Configure Okta to use JWT

JWT with Okta

SnapLogic public APIs support JWT authentication. You can use Okta as your Identity Provider (IdP) as long as:

  1. The JWT is correctly signed and verifiable via a JWKS endpoint.
  2. The token contains the required claims (fields inside the JWT).

Here is an example that shows a generated token body with the required claims:

{
  "iat": 1746477764,
  "exp": 1746481364,
  "sub": "[email protected]",
  "aud": "https://elastic.snaplogic.com/api/1/rest/public",
  "iss": "6255cabfb089cfac8f490573",
  "org": "MyEnvironment"
}

  • iat: Issued-at time (Unix timestamp).
  • exp: Expiration time.
  • sub: The SnapLogic username (user identity).
  • aud: The SnapLogic public API base URL (varies by POD – US, EMEA, UAT, etc.).
  • iss: Issuer ID (configured in SnapLogic).
  • org: SnapLogic org/environment name.

Note: The iat and exp values in this example are illustrative only. When generating a real JWT, set iat to the current time and exp to an appropriate expiration time based on your security requirements.

Prerequisites

Before configuring Okta for JWT authentication with SnapLogic, ensure the following:

  • You have completed the JWT configuration in SnapLogic. Refer to JWT configuration.
  • You have administrative access to your Okta Admin console.
  • An active user account exists within your organization's identity management system.
  • The user account has appropriate permissions to access the API resources.
  • Your organization has OAuth or OpenID Connect (OIDC) capabilities enabled.
Important: If your organization has already configured JWT authentication applications in Okta, you may not need to create new ones.

Custom claims

SnapLogic supports custom claims for scenarios where standard claims cannot be modified in your IdP:

  • snaplogic_org: Use this if there is a conflict adding the org claim.
  • snaplogic_username: Use this if the sub claim cannot be set to the SnapLogic username.
  • snaplogic_aud: Use this if the aud claim cannot be modified to match the SnapLogic public API URL.

Okta configuration

Access the Okta Admin console

The Okta Admin console manages JWT authentication settings. Follow these steps to access and navigate the console:

  1. Navigate to your organization's Okta Admin console URL in your web browser.
  2. Click the Sign in button on the login page.
  3. Enter your administrative credentials and click the Sign in button to proceed to the next authentication step.
  4. When prompted, enter the answer to your configured security question.
  5. Click the Verify button to complete the authentication process.

Create an OAuth application

  1. In the Okta Admin console, navigate to Applications > Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method.
  4. Select Web Application as the application type.
  5. Enter your app's details:
    • App integration name: Provide a descriptive name (e.g., "SnapLogic JWT Integration").
    • Grant types: Select Authorization Code.
    • Sign-in redirect URIs: Enter your callback URL (e.g., http://localhost:8000/callback for testing).
  6. Click Save.
  7. Note the Client ID and Client Secret from the application's settings page.

Configure Authorization Server

To add custom claims required by SnapLogic, create or configure a custom authorization server:

  1. In the Okta Admin console, navigate to Security > API.
  2. Under Authorization Servers, either use the default server or click Add Authorization Server to create a new one.
  3. If creating a new server:
    • Provide a name (e.g., "SnapLogic Auth Server").
    • Set the Audience to the SnapLogic public API URL: https://elastic.snaplogic.com/api/1/rest/public (adjust for your POD: US, EMEA, UAT, etc.).
  4. Click Save.

Configure custom claims

Add the required SnapLogic claims to your authorization server:

  1. In your authorization server, navigate to the Claims tab.
  2. Click Add Claim.
  3. Add the org (or snaplogic_org) claim:
    • Name: org or snaplogic_org
    • Include in token type: Select Access Token and ID Token
    • Value type: Expression
    • Value: Enter your SnapLogic environment name in quotes (e.g., "MyEnvironment")
    • Include in: Any scope
  4. If needed, add the snaplogic_username claim:
    • Name: snaplogic_username
    • Include in token type: Select Access Token and ID Token
    • Value type: Expression
    • Value: user.email or user.login (depending on which matches your SnapLogic username)
    • Include in: Any scope
  5. If aud cannot be modified, add the snaplogic_aud claim:
    • Name: snaplogic_aud
    • Include in token type: Select Access Token and ID Token
    • Value type: Expression
    • Value: "https://elastic.snaplogic.com/api/1/rest/public" (adjust for your POD)
    • Include in: Any scope
  6. Click Create for each claim.

Configure Access Policies and Scopes

  1. In your authorization server, navigate to the Access Policies tab.
  2. Create or modify a policy to allow access for your application.
  3. Add a rule that grants access to the required scopes (e.g., openid, profile, email).
  4. Ensure the rule applies to your client application.

Obtain JWKS endpoint and Issuer ID

Collect the following values from your Okta authorization server to configure in SnapLogic Admin Manager:

  1. Navigate to your authorization server's settings page.
  2. Copy the Issuer URL (e.g., https://your-domain.okta.com/oauth2/default).
  3. The JWKS endpoint URL is the issuer URL with /v1/keys appended (e.g., https://your-domain.okta.com/oauth2/default/v1/keys).

Use these values to configure JWT authentication in SnapLogic Admin Manager. Refer to JWT configuration for detailed steps.

Obtain the Authorization code

  1. In your Okta application settings, locate the authorization URL.
  2. Click the authorization URL link to initiate the OAuth flow.
  3. The system redirects you to an authorization page and generates a code in the URL.
  4. Copy the authorization code from the URL in your browser's address bar; the code appears as the value of the code= query parameter.

Test the JWT token

  1. Authentication: Send a POST request with the authorization code to the token endpoint to obtain a JWT:
    POST https://your-domain.okta.com/oauth2/default/v1/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    code=<authorization_code>&
    redirect_uri=<your_redirect_uri>&
    client_id=<your_client_id>&
    client_secret=<your_client_secret>
  2. The response includes an access_token and id_token. Use the id_token as your Bearer token.
  3. Verify the token contains all required claims:
    • iss, sub, aud, exp, iat
    • org (or snaplogic_org)
    • snaplogic_username (if sub doesn't match SnapLogic username)
    • snaplogic_aud (if aud doesn't match SnapLogic API URL)
  4. Use the JWT for subsequent requests:
    GET https://elastic.snaplogic.com/api/1/rest/public/...
    Authorization: Bearer <id_token>
  5. Test your endpoints by sending requests with the JWT in the Authorization header using a tool like Postman or curl.

Expected response: A successful response includes a 200 OK status code.
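The following Python script is an added example and is not code from the SnapLogic or Okta documentation. It covers two parts of the procedure above: it builds the authorization-code request from step 1 of "Test the JWT token", and it decodes the returned token's payload to run the claim checks from step 3 against the rules given under the token body example (org or snaplogic_org, snaplogic_aud as a fallback for aud, iat and exp sanity). The signature is deliberately not verified here, since SnapLogic verifies it against the Okta JWKS endpoint; this is a local pre-flight check before the token is sent as a Bearer token. The issuer URL, redirect URI, client credentials, the sub value and the sample token are constructed placeholders.

```python
"""Added example, not SnapLogic or Okta code: build the authorization-code
token request, decode the returned JWT payload, and check the claims the
SnapLogic public API expects before sending the token as a Bearer token.
The signature is not verified here; SnapLogic does that against the Okta
JWKS endpoint. Every endpoint, credential and sample token is a placeholder."""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Standard claims the page requires in every token.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def jwks_url(issuer: str) -> str:
    """The JWKS endpoint is the issuer URL with /v1/keys appended."""
    return issuer.rstrip("/") + "/v1/keys"


def build_token_request(issuer, code, redirect_uri, client_id, client_secret):
    """Return (url, headers, body) for the authorization_code exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return issuer.rstrip("/") + "/v1/token", headers, body


def exchange_code(issuer, code, redirect_uri, client_id, client_secret):
    """Perform the exchange over the network and return the JSON response."""
    url, headers, body = build_token_request(issuer, code, redirect_uri,
                                             client_id, client_secret)
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, expected_aud, expected_org, now=None):
    """List the ways the payload fails the page's rules; empty means OK."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {n}" for n in REQUIRED_CLAIMS if n not in claims]
    # org may be supplied as the custom snaplogic_org claim instead.
    org = claims.get("org", claims.get("snaplogic_org"))
    if org is None:
        problems.append("missing claim: org (or snaplogic_org)")
    elif org != expected_org:
        problems.append(f"org mismatch: {org!r}")
    # aud may be a string or a list; snaplogic_aud takes over when present.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if "snaplogic_aud" in claims:
        if claims["snaplogic_aud"] != expected_aud:
            problems.append("snaplogic_aud mismatch")
    elif aud is not None and expected_aud not in aud_list:
        problems.append("aud mismatch and no snaplogic_aud claim")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "iat" in claims and claims["iat"] > now + 60:
        problems.append("iat is in the future")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token with a placeholder signature segment. It only
    exercises the checks offline and would never pass JWKS verification."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "placeholder"}
    return ".".join([enc(header), enc(payload), "placeholder-signature"])


# Constructed sample based on the token body shown on the page.
SNAPLOGIC_AUD = "https://elastic.snaplogic.com/api/1/rest/public"
SAMPLE_PAYLOAD = {
    "iat": 1746477764,
    "exp": 1746481364,
    "sub": "jane.doe@example.com",
    "aud": SNAPLOGIC_AUD,
    "iss": "6255cabfb089cfac8f490573",
    "org": "MyEnvironment",
}

if __name__ == "__main__":
    claims = decode_claims(make_unsigned_token(SAMPLE_PAYLOAD))
    # Evaluated at a time between the sample iat and exp, so it passes: []
    print(check_claims(claims, SNAPLOGIC_AUD, "MyEnvironment", now=1746478000))
```

In practice you would call exchange_code() with the values noted from the Okta application, pass the id_token from the response through decode_claims() and check_claims(), and only then send it in the Authorization header. A non-empty problem list points at the Okta claim configuration rather than at SnapLogic, which makes it a useful first step when the API returns an authentication error.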

Troubleshooting

If JWT authentication fails, refer to JWT troubleshooting for common issues and solutions.