Decision Management (ODM,ADS)

  • 1.  Configure ODM ON PREM RES REST API with Okta

    Posted Mon May 16, 2022 09:46 AM
    Hi ,

    I am looking for some help on how to configure on-prem ODM 8.10.5 RES with the Okta client_credentials flow. We control RES/decision server access with roles and users. How can we configure the client credentials flow, as it won't get any user consent in the access token?

    ------------------------------
    PIKU Queen
    ------------------------------


  • 2.  RE: Configure ODM ON PREM RES REST API with Okta

    Posted Tue May 17, 2022 02:45 AM
    Hi,
    Is your concern that the user should be prompted to give their consent when authenticating in OKTA ?
    If so, it seems that OKTA can be configured to require user consent: https://developer.okta.com/docs/guides/request-user-consent/main/#enable-consent-for-scopes
    But please notice that Decision Center and the RES console only request the openid scope when sending a request to the authorization endpoint.
    With regards, Frederic

    ------------------------------
    Frederic Mercier
    ------------------------------



  • 3.  RE: Configure ODM ON PREM RES REST API with Okta

    Posted Tue May 17, 2022 03:13 AM
    Hello,

    Here you can find documentation that describes the integration between ODM on k8s and Okta.
    https://github.com/DecisionsDev/odm-docker-kubernetes/tree/master/authentication/Okta

    The way to manage the client_credentials flow with ODM on prem is the same :
    1/ Create a specific scope that we named "odmapiusers" in this tutorial https://github.com/DecisionsDev/odm-docker-kubernetes/tree/master/authentication/Okta#configure-the-default-authorization-server
    2/ Create the dedicated OpenId Provider that will be used by Decision Center https://github.com/DecisionsDev/odm-docker-kubernetes/blob/master/authentication/Okta/templates/OdmOidcProviders.json#L5
    3/ Provide to the RES liberty the authorization to the OKTA ClientId. The ClientId is seen as a user in the client_credentials flow https://github.com/DecisionsDev/odm-docker-kubernetes/blob/master/authentication/Okta/templates/webSecurity.xml#L14

    Obviously, all of this is assuming you configured the ODM liberty using an openIdConnectClient artefact similar to https://github.com/DecisionsDev/odm-docker-kubernetes/blob/master/authentication/Okta/templates/openIdWebSecurity.xml

    If you are just interested in calling the RES rest-api using the client-credentials flow:
    1/ Get a Bearer Token with the client_credentials flow

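    scope=odmapiusers # as explained previously
    token_url=https://dev-963731.okta.com/oauth2/default/v1/token # replace with your own
    client_id="<YOUR_CLIENT_ID>" # client ID of the Okta application
    client_secret="<YOUR_CLIENT_SECRET>" # client secret of the Okta application

    # -k disables TLS certificate verification; omit it when the endpoint presents a trusted certificate
    curl -k -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
    -d "scope=${scope}&grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}" \
    "${token_url}"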

    2/ Call res rest-api using an authorization Bearer header
    -H "Authorization: Bearer <YOUR_TOKEN>"

    Hope this helps

    ------------------------------
    Mathias Mouly
    ------------------------------
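
An added example (not part of the thread or of the ODM project) for checking, before calling RES, that a token obtained with the client_credentials flow really identifies the client rather than a user and carries the odmapiusers scope. It assumes Okta's access-token claims `sub`, `scp`, `uid` and `exp`; the client ID and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (debugging aid only;
    signature validation remains the job of the Liberty openIdConnectClient)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_problems(claims, client_id, scope, now=None):
    """List the reasons this token would not map to the expected client and scope."""
    now = time.time() if now is None else now
    problems = []
    # Okta lists scopes in an "scp" array; other issuers use a space-separated "scope" string.
    granted = claims.get("scp") or str(claims.get("scope", "")).split()
    if scope not in granted:
        problems.append(f"scope {scope!r} not granted (got {granted})")
    # With client_credentials there is no end user: the subject is the client itself.
    if claims.get("sub") != client_id:
        problems.append(f"sub is {claims.get('sub')!r}, expected client id {client_id!r}")
    if "uid" in claims:
        problems.append("token carries a user id, so it came from a user flow")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    # Constructed, unsigned sample so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


CLIENT_ID = "0oaEXAMPLEclientid"  # constructed placeholder, not a real Okta client
SAMPLE = make_sample_token({"sub": CLIENT_ID, "cid": CLIENT_ID,
                            "scp": ["odmapiusers"], "exp": 2000000000})

if __name__ == "__main__":
    print(token_problems(decode_claims(SAMPLE), CLIENT_ID, "odmapiusers", now=1700000000))
```

An empty list means the `sub` value is the name that has to be authorized in the RES Liberty role mapping, as step 3/ of the post above describes.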