I'm trying to fit the Okta Asp.NET Core Mvc example (https://github.com/oktadeveloper/okta-aspnetcore-mvc-example) into my React Asp.Net Core app. (The reason I'm not using Okta's React example is that it uses Babel and my VS2017 React project uses Typescript.) The Mvc example runs fine against my Okta account, and my React app compiles and runs w the Okta SDK and other code copied from the Mvc example, but I can't get it to authenticate.
Okta returns an http 400: Identity Provider: unknown, Error Code: invalid request, Description: the 'redirect_uri' parameter must be an absolute Uri that is whitelisted in the client app settings.
All I've done is add [authorize] attribs to my controller and a button that requests account/login. Both actions return the same error. I do have the app Url in my Okta app settings.
This, most likely does not have anything to do with React/asp.net but the OIDC flow. If we strip down the SDK, your call to get the jwt token will look something like this: {{url}}/oauth2/v1/authorize?idp=0oae59ifqdtRaTT4G0h7&client_id={{client_id}}&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https://www.bing.com
note the redirect_uri above should be the listed in your application setting. To do that: go to Okta's admin dashboard > application >application > choose the application that you used the id of above, and add the above URL to "Login redirect URIs" in the general tab. If that is correct make sure there is no space in the above request.
Related
I have an old web app that uses Forms Authentication that we've converted to support SAML using Shibboleth. This part is complete and works fine. The app redirects to login.microsoftonline.com, allows a login against the customer's AD (hburg.kyschools.us), and redirects back to the app which now allows the authenticated user in.
The web app also has some ASP.NET Web API controllers that we'd like to authenticate the same way. This also seems to work when the controllers are accessed from a browser that has already logged in. So far, so good.
Now we want to access these Web API controllers from a WPF app. The WPF app has been accessing them for years but just using Basic Authentication. Looking for an example, I found this project on github that shows how to use MSAL:
https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2
This project will acquire a token via MSAL and then use it with HttpClient to call a web service. I can run this project and use it to log in to the same AD as above (hburg.kyschools.us). And then it can use HttpClient to access MS Graph.
Now, when instead I try to have the project call into my Web API controller using HttpClient, passing in the same token I received back from the hburg.kyschools.us AD, I get back the Log In page at login.microsoftonline.com, as if I haven't authenticated.
Can I use MSAL to get a token this way that can be used to access my web api via HttpClient from WPF? It seems like I'd need to tell MSAL that I want the token to include authorization for the web app. Is that done somehow in the scopes parameter?
We are creating a Xamarin Forms app, only Android for now, which connects to a web API also created by us (ASP.Net Core). I have managed to get OpenId Connect authentication working by:
Using Azure as the identity provider.
Using Android custom tabs to show the Microsoft's login page.
Detect when the custom tab is redirected to our redirect URL.
Get the id token and use it as the authentication bearer token sent to our web API.
Using JwtBearer authentication in the web API.
The problem appears when the id token expires. We want to get a new one without asking the user any question.
To do that, we repeat the authentication process by adding the prompt=none, id_token_hint=THE_TOKEN and login_hint=THE_USER parameters in the authentication request, as defined in the OpenId Connect specification, and supported by Azure.
During that request, we have an issue with the redirect URL:
If the redirect URL has a custom scheme (like myapp://...) Azure responds with an interaction_required error.
If the redirect URL has an HTTPS scheme, then Azure responds successfully (including the necessary parameters to continue the process), but I am not able to detect the redirect URL in the Android custom tab. So my app gets stuck in the custom tab trying to load my invalid redirect URL.
The explanation for #2 is that HTTPS URLs are handled by the browser (Chrome in this case), so it does not trigger any action that I can detect from my app. This seems reasonable.
I also tried to detect custom tab navigation events from Xamarin, trying to detect the event "manually", but failed. Such events are never triggered.
Now, as for #1, I do not have any reasonable explanation. So my question is:
Is there any way to make Azure accept a redirect URL with a custom scheme when trying to refresh an id token by using the standard prompt=none OpenId Connect parameter?
I am working on Xamarin Forms application and new to providing login authentication of the application. I have completed the design part of the application with using Entries for user id and password and button for Submit. Also, i am having web API and for authentication. Now how to connect that Web API in xamarin forms application for login.
Please guide or provide some use full samples...
Thanks in advance...!
I assume you've built out your authentication API already, and that you can make Fiddler or Postman calls directly to your controller, pass in a set of credentials, and return back a JWT / bearer token that you can then use for authenticated calls?
At this point, it's relatively simple then as you'll want to use build a proxy layer / API layer to make calls out to your API. These calls will simply mirror the ones you've made in Fiddler/Postman/your proxy of choice.
I used Refit to achieve this:
https://github.com/reactiveui/refit
Specifically, you can see on the "Setting request headers" section how they easily encapsulate it for you to pass your token.
Of course, your initial call should be to login, and then once logged in, take the JWT response back from your controller, set the token in your Keychain, and then pull it out of Keychain to set in the header.
Let me know specific questions you have? For example, which of the following do you need more info on?
Sending and parsing a response (serializing the response) from your Login action to set/assign a token in keychain?
Saving the token, and setting it in a header for subsequent calls?
Building a proxy layer using a framework like Refit to make generic outbound calls?
I am working through a process of validating the JWT after OKTA Login. I have a SPA Sample SPA Site that handles user login and calling an API.
SPA SITE
User Logins into OKTA
Obtains a JWT
Passes JWT to a .NET Web API (hosted on my own server not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need verify the JWT through an Authorization Server. I setup the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format of xxxx.okta.com/AS/{key}
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used well-known endpoint:
GET /.well-known/openid-configuration to get "jwks_uri", I used this url to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation is out of date. They have no ETA to any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well already then, time to look at Azure.
I am working on a Windows Phone 8 app and a ASP.NET MVC 5 website and each of these will access a WebApi service (WebApi 2). The website and WebApi are based on the templates provided by VS2013 RTM and have been setup using the "Individual Account" authentication option available in the project template.
The template sets up the WebApi project to enable bearer tokens, application cookies and external login cookies, etc, and the exposed actions have the Authorize attribute on them.
My two questions are:
1) If I were to use Azure Mobile Services to authenticate a user using Google/Twitter on the WP8 application how can I get the WebApi to allow the authenticated user to access the actions?
2) Same as #1, but from a ASP.NET MVC 5 website perspective?
From I what I can see it would appear that each request requires a bearer token. To get this token would I be correct in thinking that I would access the "token" endpoint exposed by the WebApi to get the token and that would need to be passed with each request?
For 1, you can use azure mobile service WP8 sdk to launch a browser control to authorize user from external site. The code should be similar with WebAuthenticationBroker in windows store app.
For 2, the web api template with individual auth is using an implicit flow in OAuth 2.0 to return the application access token back to client. In MVC app, you can redirect user to
http://<web api domain address>/api/account/externallogin?provider=Facebook&redirect_uri=<your callback url in MVC app>&response_type=token&client_id=mvc.
And in your MVC view, you need to use javascript to get access token from url fragment, which won't be sent to server. In your web api server, you need to allow the client id and the callback url in ApplicationOAuthProvider.
For both 1 and 2, you are not using token endpoint to get the token. You are using the authorize endpoint to get token by implicit flow.