Over the course of my technical career, I’ve always thought of Oauth2 to, frankly, be a bit of a pain. Oauth2 offers a mind boggling amount of possibilities and is the basis of many authorization workflows.
However, I have found the documentation and supporting examples of how to integrate Oauth2 somewhat lacking. I hope that someone out in the ether will find this blog post and save a few days of keyboard smashing.
First, the backstory: We needed to deploy an application into a Kubernetes Cluster with no native authentication or authorization. It was an application to which everyone in Agari’s engineering organization needed access, so the authorization workflow needed to be easy to use and robust.
Enter OKTA. For those of you that aren’t familiar with OKTA, it’s a cloud-based identity service that supports Oauth 2.0 workflows. The concept was fairly simple. We would deploy our handy little application into one of our Elastic Kubernetes Service (EKS) clusters, give it an ingress via an Application Load Balancer (ALB), and configure the ingress rules to integrate with OKTA.
This way, everyone could use their existing OKTA logins to access our new application. In addition, my team, Site Reliability Engineering (SRE), needed to programmatically access the same endpoint to configure our little application via an API. While provisioning user access to the application was a fairly straightforward process, getting programmatic access was a bit harder.
For starters, we needed to deploy our application and get it configured for Okta. I won’t go into great detail here as there are lots of ways to do this and tons of documentation on the interwebs.
The following steps were done in Python3 with the requests library:
That’s it! While this solution may not be overly complex, the documentation on how to do it is mediocre at best. I hope this clarifies how to programmatically provision access to applications protected by Okta and AWS ALBs.
This solution, and many others like it, help Agari to protect against email based advanced phishing and social engineering attacks.