Cloud and Hybrid TUTORIAL

Configuring Hybrid Data Pipeline and Okta to use OpenID Connect for OData Authentication

Updated: 20 Sep 2022

Introduction

Accessing data often brings with it many security and availability headaches, but with DataDirect Hybrid Data Pipeline it is now possible to provide access to your data sources by OData-enabling them and authenticating your users with OpenID Connect (OIDC).

In this tutorial, you’ll learn how to quickly configure Hybrid Data Pipeline to use Okta as an Identity Provider (IDP) to support OpenID Connect (OIDC) authorization, allowing you to use your existing user credentials to access your data via Hybrid Data Pipeline’s OData REST API.

How to Get Started

This tutorial assumes you have already installed Hybrid Data Pipeline and OData-enabled your data source. Your OData endpoint should be accessible using basic authentication in Hybrid Data Pipeline before beginning this tutorial.

Note, we will be using several third-party tools to complete this:

How to Set Up Okta

  1. Sign up for an Okta developer account at: https://developer.okta.com/

  2. Create an Application under the Applications section in Okta

  3. Choose OIDC and Web Application

  4. On the New Web App Integration page, supply the following details:

    • App Integration Name: <name of your choice>
    • Grant Type: Authorization Code and Refresh Token
    • Assignments: Allow everyone in your organization to access
    • Add Postman’s redirect URI under the Sign-In Redirect URI:
      • https://oauth.pstmn.io/v1/callback
  5. On the following screen, make note of your client ID and client secret

  6. Under the Security menu, select API and click on the pencil icon for the default server

  7. Click on Add Scope

  8. Add these items to the default scope:

    • Name: api.access.odata
    • Require user consent
    • Include in public metadata
  9. Create your Auth URL and Access Token URLs using your personal Okta root URL. You can find your personal URL in the top right corner of the Okta web interface:

    • Auth URL will be your Okta personal URL + /oauth2/default/v1/authorize
      • Ex: https://dev-<removed>.okta.com/oauth2/default/v1/authorize
    • Access Token URL will be your Okta personal URL + /oauth2/default/v1/token
      • Ex: https://dev-<removed>.okta.com/oauth2/default/v1/token
    • Issuer URL will be your Okta personal URL + /oauth2/default
      • Ex. https://dev-<removed>.okta.com/oauth2/default
  10. Create the Authentication Service in Hybrid Data Pipeline by logging into your Hybrid Data Pipeline server and clicking on the Authentication tab on the left. Click on New Service at the top of the screen.

  11. Fill out the form using your Issuer URL and other details. Be sure to set HDP Username Identifier to ‘sub’ and JWT as the validation method.

    Associate your Authentication Service with an HDP user account that has an OData endpoint configured by opening the user account in HDP and clicking on the Authentication Setup tab. Be sure to provide the full email address of the user used with your Okta account or one added to Okta’s user directory.

    *Note that the user ID (email) must be unique and must not match any local user ID that already exists within Hybrid Data Pipeline.

  12. Using Postman, configure a connection to the HDP OData endpoint for this user. (Refer to the documentation for details on creating an OData endpoint in Hybrid Data Pipeline.) Within Postman, paste the OData URL into the URL bar as a GET request and click on the header tab. Add a new header:

    • Key: x-datadirect-authService
    • Value: <name of Authentication Service created in HDP>
      • See #11 above
  13. Click on the Authorization Tab and choose OAuth2. Fill out the fields with the information collected from Okta:

    • Token Name: Okta
    • Grant Type: Authorization Code
    • Authorize using browser
    • Fill in Auth URL, Access Token URL, Client ID, Client Secret
    • Scope: api.access.odata openid
    • State: ca
  14. Click Get New Access Token and then click Use Token. The connection should authenticate, and data should be returned from the OData endpoint.
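
If the request in step 14 is rejected, the access token can be compared with the values configured in steps 9 to 13 before troubleshooting HDP itself. The following Python is an added example, not code from the original tutorial, Progress or Okta; it assumes Okta lists granted scopes in the scp claim, and the root URL, user ID and token shown are constructed placeholders.

```python
import base64
import json
import time

SCOPE = "api.access.odata"  # scope name from steps 8 and 13

def okta_urls(root):
    """Derive the step 9 URLs from the Okta root URL."""
    issuer = root.rstrip("/") + "/oauth2/default"
    return {"issuer": issuer,
            "auth": issuer + "/v1/authorize",
            "token": issuer + "/v1/token"}

def decode_claims(token):
    """Decode the JWT payload. No signature check: diagnostics only,
    HDP performs the actual JWT validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_token(token, root, hdp_user, now=None):
    """Return the mismatches between the token and the tutorial's setup."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != okta_urls(root)["issuer"]:
        problems.append("iss differs from the Issuer URL given to HDP")
    if claims.get("sub") != hdp_user:
        problems.append("sub differs from the user ID set in HDP")
    if SCOPE not in claims.get("scp", []):  # assumed: Okta puts scopes in 'scp'
        problems.append("scope %s was not granted" % SCOPE)
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def sample_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "sig"])

if __name__ == "__main__":
    root = "https://dev-000000.okta.example"  # placeholder root URL
    tok = sample_token({"iss": root + "/oauth2/default", "scp": ["openid"],
                        "sub": "user@example.com", "exp": 2000000000})
    print(check_token(tok, root, "user@example.com", now=1700000000))
```

An empty list means the claims agree with the setup; HDP still has to verify the token's signature itself.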

    By being able to quickly integrate Hybrid Data Pipeline with your existing identity provider, it is much easier and more secure to share data across your organization or with your customers.

    If you have further questions about this tutorial or Hybrid Data Pipeline in general, please contact us.
