This plugin enables authentication with Okta for Sonatype Nexus OSS. It provides a AuthenticatingRealm that uses the Okta API to authenticate users. MFA can be used, but only the push factor is supported at the moment. This plugin only provides very basic functionality (read the next section carefully).
Authorization based on Okta groups is currently not implemented. This means you can't map Okta groups to Nexus roles. You still have to create users in Nexus and assign them the desired roles. This isn't ideal, but if your primary use case is authentication via Okta, then this may be sufficient for you. Basically you still manage users and roles in Nexus, but users can authenticate via Okta (including push MFA).
Some background: Unfortunately it doesn't seem to be possible to query Okta for the groups of the current user without an API key. (The session token does not seem to work.) Due to security restrictions and the lack of fine grained access control within Okta, we're unable to use API keys at the moment. That's why we're currently using this workaround.
However, if you're interested in contributing, I'd be happy to review and merge a pull request.
If you are using Docker to deploy NXRM, the following is an example Dockerfile. It installs and configures the plugin. Make sure to replace https://your-account.okta.com with your Okta organization link.
FROM sonatype/nexus3
USER root
# install plugins
RUN yum update -y && \
yum install -y curl && \
curl -L \
https://github.com/restfulhead/nexus-okta-auth-plugin/releases/download/0.0.4/nexus-okta-auth-plugin-0.0.4.jar --output /opt/sonatype/nexus/system/nexus-okta-auth-plugin.jar && \
echo "reference\:file\:nexus-okta-auth-plugin.jar = 200" >> /opt/sonatype/nexus/etc/karaf/startup.properties && \
touch /opt/sonatype/nexus/etc/nexus-okta-auth.properties && \
echo "okta.org.url=https://your-account.okta.com" >> /opt/sonatype/nexus/etc/nexus-okta-auth.properties && \
chown nexus:nexus -R /opt/sonatype/nexus && \
yum clean all && \
rm -rf /var/cache/yum
USER nexus
If you're not using Docker, then you can follow the following manual steps to install the plugin. It is assumed you installed Nexus under /opt/sonatype/nexus. If your installation directory is different, modify the instructions accordingly.
- Download the latest Plugin release from Github.
- Copy the file to
/opt/sonatype/nexus/system/and rename it tonexus-okta-auth-plugin.jar. - Append the following line to startup.properties file (under
/opt/sonatype/nexus/etc/karaf):
reference\:file\:nexus-okta-auth-plugin.jar = 200
- Create a new file
nexus-okta-auth.propertiesunder/opt/sonatype/nexus/etc/with the following content. Adjust the URL to match your Okta org url:
okta.org.url=https://your-account.okta.com
After you've installed the plugin, you need to activate it.
- Login to Nexus with a user that has administration rights.
- In the Nexus administration, navigate to
Security/Realms - If the installation was successful, you should see the "Okta Auth Realm" in the list of available realms. Move it to the list of active realms and save.
Now Okta users can sign in to Nexus. However, without additional configuration they won't be able to do much, because they're not authorized.
In order to assign roles to a user, you need to create the user also in Nexus:
- In the Nexus administration, navigate to
Security/Users - Select
Localas the source and then clickCreate local user. - Make sure the
usernameis the same as the Okta user name (usually the email address). Fill out all required fields. For the password, you can use a long, hard to guess random value. Users will be authenticating using Okta, so this password is effectively meaningless and you don't have to remember it. However, unless you deactivate the Local Authentication Realm, authentication might still fall-back to it. Therefore make sure the password is not easy to guess. - Assign the desired role to the user
Now when users log in (by using Okta credentials), they will have roles assigned based on you local configuration.
If you only want users to be able to login via Okta, then you can deactivate the Local Authentication Realm. This means you will be no longer to use the default admin user. Make sure you have at least one Okta user who you assigned the nx-admin role, so you don't log yourself out. Also make sure to keep the Local Authorizing Realm activated. Here's what this configuration could look like:
To run the unit tests, simply run mvn clean test.
There's also an integration test, which will make https requests against Okta. For this to work, you need to supply a valid Okta organization link, user and password. You can use the following system properties for this: oktaTestOrgUrl, oktaTestUserName and oktaTestUserPassword.
For example: mvn verify -Pintegration-test -DoktaTestOrgUrl=https://your-account.okta.com -DoktaTestUserName=your-email -DoktaTestUserPassword=your-password
To test locally, you can make use of the provided Dockerfile, which will install the plugin from you local target directory.
- To build the container image:
docker build -t nxrm-dev --build-arg OKTA_ORG_URL=https://your-org.okta.com .(Replaceyour-orgwith your Okta organization accordingly) - Then run
docker run -it -p 8081:8081 nxrm-dev
You should now be able to access Nexus from your browser at http://localhost:8081. The default admin user is admin with password admin123. Follow the instructions from above in order to use the plugin.
To release, run (replace $BUILD_NUMBER with the release no).:
mvn clean package bundle:bundle -Drevision=$BUILD_NUMBERmvn deploy scm:tag -Drevision=$BUILD_NUMBER -DskipNexusStagingDeployMojo=true
Some parts of this project were inspired by the Nexus3 Crowd Plugin which is released under the Apache License 2.0 by pingunaut
This is a plugin for Sonatype Nexus (TM) Open Source Version, Copyright (c) 2008-present Sonatype, Inc.