Check Authorization header

The requests that Okta sends to your external service include an Authorization header containing a secret string.

At the time you register your external service with Okta, you specify the value of the secret string that should be sent. This provides a mechanism to secure access to your endpoint.

An important piece, therefore, to include in any external service implementation, is a check for the presence of an Authorization header that contains the correct value in all incoming requests. If the Authorization header in an incoming request cannot be verified, the request needs to be denied.

For the check of the Authorization header, we use npm packages to parse the request from Okta and to decode the value of the Authorization header.

For the secret value, we chose to use the Basic Authentication scheme to encode a username and password combination in Base64, setting that value as our authentication secret when registering the Inline Hook with Okta.

If the Authorization header is missing or the value provided is wrong, we deny the request, returning an HTTP 401 "Unauthorized" status code.

app.use(bodyParser.json());
app.use(basicAuth({
  users: { 'admin': 'supersecret' },
  unauthorizedResponse: req => 'Unauthorized'
}));

Next: Get submitted credentials

Check Authorization header

On This Page