OKTA logs a successful signin but returns to logon page with error?code= - okta

Okta noob here and hoping the hive-mind could help.
while I have a successful log int to OKTA according to the logs, it returns to an error page with a url similar to the following
localhost:8080/error?code=Tp59q3-more of the hash-W1EP&state=z8JF0llhhMe-more of the hash-e6iLs1A5Z5
I'm using the sample code here: https://github.com/okta/samples-js-angular/tree/master/okta-hosted-login, which I had previously working. That is, up until the point I added my own custom code to the project.
the things that has me scratching my head is the Login challenge/response dialog for passwords appears as expected, the okta dashboard records a successful login. The redirect URL gives me a hash whereas the help documents don't indicate that is the case.
So not sure if I'm getting a head fake from the error? query string.
The response code I'm receiving is 200.
It doesn't make sense that a dev site would obscure error codes. so any guidance would be appreciated. Do I need to decode these hashes? Is this a redirect issue?
const { CLIENT_ID, ISSUER, OKTA_TESTING_DISABLEHTTPSCHECK } = process.env;
export default {
oidc: {
clientId: `${CLIENT_ID}`,
issuer: `${ISSUER}`,
redirectUri: window.location.origin + '/login/callback',
scopes: ['openid', 'profile', 'email'],
pkce: true,
testing: {
disableHttpsCheck: `${OKTA_TESTING_DISABLEHTTPSCHECK}`
}
},
resourceServer: {
messagesUrl: 'http://localhost:8000/api/messages'
},
};

Related

Spring Keycloak Adapter sometimes returns with "Token is not active" when uploading files

lately we are facing an issue that our Spring Boot backend service (stateless REST service) SOMETIMES returns an HTTP 401 (Unauthorized) error when users try to upload files >70 MB (or in other words, when the request takes longer than just a couple of seconds). This does not occur consistently and only happens sometimes (~every second or third attempt).
The www-authenticate header contains the following in these cases:
Bearer realm="test", error "invalid_token", error_description="Token is not active"
Our Spring (Boot) configuration is simple:
keycloak.auth-server-url=${KEYCLOAK_URL:http://keycloak:8080/auth}
keycloak.realm=${KEYCLOAK_REALM:test}
keycloak.resource=${KEYCLOAK_CLIENT:test}
keycloak.cors=true
keycloak.bearer-only=true
Essentially, our frontend code uses keycloak-js and does the following to keep the access token fresh:
setInterval(() => {
// updates the token if it expires within the next 5s
this.keycloak.updateToken(5).then((refreshed) => {
console.log('Access token updated:', refreshed)
if (refreshed) {
store.commit(AuthMutationTypes.SET_TOKEN, this.keycloak.token);
}
}).catch(() => {
console.log('Failed to refresh token');
});
}, 300);
Further, we use Axios and a respective request filter to inject the current token:
axios.interceptors.request.use(
(request: AxiosRequestConfig) => {
if (store.getters.isAuthenticated) {
request.headers.Authorization = 'Bearer ' + store.getters.token;
}
return request;
}
);
This worked very well so far and we have never experienced such a thing for our usual GETs/POSTs/PUTs etc. This happens only when users try to upload files larger than (around) 70MBish.
Any hint or tip how to debug this any further? We appreciate any help...
Cheers

MSAL and OAuth 2.0 - Request an authorization code programmatically

Goal is to get access token from MSAL programmatically for Cypress e2e tests.
We use V2.0 API.
According to this I first need to get the authorization code: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code
to get the access token https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token
So in order to get authorization code I would need to do this request
// GET
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
But this returns text/html so I would need to manually login to get the code.
Is there any way to progammatically to get the authorization code?
This is how I got it solved by creating a login command. The command fetches the token programatically and stores it into localStorage.
import 'cypress-localstorage-commands';
Cypress.Commands.add('login', () => {
const request = {
method: 'POST',
form: true,
url: `https://login.microsoftonline.com/${Cypress.config('tenantId')}/oauth2/v2.0/token`,
body: {
grant_type: 'client_credentials',
client_id: Cypress.config('clientId'),
client_secret: Cypress.config('clientSecret'),
scope: `${Cypress.config('clientId')}/.default`,
},
};
cy.request(request).then(response => cy.setLocalStorage('msal.idtoken', response.body.access_token));
});

Microsoft Graph API /me/people 403 forbidden error

I am getting 403 Forbidden error while trying to use /me/people to get a list of contacts on Outlook. This is working on Graph Explore, but not in my application.
try {
const response = await axios({
method: 'get',
url: 'https://graph.microsoft.com/v1.0/me/people',
headers: {
Authorization: `Bearer ${req.user.accessToken}`,
},
});
res.send(response.data);
} catch (err) {
console.error(err);
}
My guess is the token that you're using doesn't have enough permissions. According to the documentation for GET /v1.0/me/people at https://learn.microsoft.com/en-us/graph/api/user-list-people?view=graph-rest-1.0&tabs=http you need People.Read or People.Read.All. Can you confirm you have those in the access token?
What this means is when users login to your application with their Microsoft account they'll be prompted to give your app access to their contacts. If you're writing an app that runs without user interaction (background process) you should follow these steps for authorizing your application.

Smart Home sample, "Couldn't update settings please check your connection"

My goal is to get the "Turn on the light" message when I say that to my Google Home. To do that, I visited their documentation page, which listed this sample code. I downloaded it and run it locally. Even thought I ran it locally, by default it was available publicly at "https://something.ngrok.io".
I opened the page and added a new light (I chose monochrome, because it looked simpler than RGB light) like this.
Then, I created a project "Fake Light" at Actions on Google.
Now, I see that app when I click "Add devices" on the Google Home app like below. If I click it, it shows the OAuth page, but when I tried to log in, it says, "Couldn't update settings please check your connection".
The NPM console log is like the following (I censored out some parts):
login successful rick
authCode successful 5*************************
GET /oauth?response_type=code&client_id=***********&redirect_uri=https://oauth-redirect.googleusercontent.com/r/******** 302 8.858 ms - 1418
/token query {}
/token body { grant_type: 'authorization_code',
code: '*****************',
redirect_uri: 'https://oauth-redirect.googleusercontent.com/r/*****************',
client_id: 'ZxjqWpsYj3',
client_secret: 'hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv' }
getClient ZxjqWpsYj3, hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv
return getClient { clientId: 'ZxjqWpsYj3',
clientSecret: 'hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv' }
client { clientId: 'ZxjqWpsYj3',
clientSecret: 'hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv' }
handleAuthCode {}
getClient ZxjqWpsYj3, hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv
return getClient { clientId: 'ZxjqWpsYj3',
clientSecret: 'hIMH3uWlMVrqa7FAbKLBoNUMCyLCtv' }
getAccessToken = { uid: '1234',
accessToken: '*****************',
refreshToken: '*****************',
userId: '1234' }
return getAccessToken = { token_type: 'bearer',
access_token: '*****************',
refresh_token: '*****************' }
respond success { token_type: 'bearer',
access_token: '*****************',
refresh_token: '*****************' }
POST /token 200 6.401 ms - 100
POST / 404 0.401 ms - 140
I used the sample account rick/oldman. The last log did show "404" but I am not sure why this happens.
The fulfilment address had to contain "/smarthome". I had entered "https://xxxxxxxx.ngrok.io". I changed it to "https://xxxxxxxx.ngrok.io/smarthome" and the error did not happen again.
https://github.com/actions-on-google/smart-home-nodejs/issues/58

Okta Authentication works but Get User by Id gives Invalid Token Provided

I have a Django app that authenticates using Okta:
headers = {
'Authorization': 'SSWS {}'.format(<okta api token>),
'Accept': 'application/json',
'Content-Type': 'application/json'
}
authentication_payload = {
'username': <username>,
'password': <password>
}
response = requests.post(
<okta auth endpoint>,
headers=headers,
data=json.dumps(authentication_payload)
)
This works successfully. From the response content I am able to get the User Id:
content = json.loads(r.content.decode('utf-8'))
okta_user_id = content['_embedded']['user']['id']
I then use the okta_user_id to create the endpoint to get the okta user by id:
okta_user_endpoint = https://<org>.okta.com/api/v1/users/<okta_user_id>
I then use the same headers from the authentication call, with the same api token, and try to get the user by id:
user_response = requests.get(
okta_user_endpoint,
headers=headers
)
But this is unsuccessful. I get a 401 error with the following content:
{
"errorCode":"E0000011",
"errorSummary":"Invalid token provided",
"errorLink":"E0000011",
"errorCauses":[]
}
Seems straight forward with an invalid token, but if the token is invalid how am I able to successfully make the authentication call? And if the token if valid for the authentication call why is it not working to get the user by id?
Okta recently changed the way that the /authn endpoint works. The /authn endpoint no longer requires an authentication token. This was done in order to support single-page applications.
It looks like your application will need to be able to fetch user information on an arbitrary user. In that case, using an Okta API token makes sense.
However, if you were making that call from a single-page application, you would want to make a request to the /users/me API endpoint.

Resources