- Release status
- Need help?
- Getting started
- Usage guide
- Configuration reference
- Building the SDK
- Contributing
This repository contains the Okta IDX SDK for Java. This SDK can be used in your server-side code to assist in authenticating users against the Okta Identity Engine.
❕ The use of this SDK requires usage of the Okta Identity Engine. This functionality is in general availability but is being gradually rolled out to customers. If you want to request to gain access to the Okta Identity Engine, please reach out to your account manager. If you do not have an account manager, please reach out to [email protected] for more information.
⚠️ Beta alert! This library is in beta. See release status for more information.
This library is built for projects in Java framework to communicate with Okta as an OAuth 2.0 + OpenID Connect provider. It works with Okta's Identity Engine to authenticate and register users.
To see this library working in a sample, check out our Java Samples.
This library uses semantic versioning and follows Okta's Library Version Policy.
Version | Status |
---|---|
0.1.0 |
The latest release can always be found on the releases page.
If you run into problems using the SDK, you can
- Ask questions on the Okta Developer Forums
- Post issues here on GitHub (for code errors)
- JDK 8 or later
- Apache Maven 3.6.x or later
To use this SDK, you will need to include the following dependencies:
For Apache Maven:
<dependency>
<groupId>com.okta.idx.sdk</groupId>
<artifactId>okta-idx-java-api</artifactId>
<version>${okta.sdk.version}</version>
</dependency>
where {okta.sdk.version}
is the Java IDX SDK version.
For Gradle:
compile "com.okta.idx.sdk:okta-idx-java-api:${okta.sdk.version}"
where okta.sdk.version
is the latest stable release version listed here.
Snapshots are deployed off of the 'master' branch to OSSRH and can be consumed using the following repository configured for Apache Maven or Gradle:
https://oss.sonatype.org/content/repositories/snapshots/
You will also need:
- An Okta account, called an organization (sign up for a free developer organization if you need one).
These examples will help you understand how to use this library.
IDXAuthenticationWrapper
object needs to be instantiated to be able to invoke all the backend Okta APIs.
Begin Transaction:
AuthenticationResponse beginResponse = idxAuthenticationWrapper.begin()
Authenticate User:
AuthenticationResponse authenticationResponse =
idxAuthenticationWrapper.authenticate(new AuthenticationOptions(username, password), beginResponse.getProceedContext());
The AuthenticationStatus
in AuthenticationResponse
you get will indicate how to proceed to continue with the authentication flow.
Type: AuthenticationStatus.Success
The user was successfully authenticated and you can retrieve the tokens from the response by calling getTokenResponse()
on AuthenticationResponse
object.
Type: AuthenticationStatus.PasswordExpired
The user needs to change their password to continue with the authentication flow and retrieve tokens.
Type: AuthenticationStatus.AwaitingAuthenticatorEnrollment
The user needs to enroll an authenticator to continue with the authentication flow and retrieve tokens. You can retrieve the authenticators information by calling authnResponse.Authenticators
.
Type: AwaitingChallengeAuthenticatorSelection
The user needs to select and challenge an additional authenticator to continue with the authentication flow and retrieve tokens.
There are other statuses that you can get in AuthenticationStatus
:
Type: AwaitingAuthenticatorVerification
The user has successfully selected an authenticator to challenge so they now need to verify the selected authenticator. For example, if the user selected phone, this status indicates that they have to provide they code they received to verify the authenticator.
Type: AwaitingAuthenticatorEnrollmentData
The user needs to provide additional authenticator information. For example, when a user selects to enroll phone they will have to provide their phone number to complete the enrollment process.
Type: AwaitingChallengeAuthenticatorData
The user needs to provide additional authenticator information. For example, when a user selects to challenge phone they will have to choose if they want to receive the code via voice or SMS.
Type: AwaitingPasswordReset
The user needs to reset their password to continue with the authentication flow and retrieve tokens.
idxAuthenticationWrapper.revokeToken(TokenType.ACCESS_TOKEN, accessToken);
// begin transaction
AuthenticationResponse beginResponse = idxAuthenticationWrapper.begin();
// get proceed context
ProceedContext beginProceedContext = beginResponse.getProceedContext();
// enroll user
AuthenticationResponse newUserRegistrationResponse = idxAuthenticationWrapper.fetchSignUpFormValues(beginProceedContext);
// set user profile
UserProfile userProfile = new UserProfile();
userProfile.addAttribute("lastName", lastname);
userProfile.addAttribute("firstName", firstname);
userProfile.addAttribute("email", email);
ProceedContext proceedContext = newUserRegistrationResponse.getProceedContext();
# register user with proceed context context
AuthenticationResponse authenticationResponse =
idxAuthenticationWrapper.register(proceedContext, userProfile);
Note: Check the response's
AuthenticationStatus
to determine what the next step is.
// recover password
AuthenticationResponse authenticationResponse =
idxAuthenticationWrapper.recoverPassword(username, proceedContext);
Note: Check the response's
AuthenticationStatus
to determine what the next step is.
AuthenticationResponse
contains the list of SDK errors as strings.
List<String> errors = authenticationResponse.getErrors();
Every instance of the SDK Client
is thread-safe. You should use the same instance throughout the entire lifecycle of your application. Each instance has its own Connection pool and Caching resources that are automatically released when the instance is garbage collected.
This library looks for configuration in the following sources:
- An
okta.yaml
at the root of the applications classpath - An
okta.yaml
file in a.okta
folder in the current user's home directory (~/.okta/okta.yaml
or%userprofile%\.okta\okta.yaml
) - Environment variables
- Java System Properties
- Configuration explicitly set programmatically (see the example in Getting started)
Higher numbers win. In other words, configuration passed via the constructor will override configuration found in environment variables, which will override configuration in okta.yaml
(if any), and so on.
The full YAML configuration looks like:
okta:
idx:
issuer: "https://{yourOktaDomain}/oauth2/{authorizationServerId}" # e.g. https://foo.okta.com/oauth2/default, https://foo.okta.com/oauth2/ausar5vgt5TSDsfcJ0h7
clientId: "{clientId}"
clientSecret: "{clientSecret}" # Required for confidential clients
scopes:
- "{scope1}"
- "{scope2}"
redirectUri: "{redirectUri}"
Here's an example config file
okta:
idx:
issuer: "https://dev-1234.okta.com/oauth2/default"
clientId: "123xyz"
clientSecret: "123456abcxyz" # Required for confidential clients
scopes:
- "openid"
- "profile"
- "offline_access"
redirectUri: "https://loginredirect.com"
Each one of the configuration values above can be turned into an environment variable name with the _
(underscore) character:
OKTA_IDX_ISSUER
OKTA_IDX_CLIENTID
OKTA_IDX_CLIENTSECRET
OKTA_IDX_SCOPES
OKTA_IDX_REDIRECTURI
Each one of the configuration values written in 'dot' notation to be used as a Java system property:
okta.idx.issuer
okta.idx.clientId
okta.idx.clientSecret
okta.idx.scopes
okta.idx.redirectUri
In most cases, you won't need to build the SDK from source. If you want to build it yourself, clone the repo and run mvn install
.
By default, the Cucumber Integration tests are run on Maven builds (see here).
If you wish to skip these Cucumber Integration tests,
simply disable the associated Maven profile using mvn clean install -P '!cucumber-it'
We are happy to accept contributions and PRs! Please see the contribution guide to understand how to structure a contribution.