[SYNCOPE-1844] Support Okta authentication and attribute repository

common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib;
+
+import java.io.Serializable;
+
+public abstract class AbstractOktaConf implements Serializable {
+
+    private static final long serialVersionUID = -7800528759438661362L;
+
+    private String organizationUrl;
+
+    public String getOrganizationUrl() {
+        return organizationUrl;
+    }
+
+    public void setOrganizationUrl(final String organizationUrl) {
+        this.organizationUrl = organizationUrl;
+    }
+}

common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java

@@ -37,6 +37,8 @@ interface Mapper {
         Map<String, Object> map(AttrRepoTO attrRepo, SyncopeAttrRepoConf conf);
 
         Map<String, Object> map(AttrRepoTO attrRepo, AzureActiveDirectoryAttrRepoConf conf);
+
+        Map<String, Object> map(AttrRepoTO attrRepo, OktaAttrRepoConf conf);
     }
 
     Map<String, Object> map(AttrRepoTO attrRepo, Mapper mapper);

common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java

@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.attr;
+
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AttrRepoTO;
+
+public class OktaAttrRepoConf extends AbstractOktaConf implements AttrRepoConf {
+
+    private static final long serialVersionUID = 1019473980380211566L;
+
+    /**
+     * Username attribute to fetch attributes by.
+     */
+    private String usernameAttribute = "username";
+
+    /**
+     * Okta allows you to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token
+     * enables the bearer to perform specific actions on specific Okta endpoints, with that
+     * ability controlled by which scopes the access token contains. Scopes are only used
+     * when using client id and private-key.
+     */
+    private final List<String> scopes = Stream.of("okta.users.read", "okta.apps.read").collect(Collectors.toList());
+
+    /**
+     * Okta API token.
+     */
+    private String apiToken;
+
+    public String getUsernameAttribute() {
+        return usernameAttribute;
+    }
+
+    public void setUsernameAttribute(final String usernameAttribute) {
+        this.usernameAttribute = usernameAttribute;
+    }
+
+    public String getApiToken() {
+        return apiToken;
+    }
+
+    public void setApiToken(final String apiToken) {
+        this.apiToken = apiToken;
+    }
+
+    public List<String> getScopes() {
+        return scopes;
+    }
+
+    @Override
+    public Map<String, Object> map(final AttrRepoTO attrRepo, final Mapper mapper) {
+        return mapper.map(attrRepo, this);
+    }
+}

common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java

@@ -63,6 +63,8 @@ interface Mapper {
         Map<String, Object> map(AuthModuleTO authModule, SimpleMfaAuthModuleConf conf);
 
         Map<String, Object> map(AuthModuleTO authModule, SpnegoAuthModuleConf conf);
+
+        Map<String, Object> map(AuthModuleTO authModule, OktaAuthModuleConf conf);
     }
 
     Map<String, Object> map(AuthModuleTO authModule, Mapper mapper);

common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java

@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.auth;
+
+import java.util.Map;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AuthModuleTO;
+
+public class OktaAuthModuleConf extends AbstractOktaConf implements AuthModuleConf {
+
+    private static final long serialVersionUID = -696882546462937138L;
+
+    /**
+     * A number of authentication handlers are allowed to determine whether they can operate on the provided credential
+     * and as such lend themselves to be tried and tested during the authentication handler selection phase.
+     * The credential criteria may be one of the following options:<ul>
+     * <li>A regular expression pattern that is tested against the credential identifier.</li>
+     * <li>A fully qualified class name of your own design that implements {@code Predicate}.</li>
+     * <li>Path to an external Groovy script that implements the same interface.</li>
+     * </ul>
+     */
+    private String credentialCriteria;
+
+    public String getCredentialCriteria() {
+        return credentialCriteria;
+    }
+
+    public void setCredentialCriteria(final String credentialCriteria) {
+        this.credentialCriteria = credentialCriteria;
+    }
+
+    @Override
+    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
+        return mapper.map(authModule, this);
+    }
+}

src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc

@@ -28,6 +28,7 @@ Some attribute repositories are provided:
 * https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Stub.html[Stub^]
 * https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Syncope.html[Syncope^]
 * https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-AzureAD.html[Azure Active Directory^]
+* https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Okta.html[Okta^]
 
 [TIP]
 ====

src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc

@@ -30,6 +30,7 @@ Several authentication modules are provided:
     ** https://apereo.github.io/cas/7.1.x/authentication/SPNEGO-Authentication.html[SPNEGO^]
     ** https://apereo.github.io/cas/7.1.x/authentication/Syncope-Authentication.html[Syncope^]
     ** https://apereo.github.io/cas/7.1.x/authentication/Azure-ActiveDirectory-Authentication.html[Azure Active Directory^]
+    ** https://apereo.github.io/cas/7.1.x/authentication/Okta-Authentication.html[Okta^]
     ** https://apereo.github.io/cas/7.1.x/authentication/X509-Authentication.html[X509^]
     ** https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication-Generic-OpenID-Connect.html[OpenID Connect^]
     ** https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication-OAuth20.html[OAuth2^]

wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java

@@ -26,6 +26,7 @@
 import org.apache.syncope.common.lib.attr.AzureActiveDirectoryAttrRepoConf;
 import org.apache.syncope.common.lib.attr.JDBCAttrRepoConf;
 import org.apache.syncope.common.lib.attr.LDAPAttrRepoConf;
+import org.apache.syncope.common.lib.attr.OktaAttrRepoConf;
 import org.apache.syncope.common.lib.attr.StubAttrRepoConf;
 import org.apache.syncope.common.lib.attr.SyncopeAttrRepoConf;
 import org.apache.syncope.common.lib.to.AttrRepoTO;
@@ -36,6 +37,7 @@
 import org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAttributesProperties;
 import org.apereo.cas.configuration.model.support.jdbc.JdbcPrincipalAttributesProperties;
 import org.apereo.cas.configuration.model.support.ldap.LdapPrincipalAttributesProperties;
+import org.apereo.cas.configuration.model.support.okta.OktaPrincipalAttributesProperties;
 import org.apereo.cas.configuration.model.support.syncope.SyncopePrincipalAttributesProperties;
 
 public class AttrRepoPropertySourceMapper extends PropertySourceMapper implements AttrRepoConf.Mapper {
@@ -134,4 +136,17 @@ public Map<String, Object> map(final AttrRepoTO attrRepoTO, final AzureActiveDir
 
         return prefix("cas.authn.attribute-repository.azure-active-directory[].", WAConfUtils.asMap(props));
     }
+
+    @Override
+    public Map<String, Object> map(final AttrRepoTO attrRepoTO, final OktaAttrRepoConf conf) {
+        OktaPrincipalAttributesProperties props = new OktaPrincipalAttributesProperties();
+        props.setId(attrRepoTO.getKey());
+        props.setOrder(attrRepoTO.getOrder());
+        props.setOrganizationUrl(conf.getOrganizationUrl());
+        props.setUsernameAttribute(conf.getUsernameAttribute());
+        props.setScopes(conf.getScopes());
+        props.setApiToken(conf.getApiToken());
+
+        return prefix("cas.authn.attribute-repository.okta.", WAConfUtils.asMap(props));
+    }
 }

wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java

@@ -39,6 +39,7 @@
 import org.apache.syncope.common.lib.auth.LDAPAuthModuleConf;
 import org.apache.syncope.common.lib.auth.OAuth20AuthModuleConf;
 import org.apache.syncope.common.lib.auth.OIDCAuthModuleConf;
+import org.apache.syncope.common.lib.auth.OktaAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SAML2IdPAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SimpleMfaAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SpnegoAuthModuleConf;
@@ -61,6 +62,7 @@
 import org.apereo.cas.configuration.model.support.mfa.gauth.GoogleAuthenticatorMultifactorProperties;
 import org.apereo.cas.configuration.model.support.mfa.gauth.LdapGoogleAuthenticatorMultifactorProperties;
 import org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties;
+import org.apereo.cas.configuration.model.support.okta.OktaAuthenticationProperties;
 import org.apereo.cas.configuration.model.support.pac4j.oauth.Pac4jOAuth20ClientProperties;
 import org.apereo.cas.configuration.model.support.pac4j.oidc.BasePac4jOidcClientProperties;
 import org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jAppleOidcClientProperties;
@@ -413,6 +415,18 @@ public Map<String, Object> map(final AuthModuleTO authModuleTO, final AzureActiv
         return prefix("cas.authn.azure-active-directory.", WAConfUtils.asMap(props));
     }
 
+    @Override
+    public Map<String, Object> map(AuthModuleTO authModuleTO, OktaAuthModuleConf conf) {
+        OktaAuthenticationProperties props = new OktaAuthenticationProperties();
+        props.setName(authModuleTO.getKey());
+        props.setOrder(authModuleTO.getOrder());
+        props.setState(AuthenticationHandlerStates.valueOf(authModuleTO.getState().name()));
+        props.setOrganizationUrl(conf.getOrganizationUrl());
+        props.setCredentialCriteria(conf.getCredentialCriteria());
+
+        return prefix("cas.authn.okta.", WAConfUtils.asMap(props));
+    }
+
     @Override
     public Map<String, Object> map(final AuthModuleTO authModuleTO, final GoogleMfaAuthModuleConf conf) {
         GoogleAuthenticatorMultifactorProperties props = new GoogleAuthenticatorMultifactorProperties();

wa/starter/pom.xml

@@ -165,6 +165,14 @@ under the License.
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.apereo.cas</groupId>
+      <artifactId>cas-server-support-azuread-authentication</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apereo.cas</groupId>
+      <artifactId>cas-server-support-okta-authentication</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apereo.cas</groupId>
       <artifactId>cas-server-support-saml</artifactId>