Okta authentication for BizDoc
```shell
dotnet add package BizDoc.Authentication.Okta
```
BizDoc supports Okta for both authentication and authorization, in one of two configurations: server flow or client flow.
Server flow redirects unauthorized users to the Okta sign-in page on the Okta domain and handles the redirect back. Client flow prompts unauthorized users for credentials in a hosted widget and negotiates with Okta in the background.
```shell
dotnet add package BizDoc.Core.Okta
```
The Okta sign-in redirect URI should match "/authorization-code/callback" in server mode, and have no path in client mode.
Create an API Token to allow BizDoc to retrieve user information.
For server flow, use AddOktaRedirect:
```csharp
AddBizDoc(o => {
    o.ApplicationUri = "https://app-domain";
})
.AddOktaServer(o => {
    o.ApiToken = "api-token";
    o.Domain = "domain-name";
    o.ClientId = "client-id";
    o.ClientSecret = "client-secret";
});
...
UseBizDoc()
.UseOktaServer();
```
For client mode, use AddOkta:
```csharp
AddBizDoc(...)
.AddOkta(o => {
    o.ApiToken = "api-token";
    o.Domain = "domain-name";
})
.UseIdentityProvider();
```
The UseIdentityProvider() method registers an identity provider that retrieves user information from Okta. To use a different provider while still authenticating via Okta, see Implementing Identity Provider.
```shell
npm i @bizdoc/okta
```
Add the Okta configuration to the Angular app.module:
```typescript
OktaModule.forRoot({
  domain: 'domain-name',
  clientId: 'client-id'
})
```
To map Okta user groups to BizDoc roles for authorization, add a new claim to the Okta Authorization Server with the following specifications.
| Property | Value |
|---|---|
| Name | bizdoc.roles |
| Include in token type | ID Token |
| Value type | Groups |
| Filter | Matches regex, .* |
| Include in | Any scope |
To mark administrators, add an attribute to either the application profile or all profiles and set its type to boolean. Then add a claim in the API server that maps to the profile attribute you created.
| Property | Value |
|---|---|
| Name | bizdoc.admin |
| Include in token type | ID Token |
| Value type | Expression |
| Value | user.{attr-name-here} |
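As an added example (not BizDoc's own code), a C# helper that consumes the two claims configured above on the server, after the Okta middleware has already validated the ID token. The class, method and group names are assumptions; the sample claims are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

// Hypothetical helper: reads bizdoc.roles and bizdoc.admin from an already-validated principal.
public static class OktaClaimMapper
{
    public const string RolesClaim = "bizdoc.roles";
    public const string AdminClaim = "bizdoc.admin";

    public static (IReadOnlyList<string> Roles, bool IsAdmin) Map(ClaimsPrincipal principal)
    {
        var roles = new List<string>();
        foreach (var claim in principal.FindAll(RolesClaim))
        {
            // A Groups-type claim is a JSON array. The JWT handler normally splits it into
            // one claim per group, but a raw array string may also appear; accept both forms.
            if (claim.Value.StartsWith("[", StringComparison.Ordinal))
                roles.AddRange(JsonSerializer.Deserialize<string[]>(claim.Value) ?? Array.Empty<string>());
            else
                roles.Add(claim.Value);
        }

        // The Expression claim over a boolean profile attribute yields "true"/"false";
        // an unset attribute yields no claim at all. Only a literal true grants admin (fail closed).
        var adminValue = principal.FindFirst(AdminClaim)?.Value;
        var isAdmin = bool.TryParse(adminValue, out var parsed) && parsed;

        var distinct = roles.Where(r => !string.IsNullOrWhiteSpace(r))
                            .Distinct(StringComparer.Ordinal)
                            .ToList();
        return (distinct, isAdmin);
    }

    public static void Main()
    {
        // Constructed sample claims, as they would appear after token validation.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(RolesClaim, "Everyone"),
            new Claim(RolesClaim, "Finance"),
            new Claim(AdminClaim, "false"),
        }, "Okta");
        var (roles, isAdmin) = Map(new ClaimsPrincipal(identity));
        Console.WriteLine($"roles={string.Join(",", roles)} admin={isAdmin}");
    }
}
```

Because the filter above is `.*`, every group the user belongs to (including Okta's built-in Everyone group) arrives in bizdoc.roles, so BizDoc role names should be matched exactly rather than by prefix.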
- Groups.
- Roles.
- Staff Performance: current user is the manager, or a sibling under the same manager.
- Staff Pending: current user is the manager.
- Groups Performance: selected groups, or the current user's groups.
- Departments Performance: user profile Department.
- Divisions Performance: user profile Division.
- Cost Centers Performance: user profile CostCenter.
- Organizations Performance: user profile Organization.
Implicit user attributes for analysis axes.
| Name | Usage |
|---|---|
| CostCenter | |
| Department | |
| Division | |
| Organization | |
| EmployeeNumber | |
| Owner Additional Property | PropertyName required. |
A type must be set for each attribute in the Architecture tool so that the analysis can map it to an axis.
User attributes available within rule expressions.
| Name | Usage |
|---|---|
| CostCenter | |
| Department | |
| Division | |
| Organization | |
| User Additional Property | PropertyName required. |
| Owner Additional Property | PropertyName required. |
Manager.
GroupRule.