How to best connect to Okta using OAuth 2.0 & use Okta APIs

Hi All,

I am going in circles and not reaching anywhere. I need your advice on whether this is the right way to achieve my use case.

Use Case: In my application, I have a custom user registration screen and, based on some validations, I would want to create an Okta user in a group that is linked to my Okta application.

My application is on an Okta tenant that is shared by other applications. So from a security point of view an API token is not possible. The next option is to generate a public/private key pair, which Okta experts in my area also said is not available in production.

So I started looking at OAuth 2.0 communication. If I get a handle on an OAuth 2.0 access token, then I should use RestTemplate.exchange and send in the bearer token. Something like below in Java Spring Boot code? Is this the right approach, or is anything better available? I cannot figure out how com.okta.sdk.client.Client can be instantiated and provided an OAuth 2.0 access token.

curl -X GET "https://${yourOktaDomain}/api/v1/users" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${accessToken}"

Have you taken a look at this guide that walks you through configuring a Service application in Okta that can be used to generate OAuth tokens that can in turn be sent to Okta’s management endpoints (including /users) as authorization?

What was the reason given for why this technique (public/private key pair) wouldn’t be an option in production?

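The flow the reply points at (an OAuth service app with a registered public key, a private_key_jwt client-credentials exchange, then the Bearer call to /api/v1/users), as an added Spring Boot-style example that is not from the thread or from Okta's SDK. It assumes the nimbus-jose-jwt library for signing; the org URL, client ID, key ID and RSA private key are placeholders supplied by the caller.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.http.*;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
import java.security.interfaces.RSAPrivateKey;
import java.util.*;

public class OktaServiceAppClient {
    private final String orgUrl;     // e.g. "https://dev-123456.okta.com" (placeholder)
    private final String clientId;   // client ID of the OAuth service app (placeholder)
    private final String keyId;      // "kid" of the public key registered on that app (placeholder)
    private final RSAPrivateKey key; // matching private key, loaded from a secret store, never from source
    private final RestTemplate rest = new RestTemplate();

    public OktaServiceAppClient(String orgUrl, String clientId, String keyId, RSAPrivateKey key) {
        this.orgUrl = orgUrl; this.clientId = clientId; this.keyId = keyId; this.key = key;
    }
    // private_key_jwt client assertion: short-lived, single-use (jti), audience-bound to the token endpoint
    String clientAssertion() throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(clientId).subject(clientId).audience(orgUrl + "/oauth2/v1/token")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .jwtID(UUID.randomUUID().toString()).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(keyId).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }
    // client_credentials grant: request only the scopes the call needs (least privilege)
    String accessToken(String scopes) throws Exception {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        form.add("scope", scopes);
        form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        form.add("client_assertion", clientAssertion());
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        Map<?, ?> body = rest.postForObject(orgUrl + "/oauth2/v1/token", new HttpEntity<>(form, h), Map.class);
        return (String) body.get("access_token");
    }
    // the call from the question: GET /api/v1/users with the bearer token (creating users needs okta.users.manage)
    public String listUsers() throws Exception {
        HttpHeaders h = new HttpHeaders();
        h.setBearerAuth(accessToken("okta.users.read"));
        return rest.exchange(orgUrl + "/api/v1/users", HttpMethod.GET, new HttpEntity<>(h), String.class).getBody();
    }
}
```

The access token is scoped and short-lived, so nothing long-lived like an API token or the private key itself ever leaves the service; in a shared tenant, grant the service app only the management scopes its registration flow actually uses.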

Thank you so much. I was able to execute a stand-alone Maven project which has only the dependencies below and was able to connect to an Okta application and get a list of users.

<artifactId>okta-sdk-api</artifactId>
<artifactId>okta-sdk-impl</artifactId>
<artifactId>okta-sdk-httpclient</artifactId>

When I try to include these dependencies in my existing project I get the error below.

Caused by: java.lang.SecurityException: class "org.bouncycastle.openssl.PEMException"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:898) ~[?:1.8.0_121]
at java.lang.ClassLoader.preDefineClass(ClassLoader.java:668) ~[?:1.8.0_121]
at java.lang.ClassLoader.defineClass(ClassLoader.java:761) ~[?:1.8.0_121]
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) ~[?:1.8.0_121]
at java.net.URLClassLoader.defineClass(URLClassLoader.java:467) ~[?:1.8.0_121]
at java.net.URLClassLoader.access$100(URLClassLoader.java:73) ~[?:1.8.0_121]
at java.net.URLClassLoader$1.run(URLClassLoader.java:368) ~[?:1.8.0_121]
at java.net.URLClassLoader$1.run(URLClassLoader.java:362) ~[?:1.8.0_121]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at java.net.URLClassLoader.findClass(URLClassLoader.java:361) ~[?:1.8.0_121]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_121]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331) ~[?:1.8.0_121]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_121]
at org.bouncycastle.openssl.PEMParser.<init>(Unknown Source) ~[bcpkix-jdk15on-1.70.jar:1.70.00.0]

What does this error mean?

I even excluded bcpkix-jdk15on from two dependencies spring-cloud-starter-config and spring-cloud-starter-bus-amqp.