Preparing for the Exercises

Description

In this exercise you'll sign up for a developer account at developer.okta.com to follow along with the exercises. Once you have an account, you'll be able to create applications and configure your OAuth server to follow along with the assignments.

Estimated Duration

10 minutes

Instructions

Please visit developer.okta.com and sign up for an account.


Once you've registered, navigate to Security then click API in the side menu. On that page, you'll see a list of your authorization servers. There should be only one, called "default".

Copy the Issuer URI from that list; it is the identifier of your OAuth server and you’ll need it throughout the course.

Next, we need to create a scope that the application can request from your API. We’ll talk more about what scopes are for and how they are used in later lessons, but we need one in order to be able to complete a flow for now.

Click on the name default to view the details of your OAuth server. Then click on the Scopes tab at the top.

The server is preconfigured with OpenID Connect scopes and the offline_access scope. For the exercises, you’ll need to add your own custom scope to get an access token with that scope. It doesn’t matter what it’s called for now, so use a word that represents the API you’re building, like “photos”.

Click on Add Scope, and enter the name of the scope in the first field. It’s usually a good idea to stick to lowercase letters. Make sure to also tick the “Include in public metadata” checkbox at the bottom.

Once you’ve created the custom scope you’re ready to complete the exercise. To check your work, we’ll be using a companion tool for this course which lives at oauth.school.

Visit the website oauth.school, and in the first “Getting Started” exercise, paste the issuer URI. This will check that it can find your OAuth server and the custom scope you added in the previous step. If everything worked, the website will show you the custom scope it found.

Next you’ll need to find the server’s authorization endpoint and token endpoint for use in the later exercises. These can be found programmatically by fetching the server’s metadata URL.

Back in your list of authorization servers, choose your default server and click the Settings tab.

One of the fields visible is your server’s Metadata URI. You might notice that it’s actually derived from your server’s Issuer URI. That is described in the OAuth Server Metadata extension, which says that the metadata URI should be created by appending the .well-known path to the issuer URI. If you click on that link, you’ll see that it’s actually a JSON file with a bunch of properties that describe the server.

(Note: It is helpful to install a browser plugin that can format JSON into a nice tree!)

We don’t care about most of these properties right now. We really only need the authorization_endpoint and token_endpoint values. These two happen to be prefixed with the Issuer URI as well, but that isn’t something you should rely on, which is why it’s important to fetch the metadata URL and take the actual values from there.

Copy these two values somewhere you’ll be able to find them again when you start the exercises. You’ll need these throughout the course.

Check your work by entering the authorization endpoint and token endpoint URLs into the website.

Once you’ve entered them correctly, you’ll be able to continue on with the next exercises.
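The discovery steps above (build the metadata URL from the Issuer URI, read authorization_endpoint and token_endpoint from the metadata document rather than guessing them, and confirm the custom scope is published) as a Python script. This is an added example, not code from the course or from oauth.school; the issuer, endpoint URLs and scope list in it are constructed placeholders, and the .well-known suffix is the one defined by the OAuth 2.0 Authorization Server Metadata spec (RFC 8414).

```python
import json
import urllib.request
from urllib.parse import urlparse

# Well-known suffix from RFC 8414, which Okta custom authorization servers publish.
METADATA_SUFFIX = "/.well-known/oauth-authorization-server"

# Constructed sample issuer and metadata document (placeholders, not a real tenant).
SAMPLE_ISSUER = "https://dev-EXAMPLE.okta.com/oauth2/default"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access", "photos"],
})


def metadata_url(issuer: str) -> str:
    """Build the metadata URL by appending the .well-known path to the issuer."""
    return issuer.rstrip("/") + METADATA_SUFFIX


def discover(issuer: str, custom_scope: str, raw_metadata: str) -> dict:
    """Validate a metadata document and return the two endpoints the exercises need.

    raw_metadata is the JSON served at metadata_url(issuer); fetch_metadata()
    below retrieves the live copy when network access is available.
    """
    meta = json.loads(raw_metadata)
    # RFC 8414: the issuer inside the document must equal the issuer we asked
    # about; a mismatch means a misconfigured or impersonated server.
    if meta.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r} != {issuer!r}")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        url = meta.get(key)
        # Use the advertised value as-is; never assume it shares the issuer prefix.
        if not url or urlparse(url).scheme != "https":
            raise ValueError(f"{key} missing or not https: {url!r}")
        endpoints[key] = url
    # The custom scope only shows up here if "Include in public metadata" was ticked.
    if custom_scope not in meta.get("scopes_supported", []):
        raise ValueError(f"scope {custom_scope!r} not in scopes_supported")
    return endpoints


def fetch_metadata(issuer: str) -> str:
    """Download the live metadata document (requires network access)."""
    with urllib.request.urlopen(metadata_url(issuer), timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Running `discover(SAMPLE_ISSUER, "photos", SAMPLE_METADATA)` returns the two endpoint URLs; swapping in `fetch_metadata(your_issuer)` performs the same check the oauth.school tool does against your real server.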