I have been able to successfully integrate Okta authorization into our application, either by using the Okata plug-in on a custom login-to-okta.html page or checking the StatusCode from the PostResponse(url As String, content As String, ByRef statusCode As HttpStatusCode) As Byte()) function provided through the StackOverflow site.
The problem I have with both of these methods is that this is only authenticating the user, it is not checking to see if the user has access to the app, and in fact, in neither of these cases are we able to pass to Okta any application specific info.
I would much prefer using the plug-in, but either method is acceptable provided we can authenticate a user’s ability to access the app that is managed in that user’s profile in Okta.
BTW, I had emailed Okta support but have not received a reply as yet.
Thanks In Advance
Basically Okta and an IDP is primarily designed to tell you who the user is via a SAML assertion. They they are getting successfully authenticated into your app and they shouldn't be, you should not permit them via the Okta application or you should implement some check at the point of authentication.
Related
I'm sorry if this question is asked before, but I'm still confused.
I'm currently creating a REST API with laravel. I'm using passport to secure the API-endpoints. The API should be used/accessed from several websites and SPA's. BUT all this sites need to access the API on there own behalf. So there is no user that need to sign in! I found a lot of tutorials that cover the topic of authorization and authentication but only on behalf of a user.
So my question is: What oauth grant type shoud i use to secure my API considering that all api consumers act on there own behalf?
I tried to use the client credential grant because the documentation said that
The client credentials grant is suitable for machine-to-machine authentication.
But that creates a bearer token and it seems not save to store it in a SPA or generally on client side.
Has someone experience in this topic and can please provide an answer (maybe with a short explanation)?
A simple example of how I want to use some endpoints of the API to provide some context:
I created a location endpoint that receives a zip code and returns all the relevant places. I want to use this in a form. So that the user inputs his zip code and dynamically receives all the places in a select box, so that he can choose one and proceed with the form.
Thanks in advance!
I want to build a web application in Go. I'm using Google App Engine for deployment combined with Identity Aware Proxy (IAP) to authenticate user access.
I want to know how to access the authentication to get the user email, which I can link to app data stored in a back end database. Essentially I want to avoid my users logging in and then having to authenticate again to get their profiles from the back end.
I have looked into the IAP documentation and I can see it uses JWT Headers and that is where my knowledge lacks. My guess would be a link to the incoming request which accesses those headers to get the email.
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I am trying to build an app in Laravel that uses the OneLogin API to provide a seamless integration with their data.
Part of the users' data is displayed in an embedded Tableau view (hosted on Tableau Online).
I have successfully added the Tableau app in OneLogin.
I have also
setup the SAML authentication - working
Laravel app can get a token and assertion via API from OneLogin
My understanding is that the SAML assertion is supposed to authenticate the user whose details were sent as part of the assertion, however, after receiving the assertion and redirecting to the view with the embedded Tableau view, the user is prompted to log in.
This kind of defeats the purpose of the assertion.
User prompted to log in:
Application storage:
Am I missing (misusing) the purpose of the assertion?
Should the assertion be added to the session?
How can I authenticate the user once without having them providing credentials for all the services used in the app?
I think you missed to enable iframe embedding.
When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing-on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain an embedded visualizations.
Reference: https://onlinehelp.tableau.com/current/online/en-us/saml_config_onelogin.htm#enable-iframe-embedding
I'm currently writing a web application, which should access user facebook data.
The problem is, that many users access via proxy (all facebook urls are blocked) and therefore it's not possible to use the default oauth mechanism provided by facebook. Any ideas?
Best Regards
Markus
The user must be able to access facebook's servers to authenticate your app.