OKTA and API Gateway Config

1. Subscribe to Okta and configure an OAuth2 client in Okta.
   - Create the application in Okta
     - Create the Client ID
     - Create the Client Secret (store it in a secrets manager; it is the only credential the API consumer will hold)
   - Configure the API (authorization server)
     - Create the Audience (this value must appear in the token's aud claim and is configured again on the API Gateway authorizer)
     - Create the Scopes (one per permission the API exposes, for example pets.read and pets.write)
     - Generate an OAuth token to confirm the client can obtain one
   - Get the token_endpoint from the authorization server's discovery document ({issuer}/.well-known/openid-configuration)
   - Using the token_endpoint, request an access_token (for a machine-to-machine client this is the client_credentials grant, authenticating with the Client ID and Client Secret)

2. Deploy a sample API Gateway HTTP API with a test endpoint
   - Log in to the AWS console and open API Gateway
   - Create API
     - Choose the HTTP API option and click Build
     - Enter the API name, click "Review and create", then click Create
     - Under Develop in the left menu, select Routes
   - Click Create
   - Select the method (GET, PUT, etc.)
     - Enter the path (for example /users or /pet/{id})
     - The route is created
   - Select the created route
     - Click Attach authorizer
       - If an authorizer already exists, select it from the list
       - If none exists, choose Create and attach an authorizer
         - Authorizer type: JWT
         - Enter the authorizer name and details (issuer URL, audience) and save. The issuer must match the token's iss claim exactly (for Okta, https://{yourOktaDomain}/oauth2/{authServerId}); API Gateway uses it to fetch the signing keys and rejects tokens whose iss or aud do not match. Authorization scopes are set per route: a token must carry at least one of the route's scopes, otherwise the request is rejected with 403
   - Select Integrations
     - Create an integration and attach it to this route
       - Integration type: HTTP URI
       - Integration details: method type, API URL, timeout
     - If a stage exists, deploy to it; otherwise create a stage
   - Under Protect, select Throttling
     - Enter throttling settings as needed (route throttling, account-level throttling)
   - Configure metrics and logging as needed
   - Click Deploy and select the stage to deploy to
   - API caching: HTTP APIs do not support API caching. The cache settings (Optimize > Cache settings, and Stages > Settings > Enable API cache) exist only for REST APIs, so skip this step for an HTTP API
   - API Gateway is now ready for the Okta integration based on the OAuth token: a request without a valid bearer token receives 401, and a valid token that lacks a required route scope receives 403
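As an added example (not code from the original post or from Okta/AWS), the following Python models the two pieces of steps 1 and 2 that are easiest to get wrong: the client_credentials request a consumer sends to the Okta token_endpoint, and the claim checks an HTTP API JWT authorizer applies after it has verified the signature. The Okta tenant, audience, scope names and token contents are all constructed for the demo; signature verification is deliberately left out because API Gateway performs it against the issuer's JWKS before any of these checks run.

```python
import base64
import json
import time
from urllib.parse import urlencode

# ---- Step 1: the client_credentials request an API consumer sends to Okta ----

def build_token_request(token_endpoint, client_id, client_secret, scopes):
    """Return (url, headers, body) for an OAuth2 client_credentials grant.

    Okta authenticates the client with HTTP Basic (client_id:client_secret) and
    takes the requested scopes space-separated in the form body. Nothing is sent
    here; the caller POSTs it (urllib.request, requests, curl ...).
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return token_endpoint, headers, body


# ---- Step 2: the claim checks an HTTP API JWT authorizer applies ----

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWS WITHOUT verifying it.
    API Gateway verifies the signature against the issuer's JWKS first;
    this function only models what happens after that succeeds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims, issuer, audiences, route_scopes=(), now=None):
    """Mirror the documented JWT authorizer rules and return (allowed, reason).

    iss must equal the configured issuer; aud (or client_id when aud is absent)
    must match one configured audience; exp/nbf are enforced; and if the route
    has authorization scopes, the token must carry at least one of them.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud", claims.get("client_id"))
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_set & set(audiences):
        return False, "audience mismatch"
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "token not yet valid"
    if route_scopes:
        raw = claims.get("scope", claims.get("scp", []))   # Okta puts scopes in "scp"
        granted = set(raw.split()) if isinstance(raw, str) else set(raw)
        if not granted & set(route_scopes):
            return False, "missing required scope"        # 403 at the gateway
    return True, "ok"


# ---- Constructed sample data (hypothetical Okta tenant, audience and scopes) ----

ISSUER = "https://dev-123456.okta.com/oauth2/default"  # hypothetical authorization server
AUDIENCE = "api://petstore"                            # hypothetical audience from step 1
NOW = 1_700_000_000                                    # fixed clock so results are stable


def _unsigned_token(payload):
    """Build an UNSIGNED test token (alg=none) purely for this demo. Real Okta
    tokens are RS256 signed; never accept alg=none at any real verifier."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."


def demo():
    """Run one valid token and three common rejections through the checks."""
    good = {"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 3600, "scp": ["pets.read"]}
    cases = {
        "valid":     (good, ["pets.read"]),
        "wrong_aud": ({**good, "aud": "api://other"}, ["pets.read"]),
        "expired":   ({**good, "exp": NOW - 1}, ["pets.read"]),
        "no_scope":  (good, ["pets.write"]),   # valid token, route wants another scope
    }
    return {name: authorize(jwt_claims(_unsigned_token(p)), ISSUER, [AUDIENCE], scopes, now=NOW)
            for name, (p, scopes) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
    print(build_token_request(ISSUER + "/v1/token", "0oaExampleClientId", "example-secret", ["pets.read"]))
```

The "no_scope" case is the one worth testing against a real deployment: the token is perfectly valid for the API, but the route's authorization scopes do not overlap with its scp claim, so the gateway answers 403 rather than 401. If a route unexpectedly accepts every token, check whether its scopes were left empty, because an empty scope list disables the scope check entirely.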
- WAF deployed on API Gateway
- AWS WAF web ACLs can be associated only with REST API stages (HTTP APIs are not a supported WAF resource), so this section uses a REST API
- Select REST API and click Build
- Enter the settings (API name and related details) and create the API
- Under the API, in the middle section (Resources), select Actions and create a method (choose GET, PUT, etc.), then click the tick mark
- Under the method (for example GET), define the integration type and integration details and save
- Deploy the API, creating a new stage or using an existing one
- The middle section lists the stages; the right section shows the stage editor
- Select Settings in the editor, enable API cache if needed, apply a client certificate if one exists, and select an existing web ACL or create a new one
- Clicking the web ACL link opens the AWS WAF console
- Enter the details and select Resource type: Regional resources, then select the region
- Select Associate AWS resources
- In the window that opens, select API Gateway as the resource type
- Select the API Gateway stage that WAF should protect and click Add
- Click Next
- Create new rules or add existing rules and managed rule groups to this web ACL
- Select the default web ACL action (Allow or Block). Allow with explicit Block rules is the usual starting point; Block by default turns the web ACL into an allow-list, so every legitimate client must then be matched by an Allow rule
- Add a token domain list if any rule uses the CAPTCHA or Challenge action
- Click Next
- Set rule priorities as needed (rules are evaluated in priority order, lowest number first, and the first matching rule with a terminating action of Allow or Block decides the request; Count is non-terminating)
- Add CloudWatch metrics and click Next
- Review the web ACL details and select Create web ACL
- Other regional resources (for example Application Load Balancers) can be protected the same way, but not Network Load Balancers (web ACLs do not apply to NLBs)
- Go to API Gateway and select the API that needs WAF protection
- Select the stage, then Settings
- Select the web ACL from the list and save
- Requests to this stage now pass through WAF before reaching the API; other stages of the same API are not covered until a web ACL is attached to them as well
- WAF is now deployed on API Gateway for the APIs that need protection