
OmniAuth Okta OAuth2 Strategy

Strategy to authenticate with Okta via OAuth2 in OmniAuth.

This strategy uses Okta's OpenID Connect API with OAuth2. See their developer docs for more details.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-okta'

And then execute:

$ bundle install

Or install it yourself as:

$ gem install omniauth-okta

OmniAuth

Here's an example for adding the middleware to a Rails app in config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
    client_options: {
      site:                 'https://your-org.okta.com',
      authorization_server: '<authorization_server>',
      authorize_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
      token_url:            'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
      user_info_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
      audience:             'api://your-audience'
    }
  }
end

Devise

First define your application id and secret in config/initializers/devise.rb.

Configuration options can be passed as the last parameter here as key/value pairs.

config.omniauth :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {}

or add options like the following:

  require 'omniauth-okta'
  config.omniauth(:okta,
                  ENV['OKTA_CLIENT_ID'],
                  ENV['OKTA_CLIENT_SECRET'],
                  scope: 'openid profile email',
                  fields: ['profile', 'email'],
                  client_options: {
                    site:          'https://your-org.okta.com',
                    authorize_url: 'https://your-org.okta.com/oauth2/default/v1/authorize',
                    token_url:     'https://your-org.okta.com/oauth2/default/v1/token',
                    user_info_url: 'https://your-org.okta.com/oauth2/default/v1/userinfo',
                  },
                  strategy_class: OmniAuth::Strategies::Okta)

Then add the following to 'config/routes.rb' so the callback routes are defined.

devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }

Make sure your model is omniauthable. Generally this is "/app/models/user.rb".

devise :omniauthable, omniauth_providers: [:okta]

Auth Hash

Here's an example of an authentication hash available in the callback by accessing request.env['omniauth.auth']:

{
  "provider" => "okta",
  "uid" => "0000000000000001",
  "info" => {
    "name" => "John Smith",
    "email" => "[email protected]",
    "first_name" => "John",
    "last_name" => "Smith",
    "image" => "https://photohosting.com/john.jpg"
  },
  "credentials" => {
    "token" => "TOKEN",
    "expires_at" => 1496617411,
    "expires" => true
  },
  "extra" => {
    "raw_info" => {
      "sub" => "0000000000000001",
      "name" => "John Smith",
      "locale" => "en-US",
      "email" => "[email protected]",
      "picture" => "https://photohosting.com/john.jpg",
      "website" => "https://example.com",
      "preferred_username" => "[email protected]",
      "given_name" => "John",
      "family_name" => "Smith",
      "zoneinfo" => "America/Los_Angeles",
      "updated_at" => 1496611646,
      "email_verified" => true
    },
    "id_token" => "TOKEN",
    "id_info" => {
      "ver" => 1,
      "jti" => "AT.D2sslkfjdsldjf899n090sldkfj",
      "iss" => "https://your-org.okta.com",
      "aud" => "https://your-org.okta.com",
      "sub" => "[email protected]",
      "iat" => 1496613811,
      "exp" => 1496617411,
      "cid" => "CLIENT_ID",
      "uid" => "0000000000000001",
      "scp" => ["email", "profile", "openid"]
    }
  }
}

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

License

The gem is available as open source under the terms of the MIT License.


omniauth-okta's Issues

The authorization code is invalid or has expired

Seems that when using the embed url for an app in Okta this is not working correctly. I end up getting an invalid credentials error omniauth: (okta_oauth) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: The authorization code is invalid or has expired.

Here are the logs returned in Okta when trying to sign in. Seems like it works until the last step it makes another call and the authorization code is somehow invalid (maybe this is a double use kind of situation?)
[Screenshot: Screen Shot 2022-08-31 at 3 38 54 PM]

Here is the setup in initializers:

require 'omniauth-okta'
config.omniauth :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
  name: :okta_oauth,
  scope: 'openid profile email phone mobilePhone',
  provider_ignores_state: true, # TODO: seems we need this for the Okta sign in link to work
  client_options: {
    site:          "https://#{ENV['OKTA_APP_URL']}",
    authorize_url: "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/authorize",
    token_url:     "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/token",
    user_info_url: "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/userinfo",
  },
  strategy_class: OmniAuth::Strategies::Okta
}

I noticed that I needed to set the :provider_ignores_state flag to true, otherwise I get a CSRF error which I also couldn't seem to resolve otherwise. For reference I'm on omniauth-okta version 0.1.3

How to add omniauth-okta without devise?

Hi!

I added this code with credentials

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
    client_options: {
      site:                 'https://your-org.okta.com',
      authorization_server: '<authorization_server>',
      authorize_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize',
      token_url:            'https://your-org.okta.com/oauth2/<authorization_server>/v1/token',
      user_info_url:        'https://your-org.okta.com/oauth2/<authorization_server>/v1/userinfo',
      audience:             'api://your-audience'
    }
  }
end

But after restarting Rails, I go to /auth/okta and receive a 404.
According to the docs I need to pass provider name ( https://github.com/omniauth/omniauth#integrating-omniauth-into-your-application)

Can you please describe what causes the problem?
Update: this fork works without devise (https://github.com/andrewvanbeek-okta/omniauth-oktaoauth)

Getting the token in an authorize grant request

I'm attempting to use Omniauth to implement an authorization code grant-type through Okta. I've implemented a strategy that is nearly identical to that in the okta omniauth gem. I've added the necessary code to the devise initializer and it easily retrieves the authorization code and grant type from the authorization endpoint. However, when it returns the parameters to the redirect_uri, I don't understand how to get the strategy to initiate the callback_phase method which is necessary to exchange the code for an access token with the token endpoint. As a result, the auth hash is not created so the User.from_omniauth call in my controller throws an error.

Question: How do I deliver the access code to my strategy to retrieve the access token?

Any help would be greatly appreciated.

Strategy:

# frozen_string_literal: true

require 'omniauth'
require 'net/http'
require 'omniauth-oauth2'
require 'jwt' # needed by validated_token below

module OmniAuth
  module Strategies
    class Moto < OmniAuth::Strategies::OAuth2

      ORG           = AUTH['oauth2']['moto']['OKTA_ORG']    || 'your-org'
      DOMAIN        = AUTH['oauth2']['moto']['OKTA_DOMAIN'] || "https://#{ORG}.okta.com"
      BASE_URL      = DOMAIN
      DEFAULT_SCOPE = %[openid profile email].freeze

      option :name, 'moto'

      option :skip_jwt, false
      option :jwt_leeway, 60
      option :redirect_uri, AUTH['oauth2']['moto']['redirect']

      option :client_options, {
        site:          BASE_URL,
        authorize_url: "#{BASE_URL}/oauth2/v1/authorize",
        token_url:     "#{BASE_URL}/oauth2/v1/token",
        response_type: 'authorization_code'
      }

      option :scope, DEFAULT_SCOPE

      uid { raw_info['sub'] }

      info do
        {
          name:       raw_info['name'],
          email:      raw_info['email'],
          first_name: raw_info['given_name'],
          last_name:  raw_info['family_name'],
          image:      raw_info['picture']
        }
      end

      extra do
        hash = {}
        hash[:raw_info] = raw_info unless skip_info?
        hash[:id_token] = access_token.token
        if !options[:skip_jwt] && !access_token.token.nil?
          hash[:id_info] = validated_token(access_token.token)
        end
        hash
      end

      alias :oauth2_access_token :access_token

      def access_token
        puts "in access token"
        ::OAuth2::AccessToken.new(client, oauth2_access_token.token, {
          :refresh_token => oauth2_access_token.refresh_token,
          :expires_in    => oauth2_access_token.expires_in,
          :expires_at    => oauth2_access_token.expires_at
        })
      end

      def raw_info
        @_raw_info ||= access_token.get('/oauth2/v1/userinfo').parsed || {}
      rescue ::Errno::ETIMEDOUT
        raise ::Timeout::Error
      end

      def request_phase
        puts "In request phase"
        super
      end

      def callback_phase
        puts "in callback phase"
        build_access_token
        super
      end

      def callback_url
        options[:redirect_uri] || (full_host + script_name + callback_path)
      end

      def validated_token(token)
        JWT.decode(token,
                   nil,
                   false,
                   verify_iss:        true,
                   iss:               BASE_URL,
                   verify_aud:        true,
                   aud:               BASE_URL,
                   verify_sub:        true,
                   verify_expiration: true,
                   verify_not_before: true,
                   verify_iat:        true,
                   verify_jti:        false,
                   leeway:            options[:jwt_leeway]
                   ).first
      end
    end
  end
end

controller callback

class OmniauthController < Devise::OmniauthCallbacksController
  def moto_callback
    # You need to implement the method below in your model (e.g. app/models/user.rb)
    puts "Request env #{env['omniauth.auth']}"
    logger.debug "Request env #{env['omniauth.auth']}"
    @user = User.from_omniauth(request.env["omniauth.auth"])
    print(@user)
    if @user.save
      session[:oktastate] = request.env["omniauth.auth"]
      print(@user.oauth_permissions(session[:oktastate]))
    else
      print(@user.errors.full_messages)
    end
    if @user.persisted?
      redirect_to "/users"
    end
  end
end

initializer/devise.rb

config.omniauth(:moto, AUTH['oauth2']['moto']['OKTA_CLIENT_ID'], AUTH['oauth2']['moto']

500 error from Okta. Omniauth error, invalid credentials.

Hi team,

Need some insight/help from you. (Long post ahead)

I'm in the process of integrating Okta into our app, which currently uses Clearance as an authentication tool. Our goal is to integrate Okta as a second sign in option.

We run a Ruby on Rails app, and are using omniauth and omniauth-okta gems in development.

Here's our Omniauth Builder code snippet:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :okta, Rails.application.credentials.OKTA_CLIENT_ID, Rails.application.credentials.OKTA_CLIENT_SECRET, {
    client_options: {
      site:                 'https://dev-934210.okta.com',
      authorization_server: 'https://dev-934210.okta.com/oauth2/default',
      authorize_url:        'https://dev-934210.okta.com/oauth2/default/v1/authorize',
      token_url:            'https://dev-934210.okta.com/oauth2/default/v1/token',
      user_info_url:        'https://dev-934210.okta.com/oauth2/default/v1/userinfo',
      audience:             'api://default',
      redirect_uri:         'http://localhost:3000/auth/okta/callback'
    }
  }
end

Routes:

  get '/login', to: redirect('/auth/okta')
  get "/auth/:provider/callback" => "sessions#create_from_omniauth"

Sessions controller:

class SessionsController < Clearance::SessionsController
  def create_from_omniauth
    auth_hash = request.env["omniauth.auth"]

    authentication = Authentication.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"]) || Authentication.create_with_omniauth(auth_hash)
    if authentication.user
      user = authentication.user 
      authentication.update_token(auth_hash)
      @next = root_url
      @notice = "Signed in!"
    else
      user = User.create_with_auth_and_hash(authentication,auth_hash)
      @next = edit_user_path(user)   
      @notice = "User created - confirm or edit details..."
    end
    sign_in(user)
    redirect_to @next, :notice => @notice
  end
end

Currently, I can successfully reach the login page hosted by Okta, but once I enter my username and password, I consistently reach the same error, shown in the following screenshot:

[Screenshot: Screen Shot 2020-08-12 at 3 25 58 PM]

Terminal output:

Started GET "/auth/okta" for ::1 at 2020-08-10 14:04:59 -0500
I, [2020-08-10T14:04:59.608267 #99101]  INFO -- omniauth: (okta) Request phase initiated.
Started GET "/auth/okta/callback?code=0dlprTDQxVGZKx-jafvh&state=f175cc7828a27c0029bcf74f1a7860d1a37a1b279bd46abf" for ::1 at 2020-08-10 14:05:10 -0500
I, [2020-08-10T14:05:10.515149 #99101]  INFO -- omniauth: (okta) Callback phase initiated.
E, [2020-08-10T14:05:11.240164 #99101] ERROR -- omniauth: (okta) Authentication failure! invalid_credentials: OAuth2::Error,

OAuth2::Error ():

oauth2 (1.4.4) lib/oauth2/client.rb:120:in `request'
oauth2 (1.4.4) lib/oauth2/access_token.rb:107:in `request'
oauth2 (1.4.4) lib/oauth2/access_token.rb:114:in `get'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:60:in `raw_info'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:28:in `block in <class:Okta>'
omniauth (1.9.1) lib/omniauth/strategy.rb:109:in `instance_eval'
omniauth (1.9.1) lib/omniauth/strategy.rb:109:in `block in compile_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `each'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `inject'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `compile_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:102:in `uid_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:332:in `uid'
omniauth (1.9.1) lib/omniauth/strategy.rb:348:in `auth_hash'
omniauth (1.9.1) lib/omniauth/strategy.rb:372:in `callback_phase'
omniauth-oauth2 (1.7.0) lib/omniauth/strategies/oauth2.rb:93:in `callback_phase'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:70:in `callback_phase'
omniauth (1.9.1) lib/omniauth/strategy.rb:238:in `callback_call'
omniauth (1.9.1) lib/omniauth/strategy.rb:189:in `call!'
omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
remotipart (1.4.2) lib/remotipart/middleware.rb:32:in `call'
clearance (1.16.1) lib/clearance/rack_session.rb:23:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:27:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack (5.2.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/cookies.rb:670:in `call'
activerecord (5.2.2.1) lib/active_record/migration.rb:559:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (5.2.2.1) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (5.2.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
rollbar (2.19.3) lib/rollbar/middleware/rails/rollbar.rb:25:in `block in call'
rollbar (2.19.3) lib/rollbar.rb:145:in `scoped'
rollbar (2.19.3) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
rollbar (2.19.3) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
web-console (3.7.0) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.7.0) lib/web_console/middleware.rb:30:in `block in call'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `catch'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (5.2.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (5.2.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:71:in `block in tagged'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:71:in `tagged'
railties (5.2.2.1) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.2.3) lib/rack/method_override.rb:24:in `call'
rack (2.2.3) lib/rack/runtime.rb:22:in `call'
activesupport (5.2.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/static.rb:127:in `call'
rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
railties (5.2.2.1) lib/rails/engine.rb:524:in `call'
puma (3.12.1) lib/puma/configuration.rb:227:in `call'
puma (3.12.1) lib/puma/server.rb:660:in `handle_request'
puma (3.12.1) lib/puma/server.rb:474:in `process_client'
puma (3.12.1) lib/puma/server.rb:334:in `block in run'
puma (3.12.1) lib/puma/thread_pool.rb:135:in `block in spawn_thread'

Since I got an error saying invalid credentials, I naturally double- and triple-checked my Okta client ID, Okta client secret, and login username and password; even though they are correct, I'm still getting the same error over and over.

I reached out to Okta Support, provided them a HAR network trace file, and got the following response:
"There is a 500 on the callback route of the application. I don't see any errors at Okta's end. This could be an issue at the callback route handling the response from Okta. Unfortunately, omniauth-okta is not maintained by Okta, you might have to file an issue in their github if we are unable to figure out."

So here I am, looking for help. Any insight would be greatly appreciated.
Thanks, team!

Machine 2 Machine Auth

Is it possible to use omniauth-okta with devise to do Machine to Machine authentication?
If so, do you have an example of how to do so?

Incompatible with dotenv

I've noticed a funny issue, which is that the way env vars are used to set constants is incompatible with using dotenv for setting environmental paths.

My hunch is that this has something to do with the way bundler follows requires.

I think the fastest fix would be to eliminate these lines:

      ORG           = ENV['OKTA_ORG']    || 'your-org'
      DOMAIN        = ENV['OKTA_DOMAIN'] || 'okta'
      BASE_URL      = "https://#{ORG}.#{DOMAIN}.com"
      DEFAULT_SCOPE = %[openid profile email].freeze

And instead reference ENV wherever the constants were called.

Thoughts?

Support for multi-tenancy?

Okta is quite explicit about their view on multi-tenancy (See: https://developer.okta.com/docs/guides/build-sso-integration/openidconnect/main/#multi-tenancy). They mandate full support of multi-tenancy to be added in the approved list of integration (the OIN network).

A typical SAAS service that serves B2B customers - who might be using Okta as their identity provider - will have to manage many client_id, secret, and site. Typically, one per customer using Okta, or even more than one according to the doc above.

As far as I can see, the config needs to be set in an initialiser, making it impossible to support multi-tenancy with this library. Is there something I am missing in this strategy that would allow for the config to be dynamically loaded on a customer-per-customer basis?

No refresh token coming back

Hi,

Trying to integrate Okta with my application. I've used omniauth for other providers with no problems.

My client configuration is as follows:

config.omniauth :oktaoauth, OKTA_OAUTH2_CLIENT_ID, OKTA_OAUTH2_CLIENT_SECRET, {
  scope: 'openid profile email offline_access',
  fields: ['profile', 'email'],
  client_options: {
    site: OKTA_ISSUER,
    authorize_url: OKTA_ISSUER + '/oauth2/v1/authorize',
    token_url: OKTA_ISSUER + '/oauth2/v1/token',
    response_type: 'code',
  },
  redirect_uri: <snip>,
  issuer: OKTA_ISSUER,
  strategy_class: OmniAuth::Strategies::Oktaoauth,
}

However, when I inspect the auth_hash coming back, there's no refresh_token present. There is an id_token/token present.

The corresponding application on Okta's end has refresh tokens enabled. When I use curl to perform the authorize and corresponding token flow, I get back a refresh_token.

What am I missing to enable this Ruby-side?

Thanks!

Gem release?

Would it be possible to get a new gem released? It looks like a few patches have been merged which means I can get off the fork I was using, would be great to move over to a released version of the gem as well.

Thanks!

Token claims are not verified

Security bug(??)

The call to JWT.decode()

    JWT.decode(token,
               nil,
               false,
               verify_iss: true,
               verify_aud: true,
               iss: authorization_server_path,
               aud: authorization_server_audience,
               verify_sub: true,
               verify_expiration: true,
               verify_not_before: true,
               verify_iat: true,
               verify_jti: false,
               leeway: options[:jwt_leeway]
               ).first

requires verify = true (the third argument) to allow claim verification.

The verify_* options do not do anything unless verify = true (line 99).

see: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32
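As an added example (not code from omniauth-okta or from this issue), the unverified decode beside a verifying one, using only the Ruby standard library. It assumes HS256 with a shared secret as a stand-in for Okta's RS256 signing so it runs offline; every token and secret in it is constructed.

```ruby
require 'openssl'
require 'json'

# JWT uses base64url without padding; pack('m0') avoids needing the base64 gem.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Constant-time comparison of two byte strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed HS256 token. Okta signs ID tokens with RS256; HS256 with a shared
# secret is an assumption that keeps this example offline and stdlib-only.
def sign_jwt(claims, secret)
  input = "#{b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# What JWT.decode(token, nil, false, ...) amounts to: the payload is base64-decoded
# and returned. Neither the signature nor any claim is checked, whatever verify_*
# options were passed alongside.
def decode_unverified(token)
  JSON.parse(b64url_decode(token.split('.')[1]))
end

# What the strategy needs instead: signature first, then the claims the gem lists
# as verify_* options (iss, aud, exp with leeway, nbf, iat).
def decode_verified(token, secret:, iss:, aud:, leeway: 60, now: Time.now.to_i)
  h, p, s = token.split('.')
  raise 'malformed token' unless h && p && s
  raise 'unexpected alg' unless JSON.parse(b64url_decode(h))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}")
  raise 'bad signature' unless secure_equal?(expected, b64url_decode(s))
  claims = JSON.parse(b64url_decode(p))
  raise 'bad iss' unless claims['iss'] == iss
  raise 'bad aud' unless Array(claims['aud']).include?(aud)
  raise 'expired' unless claims['exp'].is_a?(Integer) && now <= claims['exp'] + leeway
  raise 'not yet valid' if claims['nbf'] && now + leeway < claims['nbf']
  raise 'iat in future' if claims['iat'] && now + leeway < claims['iat']
  claims
end

# Rejection reason, or nil when the token verifies.
def rejection_reason(token, **opts)
  decode_verified(token, **opts)
  nil
rescue StandardError => e
  e.message
end

ISSUER = 'https://your-org.okta.com/oauth2/default'

# Two constructed tokens, both correctly signed under the shared secret: a valid
# one and one from a different issuer that expired an hour ago.
def demo_tokens(secret, now)
  base = { 'aud' => 'CLIENT_ID', 'sub' => '0000000000000001' }
  good  = sign_jwt(base.merge('iss' => ISSUER, 'iat' => now - 10, 'exp' => now + 3600), secret)
  stale = sign_jwt(base.merge('iss' => 'https://other-org.okta.com/oauth2/default',
                              'iat' => now - 7200, 'exp' => now - 3600), secret)
  [good, stale]
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'
  now = Time.now.to_i
  good, stale = demo_tokens(secret, now)
  opts = { secret: secret, iss: ISSUER, aud: 'CLIENT_ID', now: now }
  puts "unverified decode of stale token returns iss=#{decode_unverified(stale)['iss']}"
  puts "verified decode of good token: #{rejection_reason(good, **opts).inspect}"
  puts "verified decode of stale token: #{rejection_reason(stale, **opts)}"
end
```

The unverified path returns the stale token's claims unchanged, which is why the issuer and expiry values passed as verify_* options never take effect in the gem's call.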

Issues while deploying the app under a subdirectory

Hey!

I have a Rails app deployed under a subdirectory as the manual shows and I'm having issues with Omniauth.

The route generated by user_okta_omniauth_authorize_path seems to ignore the subdirectory and generates the URL without it.

Any ideas on how I can work around this?

I'm using Rails 6.1.4.1 with both this gem's latest version available on Rubygems and the master branch

Allow to configure `authorization_server_path` - i.e. JWT `iss`

Context

The omniauth-okta Gem assumes an authorization server is being used, so it appends /oauth2/default to the token issuer.

https://github.com/omniauth/omniauth-okta/blob/master/lib/omniauth/strategies/okta.rb#L89

This causes an Invalid issuer error when authorizing with our organization's Okta account. Since we don't use an authorization server, we need to only use the site as the issuer. We are getting around this issue with the following patch:

module OmniAuth
  module Strategies
    class Okta < OmniAuth::Strategies::OAuth2
      def authorization_server_path
        client_options.fetch(:site)
      end
    end
  end
end

Proposal

Add a configuration option to the strategy, allowing the full authorization server path - or JWT token issuer, if we want to be more explicit - to be inputted. By doing so, we give users of the Gem more flexibility to set any value they need.

Let me know if this sounds like a good idea so I can work on a pull request for it.

Publish gem with client_options fix

Hi, thanks for your work on this gem. I noticed that you merged in the fix for client_options in #1 but it doesn't look like the gem has been updated with those fixes.

Can you publish a new version with these fixes? I'm running into a JWT::InvalidIssuerError because the site url isn't matching.

How to access user_info?

Hello,

We have opted for a SETUP_PROC when handling multi-tenancy for Okta. This means, however, we need to access the user info BEFORE we get to the omniauth callbacks controller.

Since the gem can actually access the user info, is there a more low level way of retrieving the user information from the returned state and code that's in the callback URL?

POST, CORS and Turbo

If you're using Turbo, you might see this behavior when trying to follow the redirect from Omniauth:

The browser POSTs to the Rails server, gets the 302 redirect to Okta, but then fails on CORS verification. This happens when you are using Turbo in your Rails app, and to fix it you should make a login button like this:

<%= button_to "Login via Okta", user_okta_omniauth_authorize_path, method: :post, form: {"data-turbo" => "false"}%>

I figured this out by following what this comment said:
hotwired/turbo#45 (comment)

This might be worth putting in the readme as a weird gotcha?

Devise and multi tenancy

Hey all,

We are trying to implement Okta as an SSO for our application.

As other (closed) issues have mentioned, multi tenancy for Okta requires us to host our users' credentials. This poses a problem, as we set up what Okta does through an initializer, hence we only have one set of credentials. We need to dynamically change these as users access our app through the Okta SSO button.

The closed issues mention you can use a SETUP_PROC to dynamically change the credentials, but in our case, this will not be possible.

We use Devise, so using Rails.application.config.middleware.use OmniAuth::Builder do will result in a frozen array issue.

Maybe I am missing an obvious way of solving this?
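As an added example (not code from the gem or from any of the posts above), here is what the setup proc mentioned in the closed issues can look like when it picks the Okta client per tenant. It assumes the tenant is identified by the request Host header and uses a constructed registry of two tenants; the client_options keys are the ones the README's initializer uses.

```ruby
# Constructed tenant registry keyed by the host the user arrives on; a real
# application would load this from its database.
TENANTS = {
  'acme.example.com' => {
    client_id: 'ACME_CLIENT_ID', client_secret: 'ACME_CLIENT_SECRET',
    site: 'https://acme.okta.com', authorization_server: 'default'
  },
  'globex.example.com' => {
    client_id: 'GLOBEX_CLIENT_ID', client_secret: 'GLOBEX_CLIENT_SECRET',
    site: 'https://globex.okta.com', authorization_server: 'aus1example'
  }
}.freeze

class UnknownTenantError < StandardError; end

# Host header without the port, lower-cased. Unknown hosts fail closed so the
# request phase never runs with another tenant's (or no) credentials.
# Assumption: the app trusts HTTP_HOST; behind a proxy you would use the
# forwarded host your Rails config already trusts.
def tenant_for(env)
  host = env.fetch('HTTP_HOST', '').split(':').first.to_s.downcase
  TENANTS.fetch(host) { raise UnknownTenantError, "no Okta tenant for host #{host.inspect}" }
end

# Same client_options the README's initializer sets, derived from the tenant's
# org URL and authorization server id.
def okta_client_options(tenant)
  base = "#{tenant[:site]}/oauth2/#{tenant[:authorization_server]}"
  {
    site: tenant[:site],
    authorization_server: tenant[:authorization_server],
    authorize_url: "#{base}/v1/authorize",
    token_url: "#{base}/v1/token",
    user_info_url: "#{base}/v1/userinfo"
  }
end

# OmniAuth calls the setup proc with the Rack env before both the request and
# the callback phase and exposes the strategy instance as env['omniauth.strategy'].
# Every tenant-dependent option is reassigned on each call, so nothing from the
# previous request can leak into this one.
OKTA_SETUP = lambda do |env|
  tenant = tenant_for(env)
  strategy = env.fetch('omniauth.strategy')
  strategy.options[:client_id] = tenant[:client_id]
  strategy.options[:client_secret] = tenant[:client_secret]
  strategy.options[:client_options] = okta_client_options(tenant)
end

# In config/initializers/devise.rb the proc replaces the static credentials:
#   config.omniauth :okta, nil, nil, setup: OKTA_SETUP, strategy_class: OmniAuth::Strategies::Okta
```

The callback phase must resolve the same tenant as the request phase, so key the lookup on something the redirect back from Okta preserves (the host, as here) rather than on session state set only during the request phase.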

/oauth2/v1/userinfo URL is hard-coded

Hello,

I notice /oauth2/v1/userinfo in #raw_info is a hard-coded URL. I have a case where it needs to include the auth server ID e.g. /oauth2//v1/userinfo. authorize_url and token_url are both configurable through client_options. Would it make sense to add userinfo_url to this list? I could submit a pull request, but first wanted to ask for feedback, or if I'm missing something.

CVE-2015-9284

Hi team.
Getting a warning from 'bundle audit':

Name: omniauth
Version: 1.9.0
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/809
Title: CSRF vulnerability in OmniAuth's request phase
Solution: remove or disable this gem until a patch is available!

Not sure if you have noticed this vulnerability URL: omniauth/omniauth#809 in omniauth, but I barely have any idea what's going on. :). There seems to be a fix/patch which converts GET to POST

link_to('Sign In with Okta', admin_user_okta_omniauth_authorize_path, class: "btn btn-success btn-block")

to

link_to('Sign In with Okta', admin_user_okta_omniauth_authorize_path, class: "btn btn-success btn-block", method: :post)

along with some other changes.

But apparently this doesn't work for Okta. Hope someone could help and explain if this is something that needs to be fixed and how I can fix it. Thanks.
