assigned to the application.
  13. On the Okta API Scopes tab, select the scopes you wish to grant to the OAuth application. These scopes determine the data that the app has permission to read, so a scope for a particular view must be granted for the driver to have permission to query that view. To confirm the scopes required for each view, see the view-specific pages in Views.

OAuth JWT

From your Okta account:

  1. Sign in to your Okta developer edition organization with your administrator account.
  2. In the Admin Console, go to Security -> API.
  3. On the Authorization Servers tab, create a new authorization server and select it.
  4. On the Scopes tab, select Add Scope. Name the scope jwt_scope, ensure that you have not checked 'Block services from requesting this scope', and then save the scope.
  5. In the Admin Console, go to Applications -> Applications.
  6. Click Create App Integration.
  7. For the Sign-in method, select API Services.
  8. Enter a name for your custom application and save it.
  9. On the General tab of your app, in the Client Credentials section, set Client authentication to Public key/Private key.
  10. Also in the Client Credentials section, copy the Client Id and use it to set the OAuthClientId property in the driver.
  11. In the Public Keys section, set Configuration to Save keys in Okta.
  12. Generate a key pair and save the private key as a PEM file. Set OAuthJWTCert to the path to your PEM file and set OAuthJWTCertType to PEMKEY_FILE. Note that although Okta allows multiple key pairs to be created, it will be unable to sign the JWT if the app has more than one key pair.
  13. In the General Settings section, ensure that Require Demonstrating Proof of Possession (DPoP) header in token requests is not checked.
  14. Save the OAuth application.
  15. The application's Client Id and Client Secret are displayed on the application's General tab. Record these for future use. You will use the Client Id to set the OAuthClientId and the Client Secret to set the OAuthClientSecret.
  16. On the Okta API Scopes tab, select the scopes you wish to grant to the OAuth application. These scopes determine the data that the app has permission to read, so a scope for a particular view must be granted for the driver to have permission to query that view. To confirm the scopes required for each view, see the view-specific pages in Views.
  17. On the Admin Roles tab, add a role that grants API access, such as 'API Access Management Administrator'.
  18. In the driver, you will now need to set the AuthScheme connection property to OAuthJWT.
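
A pre-flight check for the PEM file saved in step 12 of the OAuth JWT procedure, run before its path is placed in OAuthJWTCert. This is an added example, not code from CData or Okta; the function name, the script name and the one-key-per-file rule are assumptions of the example.

```python
import os
import re
import stat
import sys

# PEM armor line, e.g. "-----BEGIN PRIVATE KEY-----"
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def check_pem_key_file(path):
    """Return a list of findings for the file OAuthJWTCert will point to."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    # POSIX only: the signing key should be accessible to its owner alone.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access; use 600"
                        % stat.S_IMODE(st.st_mode))
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        labels = _BEGIN.findall(fh.read())
    private = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not private:
        findings.append("no PRIVATE KEY block (found: %s)"
                        % (", ".join(labels) or "nothing"))
    elif len(private) > 1:
        # Assumption of this example: one key per file, so it is
        # unambiguous which key signs the JWT.
        findings.append("%d private keys in one file" % len(private))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_pem.py /path/to/private_key.pem")
    problems = check_pem_key_file(sys.argv[1])
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it reports a finding, so it can gate a deployment step that writes the driver's connection properties.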

Copyright (c) 2025 CData Software, Inc. - All rights reserved.