Questions regarding Okta inline-hooks

Before getting into the details, I’ll mention that I know Okta only as an end-user, and I have no experience with Okta development.
The use-case I’m trying to solve is adding a boolean decision (yes/no) for a user, whether s/he can or cannot grant access to an Okta-authenticated application.
The info regarding the boolean decision should come from an external DB.
I reviewed all the relevant documentation about Okta inline-hooks, and I’m still left with some questions that I’ll appreciate getting answers:

  1. What is the relevant inline hook that I should use for the use-case described earlier? I guess that its SAML-hook or Token-hook, but I’m not sure which one exactly.

  2. When generating the JSON payload of the response, what is the relevant command that I should use that suites my use-case?

  3. I’ve encountered the following github account, belong to one of Okta’s support engineers: https://github.com/dragosgaftoneanu-okta/okta-inline-hooks, and I have the following questions about it as well:
    (a) How/where should I use such code examples? Should they be used in my external service that responds to the hook POST requests?
    (b) In the requirements of any of the 4 inline hooks, there are some features that should be enabled in the Okta account (e.g. “CALLBACKS”). This isn’t mentioned in the inline-hooks documentation. What do these features mean? Do they enable the inline-hooks on the Okta account?

  4. And finally, is there any step-by-step beginners guide that I missed?

Thanks

Hi @akaduri75

For now, we do not have unfortunately an inline hook which would support your use-case - restricting access to applications. Currently, the SAML assertion inline hook allows SAML attributes modification before the assertion is generated, while the token inline hook is the equivalent for JWT tokens issued by Okta.

Regarding the examples from GitHub, an inline hook will work as follows:

  • if user achieves the use-case of the inline hook (accesses SAML application, requests an authorization for an OIDC application, registers through Self Service Registration option, imports users from a profile master), Okta will send a request to an external server hosted on your end and wait for a response
  • your server will answer with the specific commands for the inline hook
  • Okta reads the response, interprets it and takes actions based on it

Saying this, the examples provided in the GitHub repository can be hosted on any public resolvable domain, so that Okta can access them through the backend and read the commands.

The features mentioned in the README files need to be activated by Okta Support for your Okta tenant in order for the hook to be successfully used.

If you have any further questions, please let me know.

Thanks for the info.

  1. Do you know by any chance what is the relevant command that I should use in the SAML inline-hook response, in order to actually block the user eventually from accessing the app?
    (AFAIU, this will satisfy my use-case).
  2. Any plans to provide the github inline-hooks example in Python, rather than in PHP?

Hi @akaduri75

  1. At the moment, we do not have a command to block the user, only to add or modify claims inside SAML assertions or JWT tokens.
  2. This sounds good. I will look into it and publish the repository in the future.
1 Like

Thanks for the detailed answer.
After testing the Registration inline-hook, the function getUser() in https://github.com/dragosgaftoneanu/okta-inline-hooks/blob/master/registration-inline-hook/index.php should be changed to:
public function getUser()
{
return $this->request[‘data’][‘userProfile’];
}

I customize the REgistration page. Added some more fields to get info from user. Using inline Hook TRying to verify the entered info with my DB. I have .Net Rest Api. In order to call my REst API, Do I need to use use some authorization process. I tried to follow the asp.net Startup.cs and trying to call my api using post man but getting "Authorization has been denied "

Pl guide to correct route.

Hi @hmistry

What is the payload that you are sending as a response to Okta when this error occurs? Usually, the Authorization has been denied occurs when Okta could not process the commands sent by the web server.

it’s returning true/false.

Hi @hmistry

The response should look something similar to https://developer.okta.com/docs/reference/registration-hook/#sample-json-payload-of-response.

I will try to parse my string to this format. Do I have to force authorization on my custom rest api?

Hi @hmistry

It would be good to have an authentication mechanism to check the Authorization header received in the request, so that there will not be any potential leaks from the web server.

I am trying to follow secure endpoint url article but it’s not working for me.

I m able to register user using HTTPPost . Now I am trying to get Okta authorization from REst Api. Not able to get this . Any idea?