@bizdoc/okta v2.2.1
Okta for BizDoc
BizDoc supports Okta for both authentication and authorization, in one of two configurations: server flow or client flow.
Server flow redirects unauthorized users to Okta sign-in page on Okta domain, and handles the redirect. Client flow prompts unauthorized users for credentials in an hosted widget, and negotiate with Okta on the background.
Setting up
1) For both modes, install BizDoc Nuget package:
dotnet add package BizDoc.Core.Okta
2) Add Okta application. If using server mode, choose Web Application. If using client mode, choose ODIC - OpenID Connect, and select SPA.
Okta sign-in redirect url should match "/authorization-code/callback" on server mode, and no path for client mode.
Create an API Token to allow BizDoc to retrieve users information.
3) In startup.cs, add Okta service.
For server flow, use AddOktaRedirect:
AddBizDoc(o=> {
o.ApplicationUri = "https://app-domain";
})
.AddOktaServer(o=> {
o.ApiToken = "api-token";
o.Domain = "domain-name";
o.ClientId = "client-id";
o.ClientSecret = "client-secret";
}).
UseIdentityProvider();
...
UseBizDoc().
.UseOktaServer();
For client mode, use AddOkta:
AddBizDoc(...)
.AddOkta(o=> {
o.ApiToken = "api-token";
o.Domain = "domain-name";
}).
UseIdentityProvider();
The UseIdentityProvider() method registers an identity provider which retrieve user information from Okta. To use a different provider, while still authenticating via Okta, see Implementing Identity Provider.
4) Client mode only, install Angular package:
npm i @bizdoc/okta
Add Okta configuration in Angular app.module:
OktaModule.forRoot({
domain: 'domain-name',
clientId: 'client-id'
})
Roles
In order to map user groups to BizDoc roles for authorization purposes, add a new claim to Okta Authorization Server with the following specifications.
Property | Value |
---|---|
Name | bizdoc.roles |
Include in token type | ID Token |
Value type | Groups |
Filter | Matches regex, .* |
Include in | Any scope |
System Role
Add an attribute to either application profile or all profiles and set its type to boolean. Add a claim in API server that map to the profile attribute you created.
Property | Value |
---|---|
Name | bizdoc.admin |
Include in token type | ID Token |
Value type | Expression |
Value | user.{attr-name-here} |
1 month ago
2 months ago
4 months ago
8 months ago
11 months ago
12 months ago
1 year ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
2 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
3 years ago