Okta OAuth
Feature
How to integrate OAuth2 Authentication with Germain using Okta.
Configure
In Okta
1. Sign in to your Okta organization with your administrator account.
2. In the Admin Console, go to Applications > Applications.
3. Select the OpenID Connect (OIDC) or OAuth 2.0 app that needs grants added.
4. Under the General tab, go to the Login section.
5. Modify Sign-in redirect URIs according to the template below:
   https://<host>:<port>/login/oauth2/code/<client_id>
   ex: http://localhost:8080/login/oauth2/code/0oa7asda8tu9esOGL5d7
6. Note: the Client ID can be found in the Client Credentials section on the same tab. Make a note of the Client ID and Client Secret from the Client Credentials section. These two values are needed when configuring the Germain Authentication Provider.

7. Under the Sign On tab, go to the OpenID Connect ID Token section and update the Groups claim filter as below. This allows Germain to extract group information from Okta and map these groups to Roles configured in Germain. To create Roles in Germain, see here.

In Germain
1. Sign in to your Germain application with your administrator account.
2. Go to System > System Settings > Root Config (Advanced).
3. Go to monitoringConfig > systemConfig > authentication.
4. In AuthenticationConfig, set the following:
   defaultRedirectPath: workspace URL (ex: http://localhost:8080/germainapm/workspace/app)
   oauthAuthentication: true
5. Go to System > Auth Settings > Authentication.
6. Click the Plus button to add a new Authentication Provider.
7. Select OAuth Provider and click Next.
8. Set the provider settings as below:
   Provider Name: name for your Auth Provider
   Client ID: <Client ID copied from Okta>
   Client Secret: <Client Secret copied from Okta>
   Authorization Grant Type: authorization_code
   Redirect URI Template: {baseUrl}/login/oauth2/code/{registrationId}
   Authorization URI: https://<yourOktaDomain>/oauth2/v1/authorize
   Token URI: https://<yourOktaDomain>/oauth2/v1/token
   User Info URI: https://<yourOktaDomain>/oauth2/v1/userinfo
   JWK Set URI: https://<yourOktaDomain>/oauth2/v1/keys
   User Name Attribute: email
   JWS Algorithm:
   Role List Path: userInfo.claims.groups
   Scope values:
     openid
     profile
     email
     groups
9. Click Finish.
10. Restart the Tomcat services to make the changes effective.
11. Once done, the login page should display a "Login with Okta" OAuth provider option.
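The following Python script is an added example, not code from the Germain or Okta documentation. It ties the two halves of the procedure together: it expands the Redirect URI Template ({baseUrl}/login/oauth2/code/{registrationId}) the way the page's own Okta example does (client ID as the last path segment) and checks that the result is registered verbatim as a Sign-in redirect URI in Okta, compares the provider URIs, grant type, scopes and Role List Path against the values the page requires, and shows how the Role List Path userInfo.claims.groups resolves Okta groups to Germain roles. The Okta domain, client ID, group names and the nested userInfo object shape are constructed placeholders; the object shape is assumed from the path the page configures, not taken from Germain's implementation.

```python
"""Pre-restart sanity checks for the Okta / Germain OAuth setup (added example).

Everything here is a constructed placeholder: dev-000000.okta.com,
0oaEXAMPLECLIENTID, the group names and the userInfo object shape
(assumed from the Role List Path the page configures).
"""
from urllib.parse import urlparse

REDIRECT_URI_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"
REQUIRED_SCOPES = {"openid", "profile", "email", "groups"}


def expected_redirect_uri(base_url: str, registration_id: str) -> str:
    """Expand the template for the callback Germain will send to Okta."""
    return REDIRECT_URI_TEMPLATE.format(
        baseUrl=base_url.rstrip("/"), registrationId=registration_id
    )


def okta_org_endpoints(okta_domain: str) -> dict:
    """Org authorization server endpoints exactly as the page lists them."""
    base = f"https://{okta_domain}/oauth2/v1"
    return {
        "authorization_uri": f"{base}/authorize",
        "token_uri": f"{base}/token",
        "user_info_uri": f"{base}/userinfo",
        "jwk_set_uri": f"{base}/keys",
    }


def check_provider_settings(settings: dict, okta_domain: str,
                            okta_redirect_uris: list) -> list:
    """Return a list of problems; empty means the Germain provider form
    (mirrored by `settings`) and the Okta app agree."""
    problems = []
    for key, uri in okta_org_endpoints(okta_domain).items():
        if settings.get(key) != uri:
            problems.append(f"{key} should be {uri}")
    if settings.get("authorization_grant_type") != "authorization_code":
        problems.append("authorization_grant_type must be authorization_code")
    if settings.get("user_name_attribute") != "email":
        problems.append("user_name_attribute should be email")
    if settings.get("role_list_path") != "userInfo.claims.groups":
        problems.append("role_list_path should be userInfo.claims.groups")
    missing = REQUIRED_SCOPES - set(settings.get("scopes", []))
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    # Okta matches redirect_uri exactly, so the expanded callback must appear
    # in the app's Sign-in redirect URIs character for character.
    callback = expected_redirect_uri(settings["base_url"], settings["client_id"])
    if callback not in okta_redirect_uris:
        problems.append(f"Okta has no sign-in redirect URI equal to {callback}")
    parsed = urlparse(callback)
    if parsed.scheme != "https" and parsed.hostname != "localhost":
        problems.append("callback should use https outside local development")
    return problems


def resolve_path(obj, dotted_path: str):
    """Walk a dotted path such as userInfo.claims.groups through nested dicts."""
    for part in dotted_path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def roles_from_groups(authenticated_user: dict, role_list_path: str,
                      group_to_role: dict) -> list:
    """Map the Okta groups found at role_list_path onto Germain roles.
    Unmapped groups are ignored; a missing groups claim (e.g. the Groups
    claim filter in Okta not set) yields no roles at all."""
    groups = resolve_path(authenticated_user, role_list_path) or []
    return sorted({group_to_role[g] for g in groups if g in group_to_role})


# Constructed sample input (placeholders, not real credentials or hosts).
SAMPLE_SETTINGS = {
    "base_url": "https://germain.example.com",
    "client_id": "0oaEXAMPLECLIENTID",
    "authorization_grant_type": "authorization_code",
    "authorization_uri": "https://dev-000000.okta.com/oauth2/v1/authorize",
    "token_uri": "https://dev-000000.okta.com/oauth2/v1/token",
    "user_info_uri": "https://dev-000000.okta.com/oauth2/v1/userinfo",
    "jwk_set_uri": "https://dev-000000.okta.com/oauth2/v1/keys",
    "user_name_attribute": "email",
    "role_list_path": "userInfo.claims.groups",
    "scopes": ["openid", "profile", "email", "groups"],
}
SAMPLE_OKTA_REDIRECTS = [
    "https://germain.example.com/login/oauth2/code/0oaEXAMPLECLIENTID"
]
SAMPLE_USER = {"userInfo": {"claims": {"email": "alice@example.com",
                                        "groups": ["germain-admins", "Everyone"]}}}
GROUP_TO_ROLE = {"germain-admins": "ADMIN", "germain-viewers": "VIEWER"}

if __name__ == "__main__":
    print(check_provider_settings(SAMPLE_SETTINGS, "dev-000000.okta.com",
                                  SAMPLE_OKTA_REDIRECTS))
    print(roles_from_groups(SAMPLE_USER, "userInfo.claims.groups", GROUP_TO_ROLE))
```

Run it against your own values before restarting Tomcat: an empty problem list means the Okta app and the Germain provider form agree, and an empty role list for a test user points at the Groups claim filter from step 7 of the Okta section rather than at the provider settings.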
