Merge pull request #362 from okta/jwt-authorization-mode

add jwt as an authorization mode

.generator/templates/configuration.mustache

@@ -149,6 +149,7 @@ type Configuration struct {
 			Token             string   `yaml:"token" envconfig:"OKTA_CLIENT_TOKEN"`
 			AuthorizationMode string   `yaml:"authorizationMode" envconfig:"OKTA_CLIENT_AUTHORIZATIONMODE"`
 			ClientId          string   `yaml:"clientId" envconfig:"OKTA_CLIENT_CLIENTID"`
+			ClientAssertion   string   `yaml:"clientAssertion" envconfig:"OKTA_CLIENT_CLIENTASSERTION"`
 			Scopes            []string `yaml:"scopes" envconfig:"OKTA_CLIENT_SCOPES"`
 			PrivateKey        string   `yaml:"privateKey" envconfig:"OKTA_CLIENT_PRIVATEKEY"`
 			PrivateKeyId      string   `yaml:"privateKeyId" envconfig:"OKTA_CLIENT_PRIVATEKEYID"`

.generator/templates/private_key_test.go

@@ -21,3 +21,22 @@ func Test_Private_Key_Request_Can_Create_User(t *testing.T) {
 	require.NoError(t, err, "Creating a new user should not error")
 	assert.NotNil(t, user, "User should not be nil")
 }
+
+func Test_JWT_Request_Can_Create_User(t *testing.T) {
+	if os.Getenv("OKTA_TRAVIS_CI") != "yes" {
+		t.Skip("Skipping testing not in CI environment")
+	}
+	configuration := NewConfiguration(WithAuthorizationMode("JWT"), WithScopes([]string{"okta.users.manage"}))
+	privateKeySigner, err := createKeySigner(configuration.Okta.Client.PrivateKey, configuration.Okta.Client.PrivateKeyId)
+	require.NoError(t, err)
+	clientAssertion, err := createClientAssertion(configuration.Okta.Client.OrgUrl, configuration.Okta.Client.ClientId, privateKeySigner)
+	require.NoError(t, err)
+	configuration.Okta.Client.ClientAssertion = clientAssertion
+	client := NewAPIClient(configuration)
+	uc := testFactory.NewValidTestUserCredentialsWithPassword()
+	profile := testFactory.NewValidTestUserProfile()
+	body := CreateUserRequest{Credentials: uc, Profile: profile}
+	user, _, err := client.UserApi.CreateUser(apiClient.cfg.Context).Body(body).Execute()
+	require.NoError(t, err, "Creating a new user should not error")
+	assert.NotNil(t, user, "User should not be nil")
+}

README.md

@@ -859,8 +859,9 @@ The client is configured with a configuration setter object passed to the `NewCl
 | WithRequestTimeout(requestTimeout int64) | HTTP request time out in seconds |
 | WithRateLimitMaxRetries(maxRetries int32) | Number of request retries when http request times out |
 | WithRateLimitMaxBackOff(maxBackoff int64) | Max amount of time to wait on request back off |
-| WithAuthorizationMode(authzMode string) | Okta API auth mode, `SSWS` (Okta based) or `PrivateKey` (OAuth app based) |
+| WithAuthorizationMode(authzMode string) | Okta API auth mode, `SSWS` (Okta based), `PrivateKey` (OAuth app based) or `JWT` (OAuth app based) |
 | WithClientId(clientId string) | Okta App client id, used with `PrivateKey` OAuth auth mode |
+| WithClientAssertion(clientAssertion string) | Okta App client assertion, used with `JWT` OAuth auth mode |
 | WithScopes(scopes []string) | Okta API app scopes |
 | WithPrivateKey(privateKey string) | Private key value |
 | WithPrivateKeyId(privateKeyId string) | Private key id (kid) value |
@@ -1055,6 +1056,43 @@ ctx, client, err := okta.NewClient(ctx,
 
 ```
 
+### OAuth 2.0 With JWT Key
+Okta allows you to interact with Okta APIs using scoped OAuth 2.0 access
+tokens. Each access token enables the bearer to perform specific actions on
+specific Okta endpoints, with that ability controlled by which scopes the
+access token contains.
+
+Access Tokens are always cached and respect the `expires_in` value of an access
+token response.
+
+This SDK supports this feature only for service-to-service applications. Check
+out [our
+guides](https://developer.okta.com/docs/guides/implement-oauth-for-okta/overview/)
+to learn more about how to register a new service application using a private
+and public key pair. Otherwise, follow the example steps at the end of this
+topic.
+
+When using this approach you won't need an API Token because the SDK will
+request an access token for you. In order to use OAuth 2.0, construct a client
+instance by passing the following parameters:
+
+```go
+ctx := context.TODO()
+ctx, client, err := okta.NewClient(ctx,
+  okta.WithOrgUrl("https://{yourOktaDomain}"),
+  okta.WithAuthorizationMode("JWT"),
+  okta.WithClientAssertion("{{clientAssertion}}"),
+  okta.WithScopes(([]string{"okta.users.manage"})),
+)
+if err != nil {
+  fmt.Printf("Error: %v\n", err)
+}
+
+fmt.Printf("Context: %+v\n Client: %+v\n\n",ctx, client)
+```
+
+This is very similar to PrivateKey Authorization Mode with a caveat, instead of providing public/privatekey pair, you can use a pre-signed JWT instead
+
 ### OAuth 2.0 With Bearer Token
 
 Okta SDK supports authorization using a `Bearer` token. A bearer token is an

okta/config.go

@@ -55,6 +55,7 @@ type config struct {
 			Scopes            []string `yaml:"scopes" envconfig:"OKTA_CLIENT_SCOPES"`
 			PrivateKey        string   `yaml:"privateKey" envconfig:"OKTA_CLIENT_PRIVATEKEY"`
 			PrivateKeyId      string   `yaml:"privateKeyId" envconfig:"OKTA_CLIENT_PRIVATEKEYID"`
+			ClientAssertion   string   `yaml:"clientAssertion" envconfig:"OKTA_CLIENT_CLIENTASSERTION"`
 		} `yaml:"client"`
 		Testing struct {
 			DisableHttpsCheck bool `yaml:"disableHttpsCheck" envconfig:"OKTA_TESTING_DISABLE_HTTPS_CHECK"`
@@ -189,6 +190,12 @@ func WithClientId(clientId string) ConfigSetter {
 	}
 }
 
+func WithClientAssertion(clientAssertion string) ConfigSetter {
+	return func(c *config) {
+		c.Okta.Client.ClientAssertion = clientAssertion
+	}
+}
+
 func WithScopes(scopes []string) ConfigSetter {
 	return func(c *config) {
 		c.Okta.Client.Scopes = scopes