[Meta][Okta] Support OAuth 2.0 for Integration

[simonhearne]

The current Okta Logs Integration supports Basic Auth using an API key to consume Okta System Logs.

Okta supports OAuth 2.0 for scoped API access to System Logs which is a preferable authentication mechanism for some / most users.

This issue is a request to add OAuth as an authentication method for the Okta integration.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jamiehynds]

@ShourieG given that our Okta integration uses httpjson, which supports Oauth 2.0, could you provide an estimate on the level of effort on our end to add support for the Oauth 2.0 & scoped API access to the integration?

[ShourieG]

@jamiehynds Implementing Oauth 2.0 for Okta should be a couple of days of work including testing as long the api's support the standard Oauth 2.0 request headers such as

      client_id: 
      client_secret: 
      grant_type: 
      scope: 

which after looking at the docs, it does. However Oauth 2.0 should be implemented as an alternative to the current auth system and not replace it.

[P1llus]

@ShourieG lets add a oauth version UI item or so, and default it currently to 1? Then use if conditions in the manifest to provide the correct auth config or so.

[ShourieG]

@jamiehynds According to this https://devforum.okta.com/t/must-use-the-private-key-jwt-token-endpoint-auth-method/24120, okta seems to support JWT and private Key auth as part of their oauth2 authorization process for custom domains. The https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/ doc shows the usage of JWT tokens for oauth2 authorization using the Client Credentials grant flow to mint access tokens that contains scopes. This means the standard process of using a client_id & client_secret might not work for 3rd party services/apps using oauth2 with okta on custom domains which relies on scopes to be present.

Also if this get too complicated, this might need to be separated into a different data stream.

[ShourieG]

@jamiehynds @narph @andrewkroh Latest update :

1. The okta domains have 2 servers generally a default custom server and an okta org server.
2. The custom default okta server supports oauth2 via the standard client_id & client_secret mechanism, which is supported by httpjson and CEL inputs.
3. The okta org server only supports oauth via a JWT generated using a private/public key pair and an okta specific payload.
4. All okta scoped tokens (i.e tokens minted having the okta.* scope) need to be generated via the okta org server.
   In our case this corresponds to the okta.logs.read scope, since we want to read system logs.
5. All the JWTs generated have a maximum validity of 1 hour, i.e they need to be refreshed every 1 hour.
6. After the JWT is generated, we need to use this JTW to retrieve the bearer token hitting /oauth2/v1/token endpoint of
   the okta org server .
7. Finally with this bearer token we can hit the system logs api and poll for logs. We also need to refresh this token every 1
   hour as that seems to be the maximum validity.

To achieve this I think we need to add an okta specific JWT oauth to httpjson. Even with that the expiry of the tokens and it's refresh need to be accounted for. Would need discussions on how to move in the right direction. Is an okta specific input an option as we can then use the okta sdk directly ?

okta doc - https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/

[andrewkroh]

httpjson (and cel?) are using the golang.org/x/oauth2 library. I would like to see if there is an extension point where we can continue using this library and hook in the ability to generate tokens in the manner required by Okta for machine-to-machine use cases. Would implementing a custom https://pkg.go.dev/golang.org/x/oauth2#TokenSource work for this? It seems like it would. The TokenSource would create a JWT, sign it with the given JWK, then fetch an access token from Okta based on this.

For configuration I am thinking it would look like this:

- type: httpjson
  auth:
    oauth2:
      token_url: https://${yourOktaDomain}/oauth2/v1/token
      provider: okta_app
      okta_app:
        jwk_file: /path/to/json_web_key.json # OR embed the content directly
        jwk_json: |
          {
            "kty": "RSA",
            "e": "AQAB",
            "use": "sig",
            "kid": "my_key_id",
            "alg": "RS256",
            "n": "FAKE_u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
          }