I used the code at https://github.com/oktadeveloper/okta-spring-boot-saml-example to understand how to use Okta for SSO. We are using SAML. My question is how to detect if the session is still valid and if not, redirect the user to the Okta log in page.
I tried using HttpSession but I did not know how to link it to Okta.
If someone can give me a few pointers as to where to start, I would appreciate it.
Thanks
The short and best answer is no.
You can use Javascript on the browser to see if the User still has a live session with Okta using this:
https://developer.okta.com/docs/reference/api/sessions/#get-current-session
There is a way using the Sessions API to authenticate a User, and then check to make sure the session is still valid, but managing the state creates more headaches than it's worth. I would not suggest doing this.
If you are using Oauth 2.0, then it's easier, you can just redirect the User to Okta and perform a re-authorize more easily, plus Oauth 2.0 tells you when the token was minted.
Related
As part of integrating with Okta using OIDC, I am trying to understand if we need to contact Okta to end the session when a user logs out in the app? I am able to login using Okta as an IdP and then logout from the app at which point logging in again requires contacting Okta again. So what is the real need for ending session when a user logs out?
Okta is best-placed to answer in their particular case - being the OP (OIDC Provider) that you're using, but at least in terms of invalidating your tokens - both potentially on their (backend) side, as well as orchestrating all that is required (as part of their possibly custom workflow/process) upon the client side too, so that both sides are fully aware of the log out having taken place; so yes, it's best to, for one (probable) reason or another.
I managed to successfully complete the OAuth flow and gain access token for the user. The OAuth is on a separate server & identity provider (OpenID Connect).
Now, I need to add middleware to check that the user is authenticated throughout his session in the application.
Any idea/directions on how I can manage this? Quite lost.
Seems like Pathfix does exactly what you are looking for. It is a Serverless OAuth Middleware, If you want to try it out. Might save you a whole lot of time setting up and deploying a middleware.
Disclaimer: I am part of the Pathfix Team :)
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.
Can anyone tell me how I could go about authenticating with the various OAuth login mechanisms on the internets (Twitter, Facebook) so that I can run scripts against these services.
As an example, right now when I use Facebook data I goto graph.facebook.com and copy paste the access key from the URL. Obviously this is a bad approach, it has sufficed for now, but is not really an option anymore :)
I've checked out the documentation on the facebook site in particular which requests that I use a callback urL and so on. I'd like to be able to make a call from a ruby script which requests the OAuth token instead.
Is this even possible?
P.s This would be using my own credentials.
Yes, it is possible. http://developers.facebook.com/docs/authentication/ "Authenticating as an Application" section.
You can get the Access Token using a web redirection, and then store it to perform further offline operations. Some APIs need explicit user scope permission to do that.