Okta as SSO for Drupal and iOS

We have a drupal site with a member base and content nodes created by that member base. We have a working iOS app that currently connects to the drupal site using oauth2 and drupal’s REST api.

But, we’re attempting to come up with a working proof of concept to support the idea of switching to Okta for SSO.

Thus far, we have:

  • Achieved a working authorization between the drupal site and an okta app that successfully logs in a member on the drupal site through a web browser. This is using the openid_connect module.

  • We also have achieved an authorization with Okta SSO within the iOS app.

Here’s where we are stuck understanding what’s needed next…
The iOS app needs to use the Okta SSO to authenticate users who can then hit our Drupal REST API endpoints with a valid token that Drupal understands as authenticated. Currently there is a disconnect between iOS and Drupal using Okta SSO: they can each authenticate, but they don’t know of each other’s authentications, so they can’t properly communicate between the iOS app and Drupal after an authentication takes place.

How do we get Drupal REST API to recognize the iOS app’s successful login, so our Drupal REST api endpoints can allow GET and POST requests from the iOS authenticated users?

In the Drupal REST API settings for each endpoint, there are only “OAuth2” and “Cookie” methods of authentication. Where is “Okta”?

Ok, so, I didn’t get any timely answers to this dilemma. Ended up figuring this out after banging my head on it all night. For anyone else who might come upon this post hoping for direction:

First, the Okta app that iOS connects to has to be SPA (single page app). Not “Native”. That was our first mistake.

I had to write a custom Authentication Service in drupal. The class implements AuthenticationProviderInterface (AuthenticationProviderInterface.php in the Drupal 8.8.x API docs).

In the applies() method, I check for a Bearer token to be passed in.
In the authenticate() method, I came up with a custom derivative of Aaron Parecki’s github introspect endpoint example here: oauth-exercise-php/api.php at main · oktadeveloper/oauth-exercise-php on GitHub

Then, in the drupal admin (after enabling my new Authentication Service Provider), I navigated to the REST api configurations and for the given endpoints, I chose my new custom service from the authentication methods.

Now, the iOS app can authenticate users through Okta SSO, and it can then use the access token from that login to connect to Drupal’s REST endpoints where Drupal can verify that the token is in fact valid, before returning data from Drupal to iOS. Exactly what we needed.

Hope that helps others who may be trying to figure out something similar.
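An added example of the authentication provider described in the answer above; this is illustrative code written for this page, not the poster’s module and not part of Drupal, the openid_connect module or Aaron Parecki’s repository. The module name `okta_bearer_auth`, the class name, the service id, the `ISSUER`, `CLIENT_ID` and `CLIENT_SECRET` constants and the expected `aud` value are all assumptions; the introspection URL follows the Okta pattern `{issuer}/v1/introspect`, and the claims it checks (`active`, `iss`, `aud`, `username`) are those defined by RFC 7662 plus Okta’s `username` claim. `applies()` only claims requests that carry an RFC 6750 Bearer token; `authenticate()` introspects the token with Okta and maps the resulting user to an active Drupal account by e-mail.

```php
<?php

namespace Drupal\okta_bearer_auth\Authentication\Provider;

use Drupal\Core\Authentication\AuthenticationProviderInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use GuzzleHttp\ClientInterface;
use GuzzleHttp\Exception\GuzzleException;
use Symfony\Component\HttpFoundation\Request;

/**
 * Authenticates REST requests by introspecting an Okta access token.
 *
 * Register it in the module's okta_bearer_auth.services.yml (service id and
 * module name are assumptions for this example):
 *
 *   services:
 *     okta_bearer_auth.authentication.okta_bearer:
 *       class: Drupal\okta_bearer_auth\Authentication\Provider\OktaBearerAuth
 *       arguments: ['@http_client', '@entity_type.manager']
 *       tags:
 *         - { name: authentication_provider, provider_id: okta_bearer, priority: 100 }
 *
 * The provider_id ("okta_bearer") is what shows up as a selectable
 * authentication method in the REST resource configuration.
 */
class OktaBearerAuth implements AuthenticationProviderInterface {

  // Placeholder values; a real module reads these from its configuration.
  const ISSUER = 'https://EXAMPLE.okta.com/oauth2/default';
  const CLIENT_ID = 'OKTA_CLIENT_ID_PLACEHOLDER';
  // Leave empty for a public (SPA) client; then only client_id is sent.
  const CLIENT_SECRET = '';
  // The audience Okta puts into tokens minted for this API (assumed value).
  const EXPECTED_AUD = 'api://default';

  protected $httpClient;
  protected $entityTypeManager;

  public function __construct(ClientInterface $http_client, EntityTypeManagerInterface $entity_type_manager) {
    $this->httpClient = $http_client;
    $this->entityTypeManager = $entity_type_manager;
  }

  /**
   * Claims the request only when an "Authorization: Bearer <token>" header is present.
   */
  public function applies(Request $request) {
    return $this->extractToken($request) !== NULL;
  }

  /**
   * Returns the Drupal account for a valid Okta token, or NULL to deny.
   */
  public function authenticate(Request $request) {
    $token = $this->extractToken($request);
    if ($token === NULL) {
      return NULL;
    }
    $info = $this->introspect($token);

    // RFC 7662: anything other than an explicit active=true is a rejection.
    if (empty($info['active']) || $info['active'] !== TRUE) {
      return NULL;
    }
    // Accept only tokens issued by our authorization server for our API.
    if (($info['iss'] ?? NULL) !== static::ISSUER) {
      return NULL;
    }
    $aud = (array) ($info['aud'] ?? []);
    if (!in_array(static::EXPECTED_AUD, $aud, TRUE)) {
      return NULL;
    }
    // Map the Okta user to a Drupal account by e-mail (Okta's "username"
    // claim). The real module may instead use the openid_connect authmap.
    $email = $info['username'] ?? NULL;
    if (!$email) {
      return NULL;
    }
    $accounts = $this->entityTypeManager->getStorage('user')
      ->loadByProperties(['mail' => $email, 'status' => 1]);
    $account = reset($accounts);
    return $account instanceof AccountInterface ? $account : NULL;
  }

  /**
   * Extracts the bearer token from the Authorization header, or NULL.
   */
  protected function extractToken(Request $request) {
    $header = (string) $request->headers->get('Authorization', '');
    return preg_match('/^Bearer\s+(\S+)$/i', $header, $m) ? $m[1] : NULL;
  }

  /**
   * Calls Okta's introspection endpoint; any failure is treated as inactive.
   */
  protected function introspect($token) {
    $options = [
      'form_params' => ['token' => $token, 'token_type_hint' => 'access_token'],
      'headers' => ['Accept' => 'application/json'],
      'timeout' => 5,
    ];
    if (static::CLIENT_SECRET !== '') {
      $options['auth'] = [static::CLIENT_ID, static::CLIENT_SECRET];
    }
    else {
      $options['form_params']['client_id'] = static::CLIENT_ID;
    }
    try {
      $response = $this->httpClient->request('POST', static::ISSUER . '/v1/introspect', $options);
    }
    catch (GuzzleException $e) {
      return ['active' => FALSE];
    }
    $data = json_decode((string) $response->getBody(), TRUE);
    return is_array($data) ? $data : ['active' => FALSE];
  }

}
```

Two points worth keeping in mind with a provider like this. The `iss` and `aud` checks are what stop a token minted for some other Okta application (or a different authorization server in the same org) from being accepted by the Drupal API, so they should not be dropped even though introspection alone already reports `active`. And since every REST request triggers a network call to Okta, a production version would cache the introspection result keyed by a hash of the token until the token’s `exp`, which also limits the damage a slow or unavailable introspection endpoint can do to the API.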
