Hate it or love it…
Overview: what is OKTA
OKTA is a third-party solution that handles user accounts, logins and authentication, and you can connect your own application to it seamlessly. There is a saying: never write your own authentication. That’s where OKTA comes into play.
Application Type
You can use OKTA to manage your organization’s members or to serve your customers’ end users. The flow is basically the same.
Basic Flow
Below is the basic flow for integrating your app with OKTA login. You create an app in OKTA and specify the redirect endpoint the user is sent to after they are authenticated.
Authenticators
OKTA provides all kinds of authenticators, listed below:
Authentication
How a user is authenticated is based on the Group and Policy settings in OKTA. It is rule-based authentication. For example:
- Rule 1: if you are in the Admin group, you can access the Admin console with the password authenticator + 2FA.
- Rule 2: else if you are in the employee group, you can access the user dashboard with the password authenticator.
- Rule 3: catch-all: you can access the user dashboard with the password authenticator.
Note that these rules have a priority order, so if a user is in both the Admin and employee groups, they will need password + 2FA to log in. And don’t forget the catch-all rule: any user that doesn’t fit any other rule lands there. OKTA forces every policy to have a catch-all rule.
Security
Okta provides normal password login, or the more secure multi-factor authentication (MFA) login. Because a password is a knowledge-based factor, you will need either a possession-based method or a biometric method alongside it to create an MFA policy.
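The rule evaluation described in the Authentication section and the factor rule from the Security section, as a small model added here as an example (it is not Okta’s code or API; the factor names, their categories and the three constructed rules are assumptions for illustration): rules are sorted by priority, the first match wins, a catch-all rule evaluated last is mandatory, and an "MFA" rule built from knowledge factors alone is rejected.

```python
from dataclasses import dataclass
from typing import Optional

# Factor categories as the post describes them: a password is knowledge-based,
# so a real MFA rule needs a possession-based or biometric factor next to it.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "email_magic_link": "possession",
    "totp": "possession",
    "webauthn_biometric": "biometric",
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    group: Optional[str]     # None marks the catch-all rule
    resource: str
    factors: tuple

def validate_factors(factors):
    """Reject 'MFA' built from knowledge factors alone (e.g. password + question)."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    if len(factors) > 1 and categories == {"knowledge"}:
        raise ValueError(f"{factors}: no possession or biometric factor")
    return True

def build_policy(rules):
    """Order rules by priority; the lowest-priority rule must be the catch-all."""
    ordered = sorted(rules, key=lambda r: r.priority)
    if ordered[-1].group is not None or any(r.group is None for r in ordered[:-1]):
        raise ValueError("policy needs exactly one catch-all rule, evaluated last")
    for rule in ordered:
        validate_factors(rule.factors)
    return ordered

def evaluate(policy, user_groups):
    """First matching rule wins: a user in both Admin and employee gets Rule 1."""
    for rule in policy:
        if rule.group is None or rule.group in user_groups:
            return rule.name, rule.resource, rule.factors

# Constructed policy mirroring the three rules from the post (deliberately unsorted).
POLICY = build_policy([
    Rule("Rule 3", 3, None, "user dashboard", ("password",)),
    Rule("Rule 1", 1, "Admin", "Admin console", ("password", "totp")),
    Rule("Rule 2", 2, "employee", "user dashboard", ("password",)),
])
```

Calling evaluate(POLICY, {"Admin", "employee"}) returns Rule 1 with password + totp, while a user in no known group falls through to Rule 3.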
Passwordless
Passwordless login has become more popular these days, as we have more and more passwords to remember. It would be nice if the password could go away and we could just use an email magic link or an SMS code to log in to our application. This also improves the user experience.
However, there are some restrictions when going passwordless with OKTA.
- You have to use Identity Engine; Classic Engine doesn’t support passwordless.
- You cannot use SMS to authenticate, only email magic link is allowed.
- If you want to configure MFA with passwordless, the second factor has to be a biometric method, which is not user-friendly.
Source Control
If you want to source-control all your configuration so it won’t get messed up when multiple developers are working on the same application, Terraform is your friend here.
It is a good tool for turning all the configuration mentioned above into backend config files. It compares the current state of the target application with the code config you have in your backend, which makes it a good way to make sure everything is set up as we want.
For example, running terraform apply will list out all the differences you have and ask whether you want to apply your local changes to the remote:

    yoshie$ terraform apply
    ...
    # okta_policy_rule_mfa.all_users will be updated in-place
    ~ resource "okta_policy_rule_mfa" "all_users" {
        ~ enroll = "CHALLENGE" -> "LOGIN"
          id     = "0im5socre2aucIDTq4h2"
          name   = "Authenticator enrollment rule for all users"
          # (5 unchanged attributes hidden)
      }

    Plan: 0 to add, 2 to change, 0 to destroy.

    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.

      Enter a value:
Limitation
As mentioned above, OKTA still has some limitations, including the passwordless, MFA and Terraform support issues.
One issue I found is that when we configure passwordless with email and enter a wrong email to log in, it prompts the user for a password. That is super weird, as we went passwordless for the entire app! That’s a confusing one.
There are also some parts of the integration that you cannot customize. For example, I couldn’t seem to find a way to update the help link on the sign-in page, which is kind of annoying.
Conclusion
I’ve been working on OKTA integration for over 2 years. It’s not the best experience, but it definitely does what you need in a way that lets you control most of the behavior, so consider it when your org/app needs secure login/auth!