How would I implement Okta Authentication in Gentics Mesh?

Question

Gentics Mesh comes with support for Keycloak built-in, but I'd like to use Okta instead.

What's best practice?

Would it require modifying Mesh source code?

Or maybe I should handle authentication in a middleware layer?

Or could I implement the AuthServicePlugin to validate a token from Okta?
https://github.com/gentics/mesh/blob/dev/plugin-api/src/main/java/com/gentics/mesh/plugin/auth/AuthServicePlugin.java

Update
I've tried using my Okta server in the mesh.yml config, but an exception is thrown.
This is the OIDC url for my Okta service -
https://{yourOktaDomain}/oauth2/v1/authorize

Unfortunately, the OAuth2 implementation seems to be Keycloak specific -

com.gentics.mesh.core.rest.error.GenericRestException: 500 Internal Server Error oauth_config_error at com.gentics.mesh.core.rest.error.Errors.error(Errors.java:124) ... Caused by: java.lang.RuntimeException: Error while loading realm info. Got code {404} at com.gentics.mesh.auth.MeshOAuth2ServiceImpl.fetchPublicRealmInfo(MeshOAuth2ServiceImpl.java:451)

It looks like it's piecing together a url that won't work for Okta.
https://github.com/gentics/mesh/blob/f85dac8bf954248a6556323d792e6b849fb1d593/services/keycloak-auth/src/main/java/com/gentics/mesh/auth/MeshOAuth2ServiceImpl.java#L434

If I'm not mistaken, the implementation [MeshOAuth2ServiceImpl] can be changed to support any OIDC.

Jotschi · Accepted Answer · 2019-10-04T12:18:38.620

The authentication mechanism has been recently updated.

Gentics Mesh will now take the role as a resource server. It can accept any JWT as long as the public key from the OAuth server has been added.

The plugin API has been updated to provide support for custom mappings between oauth user and mesh. This allows you for example to map multiple oauth2 users to one mesh user which contains the needed roles/groups. You can also create a 1:1 mapping in which every oauth2 user will be added to Mesh.

The public keys of the OAuth server can be loaded via plugin API or hardcoded in a public-keys.json file.

You can read more on this topic here: https://getmesh.io/docs/authentication/#_oauth2_oidc

Thanks @Jotschi - I really appreciate your hard work on Mesh, and responsiveness here and on GitHub. I've settled on Mesh as a CMS for two of my current projects. Also, let me know if there are any issues I can help with! — Jeremy, Sep 01 '19 at 20:31

score 0 · Answer 2 · answered Sep 01 '19 at 16:08

According to the Genetics Mesh docs, OAuth2 is supported out of the box. I'd use the OpenID Connect features in Okta to get the JWT and use that within Genetics Mesh.

There's a configuration example on using OIDC with KeyCloak, but you can substitute your Okta endpoints for the provided KeyCloak endpoints.

security:
  oauth2:
    enabled: true
    config:
      realm: "master"
      authServerUrl: "http://localhost:3000/auth" # Okta endpoint here
      sslRequired: "external"
      resource: "mesh"
      credentials:
        secret: "9b65c378-5b4c-4e25-b5a1-a53a381b5fb4" # application secret here
      confidentialPort: 0

Also according to the docs, if you need roles mappings, you'll have to create an AuthServicePlugin.

Thanks Paul, unfortunately, I don't think Mesh is implementing OIDC - I've updated my question. — Jeremy, Sep 01 '19 at 17:42
That's a bummer. Their documentation I guess needs updating. — PaulProgrammer, Sep 01 '19 at 22:33

How would I implement Okta Authentication in Gentics Mesh?

2 Answers2