# OpenID Connect

Identity providers streamline the process of maintaining verified access to multiple applications. The end user only needs to authenticate with the identity provider. Subsequently, the end user can access multiple applications and services without needing to remember additional sets of credentials. For example, the identity provider will issue JWT tokens that allow the end user to make authenticated requests with Workato API platform.

API platform integrates fully with your IDP using the OpenID Connect specification to manage cross-domain authentication.

Figure: Identity provider issues a JWT to the end user, who uses it to obtain verified access to Workato API platform.

# Access profile token claim

When Workato receives an incoming request, it checks the JWT for a valid access profile token. This is how Workato determines that the request is coming from a valid access profile. If no valid token value is found, the API request returns a 401 Unauthorized error.

This token can be included in the JWT in a number of ways, including any of the default claims described in Supported claims. In some cases, these claims may be required for other purposes. If so, you may provide a Custom claim for access profile token to pass this token.

# How to configure access profile

The Workato claim works with most identity providers, including ADFS, OneLogin, and Okta. Let's go through an example using Okta.

There are three stages:

  1. Configure an Authorization server in Okta and obtain the discovery URL.
  2. Create an access profile in Workato API platform and obtain the token.
  3. Configure Authorization server to include access profile token.

# 1. Configure Authorization server

First, create an application in Okta and obtain the discovery URL.

| Step | Description |
|------|-------------|
| 1 | Go to Security > API. Then Add Authorization Server. (Screenshot: Create Okta API) |
| 2 | Define the name, audience, and provide a useful description. |
| 3 | When the authorization server is created, obtain the Discovery URL. You will need this in the next step. It should look like this: https://acme.okta.com/oauth2/aushqgufq8Ir4qSrw357/.well-known/openid-configuration |

# 2. Create Workato access profile

Next, configure an access profile in Workato and obtain the token.

| Step | Description |
|------|-------------|
| 1 | Go to API platform > Clients. Learn more about API clients here. (Screenshot: Open Workato API platform) |
| 2 | Create a new access profile for your client. Select OpenID Connect as the authentication method. (Screenshot: Choose OpenID Connect) |
| 3 | Paste the Discovery URL that you obtained in the earlier step. (Screenshot: Provide Discovery URL) |
| 4 | Apply advanced settings (optional) and click Save access profile. |
| 5 | Locate and copy the token of the access profile you have just created. (Screenshot: Copy token) |

# 3. Configure JWT claim

Lastly, configure the Okta authorization server to include the access profile token.

| Step | Description |
|------|-------------|
| 1 | Go back to the Authorization server in Okta and find the Claims tab. (Screenshot: Configure custom claim value) |
| 2 | Edit the claim that you chose for passing the access profile token. |
| 3 | Paste the access profile token here. Ensure that it is wrapped in single quotes. (Screenshot: Paste access profile token) |
| 4 | Setup is now complete. All tokens generated by this authorization server will now be accepted and validated by API platform. |

# Signing key rotation

IDPs often rotate signing keys to maintain a stronger security posture. Rotation is automatically reflected in the contents of the discovery URL (via the JWKS it points to). Workato internally updates the signing key and associated key IDs to ensure zero disruption to API traffic.
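The following is an added example, not Workato's or Okta's code, showing what a resource server has to do to accept these tokens: resolve the discovery URL to a JWKS, pick the signing key by `kid` and re-fetch the JWKS when a previously unseen `kid` appears after rotation (the "Signing key rotation" section), then validate `iss`, `aud` and `exp` and compare the access profile token carried in a claim, returning 401 when it is absent or wrong (the "Access profile token claim" section). Everything is constructed: the identity provider is an in-memory stand-in for the HTTPS fetches, the issuer, audience, claim name (`workato_access_profile`) and token values are placeholders, and the keys are symmetric `oct` JWKs verified with HS256 so the example runs with the standard library alone; Okta publishes RSA keys, so a real deployment would verify RS256 with a crypto library at the same point in the flow.

```python
"""Added example: discovery -> JWKS -> kid lookup -> claim check (constructed)."""
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- simulated identity provider (constructed stand-in for Okta) ------------
ISSUER = "https://idp.example.invalid/oauth2/example-server"      # placeholder
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
_IDP_KEYS = {"key-2022-old": b"old-secret-constructed-0000000000",
             "key-2022-new": b"new-secret-constructed-1111111111"}
_PUBLISHED = {"key-2022-old"}          # kids the JWKS currently lists

def http_get_json(url: str) -> dict:
    """Stand-in for an HTTPS GET; a real verifier would use urllib/requests."""
    if url == DISCOVERY_URL:
        return {"issuer": ISSUER, "jwks_uri": ISSUER + "/v1/keys"}
    if url == ISSUER + "/v1/keys":
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": k,
                          "k": b64url_encode(_IDP_KEYS[k])} for k in sorted(_PUBLISHED)]}
    raise LookupError(url)

def idp_issue_jwt(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT the way the IdP would (constructed helper)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(_IDP_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def rotate_idp_key():
    """Simulate rotation: the new key is published, the old one withdrawn."""
    _PUBLISHED.clear()
    _PUBLISHED.add("key-2022-new")

# --- resource-server side ---------------------------------------------------
class AccessProfileVerifier:
    """Caches the JWKS and re-fetches it when a token names an unknown kid."""
    def __init__(self, discovery_url, audience, profile_token, claim="workato_access_profile"):
        meta = http_get_json(discovery_url)
        self.issuer, self.jwks_uri = meta["issuer"], meta["jwks_uri"]
        self.audience, self.profile_token, self.claim = audience, profile_token, claim
        self.keys = {}
        self._refresh_keys()

    def _refresh_keys(self):
        self.keys = {k["kid"]: b64url_decode(k["k"])
                     for k in http_get_json(self.jwks_uri)["keys"] if k.get("kty") == "oct"}

    def _key_for(self, kid):
        if kid is None:
            return None
        if kid not in self.keys:       # rotation: discovery may now list a new kid
            self._refresh_keys()
        return self.keys.get(kid)

    def check(self, token: str, now=None):
        """Return (status, reason) as an API gateway would: 200 or 401."""
        now = time.time() if now is None else now
        try:
            h64, p64, s64 = token.split(".")
            header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        except ValueError:              # covers bad base64, bad JSON, wrong part count
            return 401, "malformed token"
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return 401, "malformed token"
        if header.get("alg") != "HS256":  # never trust the token's own alg choice
            return 401, "unexpected alg"
        key = self._key_for(header.get("kid"))
        if key is None:
            return 401, "unknown signing key"
        expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return 401, "bad signature"
        if payload.get("iss") != self.issuer:
            return 401, "issuer mismatch"
        aud = payload.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return 401, "audience mismatch"
        if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
            return 401, "token expired"
        value = payload.get(self.claim)
        if not isinstance(value, str) or not hmac.compare_digest(value.encode(), self.profile_token.encode()):
            return 401, "no valid access profile token"
        return 200, "ok"

def demo():
    """Walk the page's scenario: accept, survive key rotation, reject bad tokens."""
    profile_token = "ap-token-constructed-abc123"
    v = AccessProfileVerifier(DISCOVERY_URL, "api://workato-example", profile_token)
    base = {"iss": ISSUER, "aud": "api://workato-example", "sub": "alice",
            "exp": int(time.time()) + 300, "workato_access_profile": profile_token}
    results = [v.check(idp_issue_jwt("key-2022-old", base))[0]]              # 200
    rotate_idp_key()
    results.append(v.check(idp_issue_jwt("key-2022-new", base))[0])          # 200 after JWKS refresh
    results.append(v.check(idp_issue_jwt("key-2022-old", base))[0])          # 401, withdrawn key
    results.append(v.check(idp_issue_jwt("key-2022-new", {**base, "workato_access_profile": "wrong"}))[0])
    results.append(v.check(idp_issue_jwt("key-2022-new", {k: x for k, x in base.items() if k != "workato_access_profile"}))[0])
    results.append(v.check(idp_issue_jwt("key-2022-new", {**base, "exp": int(time.time()) - 1}))[0])
    return results                      # [200, 200, 401, 401, 401, 401]

if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping in a real implementation: the JWKS is re-fetched only when a token presents an unknown `kid`, which is what makes rotation seamless, but an attacker can force that fetch with arbitrary `kid` values, so rate-limit or cache the miss; and the access profile token is compared with `hmac.compare_digest` rather than `==`, because it is a bearer secret like any other.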

Last updated: 4/23/2022, 5:46:52 AM