Base64 Header in Okta Access Gateway

Fabio Grasso
Solutions Engineer specializing in Identity & Access Management (IAM) and cybersecurity.

Use case

OAG (Okta Access Gateway) does not provide an out-of-the-box way to Base64-encode a header before it is sent to an internal application. However, legacy applications quite commonly expect Base64-encoded data (e.g. the username of the authenticated user). This guide takes advantage of the ability to edit the OAG nginx configuration to add a simple function that handles the Base64 encoding.

Instructions

To make this work, we need to create an “internal-only” application in OAG.

In this case, the Public Domain must be an internal-only address that is not exposed to the internet (e.g. testapp.domain.local).

Internal Application

Settings

  • Type: No-Auth
  • Name: TestApp - 1 Internal
  • Public Domain: https://testapp.domain.local/

Attributes - None

Policies

  • Policy Type: Not Protected
  • Advanced: copy the following custom code…

Custom Code

⚠️ Important: Start with these two lines to deny access from the internet. This host must be reachable only by the OAG itself (the proxied request arrives from 127.0.0.1, see the /etc/hosts step below).

allow 127.0.0.1;
deny all;

Sample code using the nginx set_encode_base64 directive for one field (e.g. Username) in the AUTHORIZATION header:

set_encode_base64 $authzHeader $http_oag_username;
proxy_set_header AUTHORIZATION $authzHeader;

Alternative code combining two fields (e.g. First Name + Last Name) in the AUTHORIZATION header:

# nginx exposes request headers as lower-case $http_* variables
# (header FirstName -> $http_firstname, LastName -> $http_lastname)
set $val "${http_firstname}${http_lastname}";
set_encode_base64 $authzHeader $val;
proxy_set_header AUTHORIZATION $authzHeader;

As you may have noticed, the snippets above use the set_encode_base64 directive. It is not part of core nginx: it is provided by the OpenResty set-misc module (set-misc-nginx-module).

OAG Configuration

  1. Open an SSH session

  2. Select 1 Network and then 3 Edit /etc/hosts

  3. Select a ([a]dd entry)

  4. Enter IP address: 127.0.0.1

  5. Enter Host(s): testapp.domain.local (the “Public Domain” of the internal application)

  6. Confirm by pressing c ([c]ommit changes)

  7. Press x (e[x]it)

  8. Press c again (commit changes to the system)

  9. Finally press x (exit)

Test the configuration

[TODO]

Lua alternative

ℹ️ Note: It is also possible to use Lua. In fact, OAG uses OpenResty (a distribution of nginx that bundles LuaJIT, a just-in-time compiler for Lua). However, for this simple use case the native nginx directives shown above are sufficient.

As a reference example, here is the Lua version for Base64 encoding:

Single field (username):

set_by_lua_block $authzHeader {
  -- OAG-injected header; fall back to an empty string when it is absent so
  -- ngx.encode_base64 is never called with nil (which would raise an error)
  local val = ngx.req.get_headers()['oag_username'] or ""
  return ngx.encode_base64(val)
}

proxy_set_header AUTHORIZATION $authzHeader;

Two fields joined (First Name + Last Name):

set_by_lua_block $authzHeader {
  -- header lookups are case-insensitive; missing headers become ""
  local headers = ngx.req.get_headers()
  local firstname = headers['FirstName'] or ""
  local lastname = headers['LastName'] or ""
  local val = firstname .. lastname
  return ngx.encode_base64(val)
}

proxy_set_header AUTHORIZATION $authzHeader;
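A hardened variant of the Lua approach above, added here as an example; it is not part of the original post or of OAG's own configuration. It generalizes the two-field case to any ordered list of OAG headers and treats a missing or duplicated header as an error instead of forwarding a guessed value. It assumes that OAG accepts access_by_lua_block in the custom-code section and that FirstName and LastName are the header names OAG injects, as in the post.

```nginx
# Added example (not from the original post). Assumptions: OAG allows
# access_by_lua_block in the custom code, and the OAG-injected header
# names are FirstName and LastName as in the post.
allow 127.0.0.1;
deny all;

set_by_lua_block $authzHeader {
    -- Header names to concatenate, in order (constructed for this example).
    local fields = { "FirstName", "LastName" }
    local headers = ngx.req.get_headers()
    local parts = {}
    for i, name in ipairs(fields) do
        local v = headers[name]
        -- A repeated header arrives as a Lua table and a missing one as nil;
        -- in both cases refuse to guess and mark the request as invalid.
        if type(v) ~= "string" or v == "" then
            ngx.log(ngx.WARN, "missing or repeated header: ", name)
            return ""
        end
        parts[i] = v
    end
    return ngx.encode_base64(table.concat(parts))
}

# Runs in the access phase, after set_by_lua: reject the request rather
# than forwarding an empty AUTHORIZATION header to the legacy application.
access_by_lua_block {
    if ngx.var.authzHeader == "" then
        return ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
}

proxy_set_header AUTHORIZATION $authzHeader;
```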
