Questions regarding Okta inline-hooks

Before getting into the details, I’ll mention that I know Okta only as an end-user, and I have no experience with Okta development.
The use-case I’m trying to solve is adding a boolean decision (yes/no) for a user, whether s/he can or cannot grant access to an Okta-authenticated application.
The info regarding the boolean decision should come from an external DB.
I reviewed all the relevant documentation about Okta inline-hooks, and I’m still left with some questions that I’ll appreciate getting answers:

  1. What is the relevant inline hook that I should use for the use-case described earlier? I guess that its SAML-hook or Token-hook, but I’m not sure which one exactly.

  2. When generating the JSON payload of the response, what is the relevant command that I should use that suites my use-case?

  3. I’ve encountered the following github account, belong to one of Okta’s support engineers: https://github.com/dragosgaftoneanu-okta/okta-inline-hooks, and I have the following questions about it as well:
    (a) How/where should I use such code examples? Should they be used in my external service that responds to the hook POST requests?
    (b) In the requirements of any of the 4 inline hooks, there are some features that should be enabled in the Okta account (e.g. “CALLBACKS”). This isn’t mentioned in the inline-hooks documentation. What do these features mean? Do they enable the inline-hooks on the Okta account?

  4. And finally, is there any step-by-step beginners guide that I missed?

Thanks

Hi @akaduri75

For now, we do not have unfortunately an inline hook which would support your use-case - restricting access to applications. Currently, the SAML assertion inline hook allows SAML attributes modification before the assertion is generated, while the token inline hook is the equivalent for JWT tokens issued by Okta.

Regarding the examples from GitHub, an inline hook will work as follows:

  • if user achieves the use-case of the inline hook (accesses SAML application, requests an authorization for an OIDC application, registers through Self Service Registration option, imports users from a profile master), Okta will send a request to an external server hosted on your end and wait for a response
  • your server will answer with the specific commands for the inline hook
  • Okta reads the response, interprets it and takes actions based on it

Saying this, the examples provided in the GitHub repository can be hosted on any public resolvable domain, so that Okta can access them through the backend and read the commands.

The features mentioned in the README files need to be activated by Okta Support for your Okta tenant in order for the hook to be successfully used.

If you have any further questions, please let me know.

Thanks for the info.

  1. Do you know by any chance what is the relevant command that I should use in the SAML inline-hook response, in order to actually block the user eventually from accessing the app?
    (AFAIU, this will satisfy my use-case).
  2. Any plans to provide the github inline-hooks example in Python, rather than in PHP?

Hi @akaduri75

  1. At the moment, we do not have a command to block the user, only to add or modify claims inside SAML assertions or JWT tokens.
  2. This sounds good. I will look into it and publish the repository in the future.
1 Like

Thanks for the detailed answer.
After testing the Registration inline-hook, the function getUser() in https://github.com/dragosgaftoneanu/okta-inline-hooks/blob/master/registration-inline-hook/index.php should be changed to:
public function getUser()
{
return $this->request[‘data’][‘userProfile’];
}