Authentication

Overview

This section provides instructions on how to configure WorkflowGen delegated authentication with Okta. At the end of this section, you'll have a working WorkflowGen instance using Okta to authenticate your users.

If you don't need the GraphQL API, you won't need to create an authorization server. See the Configuring the authentication without the GraphQL API for instructions.

Prerequisites

Make sure to have a licensed copy of WorkflowGen installed and running on a server. You must be a WorkflowGen administrator.
Make sure to have an Okta administrator access to be able to configure it properly.
Make sure to have provisioned an existing Okta user that you can authenticate with to WorkflowGen and that the user has administrator privileges. This is important because once you've activated the delegation, you'll still need to be able to manage the application. (The Okta user is in fact a user of an identity provider that's linked to Okta, such GitHub or Google. You have to provision at least one of the users.)
AES encryption mode and its key are required for the authentication to work.

The WorkflowGen user's username must match their Okta user's username in order to identify and authenticate the correct user from Okta.
To test your configuration after the steps below, you can add an Okta user in the Okta portal's Users section.
When importing users into WorkflowGen from the Okta database, make sure to set the username as the email (e.g. john.doe@example.com).

Configuring the authentication with the GraphQL API

The configuration of Okta will be done in several steps. First, you have to configure an authorization server in the web interface; then, you have to add a regular web application.

The WorkflowGen GraphQL API (authorization server) configuration is required if you want to use the WorkflowGen Plus v2 mobile app.

Step 1: Create an authorization server

An Okta authorization server is a logic element that defines the security boundaries of your system when an application wants to access your resources via an API.

An authorization server defines your security boundary, and is used to mint access and identity tokens for use with OIDC clients and OAuth 2.0 service accounts when accessing your resources via API. Within each authorization server you can define your own OAuth scopes, claims, and access policies. Source: Information sidebar in Okta's administrative panel

You can find more information on authorization servers on the Okta developer website.

To create an authorization server with a classic usage:

Go to the Okta Developer portal and log in to your account.
In the left panel, choose API under the Security menu.
Click the Add Authorization Server button on the Authorization Servers tab.
Enter the following information:
- Name: WorkflowGen GraphQL API
- Audience: <workflowgen url>/graphql
- Description: WorkflowGen GraphQL API (or whatever description you want)
Click the Save button.

To create an authorization server with multi-audience support:

Go to the Okta Developer portal and log in to your account.
In the left panel, choose API under the Security menu.
Click the Add Authorization Server button on the Authorization Servers tab.
Enter the following information:
- Name: My APIs
- Audience: my-apis
- Description: Authorization server for all my APIs (or whatever description you want)
Click the Save button.

Step 2: Add the scope

For classic usage:

Go to the WorkflowGen GraphQL API authorization server's Scopes tab.
Click the Add Scope button.
Enter the following information:
- Name: default
- Display phrase: default
- Description: Use the default scope if no other scope is specified
- Default scope: Check Set as a default scope
Click the Create button.

For multi-audience support:

Go to the WorkflowGen GraphQL API authorization server's Scopes tab.
Click the Add Scope button.
Enter the following information:
- Name: wfgen-graphql-full-access
- Display phrase: wfgen-graphql-full-access
- Description: Full access to the WorkflowGen GraphQL API
Click the Create button.

You've now properly configured your Okta authorization server for the WorkflowGen GraphQL API.

Step 3: Add a claim

Go to the Claims section, then click the Add Claim button.
Enter the following information:
- Name: com.workflowgen.api.username
- Include in token type: Select Access Token
- Value Type: Select Expression
- Value: Enter the following Okta code:
  appuser.username != null ? appuser.username : appuser.email != null ? appuser.email : appuser.nickname != null ? appuser.nickname : null
- Include in: Select Any scope
✏️ Note: This step will ensure that WorkflowGen and the GraphQL API will always get a username through the same claim instead of having to make a lot of conditional statements.
Click the Create button.
Add a second claim with the same information, but this time, set the Include in token type property to ID Token.
Click the Create button.

Step 4: Add the server access policy

You now need to configure the authorization server access policy.

Go to the WorkflowGen GraphQL API authorization server's Access Policies tab.
Click the Add Policy button.
Enter the following information:
- Name: All Clients Policy
- Description: Enables all clients to have access to this application server›.
- Assign to: All clients
Click the Create Policy button.
Click the Add Rule button.
Enter the following information:
- Rule Name: All Grant Types; Any Scopes; Any User assigned
- Leave the other settings set to their defaults.
Click the Create Rule button.

You've now successfully configured the authorization server access policy. There's just one more step needed in order for the client credentials flow to work, which will enable you to use machine-to-machine authentication with Okta and the WorkflowGen GraphQL API.

Step 5: Create the WorkflowGen web application

Go to the Okta Developer portal.
In the Applications item under the Applications menu, click the Create App Integration button.
Select the following options in Create a new app integration, then click Next:
- Sign-in method: OIDC - OpenID Connect
- Application type: Web Application
Enter the following information:
- App integration name: WorkflowGen
- Grant type: Check Authorization Code
- Sign-in redirect URIs: <workflowgen url>/auth/callback
- Sign-out redirect URIs: <workflowgen url>/auth/logout/return
- Base URIs: <workflowgen url> without any path (just the base URL); for example, https://localhost, if <workflowgen url> is https://localhost/wfgen
- Controlled access: Check Allow everyone in your organization to access
- Leave the remaining properties set to their defaults.
Click the Save button.
On the General tab of your WorkflowGen web application page, click the Edit button in the General Settings section.
Enter the following information:
- Initiate login URI: <workflowgen url>/auth/callback
Click Save.

You've now successfully configured Okta for your WorkflowGen instance.

Review the registration

You should now have all the information you need to configure WorkflowGen to delegate the authentication to Okta. Here's a review:

A client ID and a client secret which can be found on the Okta WorkflowGen web application's General tab.
An audience and a metadata endpoint (Metadata URI) which can be found on the Okta WorkflowGen GraphQL API authorization server page.

WorkflowGen configuration

Now, you need to configure WorkflowGen to delegate its authentication to Okta.

Step 1: Add Okta values to the WorkflowGen `web.config`

Open the WorkflowGen web.config file and add/update the following properties:

Classic usage:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <!-- Okta auth -->
        <add key="ApplicationSecurityAuthProvider" value="okta"/>
        <add key="ApplicationSecurityAuthClientId" value="<CLIENT ID>" />
        <add key="ApplicationSecurityAuthClientSecret" value="<CLIENT SECRET>" />
        <add key="ApplicationSecurityAuthMetadataUrl" value="<METADATA URL>" />
        <add key="ApplicationSecurityAuthUsernameClaim" value="com.workflowgen.api.username" />
        <add key="ApplicationSecurityAuthAppIdClaim" value="sub" />
        <add key="ApplicationSecurityAuthClockTolerance" value="60" />
        <add key="ApplicationSecurityAuthSessionRefreshEnableIFrame" value="Y"/>
    </appSettings>
</configuration>

With multi-audience support:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <!-- Okta auth -->
        <add key="ApplicationSecurityAuthProvider" value="okta"/>
        <add key="ApplicationSecurityAuthClientId" value="<CLIENT ID>" />
        <add key="ApplicationSecurityAuthClientSecret" value="<CLIENT SECRET>" />
        <add key="ApplicationSecurityAuthMetadataUrl" value="<METADATA URL>" />
        <add key="ApplicationSecurityAuthUsernameClaim" value="com.workflowgen.api.username" />
        <add key="ApplicationSecurityAuthAppIdClaim" value="sub" />
        <add key="ApplicationSecurityAuthClockTolerance" value="60" />
        <add key="ApplicationSecurityAuthSessionRefreshEnableIFrame" value="Y"/>
        <add key="ApplicationSecurityAuthAudience" value="my-apis"/>
        <add key="ApplicationSecurityAuthAdditionalScopes" value="wfgen-graphql-full-access"/>
        <add key="ApplicationSecurityAuthGraphQLScope" value="wfgen-graphql-full-access"/>
    </appSettings>
</configuration>

Replace <CLIENT ID> with the client ID of the WorkflowGen web application from Okta.
Replace <CLIENT_SECRET> with the client secret of the WorkflowGen web application from Okta.
Replace <METADATA_URL> with the Metadata URI property found in the WorkflowGen GraphQL API's settings page. Then, replace the last part, /.well-known/oauth-authorization-server, with /.well-known/openid-configuration (e.g. https://{YOUR_OKTA_DOMAIN}/oauth2/{AUTH_SERVER_ID}/.well-known/openid-configuration).

You've probably noticed that the setting with the ApplicationSecurityAuthUsernameClaim key is set to the value entered in a rule earlier. Therefore, you could use any value here provided that you also modify the rule.

For information about available configuration options to use with your instance, see the Web and Application Configuration Parameters appendix.

WorkflowGen is now linked to Okta and back. The last thing left to do is configure a few more options in order to finish the internal wiring of WorkflowGen so that it can delegate its authentication.

Step 2: Add some security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config file.

Open the WorkflowGen web.config file and add/update the following property:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <!-- Auth -->
        <add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="<SECRET>" />
    </appSettings>
</configuration>

Replace <SECRET> with a value that can't be easily guessed, such as a UUID.

The secret will be only accessible inside your instance of WorkflowGen, so when generating a session token, WorkflowGen will sign it with this secret in order to check the validity of all session tokens passed to it.

Step 3: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click on the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication, and disable all other authentications.

Perform these steps for all sub-applications as well.

Add properties to the web.config files of certain modules

Certain modules need to have their authentication checked by the special Advantys.Security.JWTAuthenticationModule WorkflowGen authentication module, but certain other modules should not because they are either public or aren't part of the global authentication system.

Open the WorkflowGen web.config file and add/update the following property:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
     <modules>
         <add name="ApplicationSecurityAuthenticationModule" type="Advantys.Security.Http.JWTAuthenticationModule" />
     </modules>
 </system.webServer>
</configuration>

In the auth module's web.config, add/update the following property:
```
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
     <modules>
         <remove name="ApplicationSecurityAuthenticationModule"/>
     </modules>
 </system.webServer>
</configuration>
```
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.
Repeat the above two steps for the hooks and scim modules as well.
Copy the following .NET assemblies and dependency libraries from \wfgen\bin to each custom webform's \bin folder (\wfgen\wfapps\webforms\<custom webform>\bin):
- Advantys.My.dll
- Advantys.Security.dll
- Newtonsoft.Json.dll
- jose-jwt.dll

You should now have a working WorkflowGen instance with the authentication delegated to Okta through the OpenID Connect protocol. Make sure to have provisioned your users to WorkflowGen in order for them to successfully access WorkflowGen.

Configuring the authentication without the GraphQL API

If for some reason you can't add an authorization server in your Okta account and you don't need GraphQL API authentication configured with the provider, you can avoid creating the server and configure WorkflowGen with the default Okta authorization server.

Step 1: Create the WorkflowGen web application

Go to the Okta Developer portal.
In the Applications item under the Applications menu, click the Create App Integration button.
Select the following options in Create a new app integration, then click Next:
- Sign-in method: OIDC - OpenID Connect
- Application type: Web Application
Enter the following information:
- App integration name: WorkflowGen
- Grant type: Check Authorization Code
- Sign-in redirect URIs: <workflowgen url>/auth/callback
- Sign-out redirect URIs: <workflowgen url>/auth/logout/return
- Base URIs: <workflowgen url> without any path (just the base URL); for example, https://localhost, if <workflowgen url> is https://localhost/wfgen
- Controlled access: Check Allow everyone in your organization to access
- Leave the remaining properties set to their defaults.
Click the Save button.
On the General tab of your WorkflowGen web application page, click the Edit button in the General Settings section.
Enter the following information:
- Initiate login URI: <workflowgen url>/auth/callback
Click Save.

You've now successfully configured Okta for your WorkflowGen instance.

Step 2: Configure WorkflowGen

Add or update the following configuration options in the WorkflowGen web.config file.

Change MetadataUrl to https://<YOUR OKTA DOMAIN>/.well-known/openid-configuration.
Change UsernameClaim to preferred_username.
Change AuthAudience to the client ID of the configured WorkflowGen web application from Okta.
Set the ApplicationSecurityAuthDecodeAccessToken option to N.

Keep in mind that by setting ApplicationSecurityAuthDecodeAccessToken=N, the expiration date of the session token generated by WorkflowGen will be based on that of the ID token.
You won't be able to use the access token received from Okta to query the GraphQL API. This access token will give you access to the Okta API and nothing else. To query the GraphQL API, you'll need to configure its authentication with another method, like Basic authentication.

Classic usage:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <!-- Okta auth -->
        <add key="ApplicationSecurityAuthProvider" value="okta"/>
        <add key="ApplicationSecurityAuthClientId" value="<CLIENT ID>" />
        <add key="ApplicationSecurityAuthClientSecret" value="<CLIENT SECRET>" />
        <add key="ApplicationSecurityAuthMetadataUrl" value="https://<YOUR OKTA DOMAIN>/.well-known/openid-configuration" />
        <add key="ApplicationSecurityAuthUsernameClaim" value="preferred_username" />
        <add key="ApplicationSecurityAuthAppIdClaim" value="sub" />
        <add key="ApplicationSecurityAuthClockTolerance" value="60" />
        <add key="ApplicationSecurityAuthSessionRefreshEnableIFrame" value="Y"/>
        <add key="ApplicationSecurityAuthAudience" value="<CLIENT ID>"/>
        <add key="ApplicationSecurityAuthDecodeAccessToken" value="N"/>
    </appSettings>
</configuration>

Step 3: Add some security values for session generation

In order to generate a session token, you need to add a few more settings to the web.config file.

Open the WorkflowGen web.config file and add/update the following property:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings>
        <!-- Auth -->
        <add key="ApplicationSecurityAuthSessionTokenSigningSecret" value="<SECRET>" />
    </appSettings>
</configuration>

Replace <SECRET> with a value that can't be easily guessed, such as a UUID.

Step 4: Activate the authentication delegation

You now need to activate the delegation by replacing the authentication system in IIS and pointing WorkflowGen's modules to the correct authentication module.

Configure IIS

In IIS Manager, click on the WorkflowGen application in the tree view.
Click the Authentication button.
Enable Anonymous Authentication, and disable all other authentications.

Perform these steps for all sub-applications as well.

Add properties to the `web.config` files of certain modules

Open the WorkflowGen web.config file and add/update the following property:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
     <modules>
         <add name="ApplicationSecurityAuthenticationModule" type="Advantys.Security.Http.JWTAuthenticationModule" />
     </modules>
 </system.webServer>
</configuration>

In the auth module's web.config, add/update the following property:
```
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
     <modules>
         <remove name="ApplicationSecurityAuthenticationModule"/>
     </modules>
 </system.webServer>
</configuration>
```
This line removes the authentication Node.js module from the global authentication system, because this Node.js application encapsulates the OpenID Connect authentication mechanisms.
Repeat the above two steps for the hooks and scim modules as well.
Copy the following .NET assemblies and dependency libraries from \wfgen\bin to each custom webform's \bin folder (\wfgen\wfapps\webforms\<custom webform>\bin):
- Advantys.My.dll
- Advantys.Security.dll
- Newtonsoft.Json.dll
- jose-jwt.dll