401 status on login

MatthewFetzer · December 11, 2018, 6:37pm

I’m having an issue getting the login working for our application. I have set it up using this example project listed in your documentation. https://github.com/okta/samples-aspnet/tree/master/self-hosted-login/okta-aspnet-mvc-example

Html for login widget

<!-- Render the login widget here -->
    <div id="okta-login-container"></div>

    <form id="okta-submit-form" method="POST" action="Login">
        @Html.Hidden("sessionToken")
        @Html.Hidden("oktaUserId")
        @Html.AntiForgeryToken()
    </form>

    <!-- Script to init the widget -->
    <script>

    const signIn = new OktaSignIn({
        baseUrl: '@ViewBag.OktaOrgUrl'
        });

        signIn.renderEl({ el: '#okta-login-container' }, (res) => {
            $("#sessionToken").val(res.session.token);
            $("#oktaUserId").val(res.user.id);
            $("#okta-submit-form").submit();
    }, (err) => {
        console.error(err);
    });

        
    </script>

Startup code

public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;


        // Enable the application to use a cookie to store information for the signed in user
        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["OktaOrgUrl"],
            ClientId = ConfigurationManager.AppSettings["OktaClientId"],
            ClientSecret = ConfigurationManager.AppSettings["OktaClientSecret"],
            RedirectUri = "/authorization-code/callback",
            PostLogoutRedirectUri = "/Account/LogOff",
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });

    }

Login Post Method

    [HttpPost]
    [ValidateAntiForgeryToken, AllowAnonymous]
    public ActionResult Login(FormCollection form)
    {
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            var properties = new AuthenticationProperties();
            properties.Dictionary.Add("sessionToken", form.Get("sessionToken"));
            properties.RedirectUri = "/Home/Index";
            HttpContext.GetOwinContext().Authentication.Challenge(properties,OktaDefaults.MvcAuthenticationType);

            // I tried removing this and still same result
            return new HttpUnauthorizedResult();
        }

        return RedirectToAction("Index", "Home");
    }

Once the code hits this part in the login post method

HttpContext.GetOwinContext().Authentication.Challenge(properties,OktaDefaults.MvcAuthenticationType);

The owin response goes to 401.

Error response with stack trace

So im not exactly sure where to go from here. Any help would be great and let me know if you need more info and I will try to supply it.

nate.barbettini · January 3, 2019, 2:58am

Hey @MatthewFetzer, sorry for the long delay.

I noticed the error contained:

IOException: IDX20804: Unable to retrieve document ...

IOException: IDX20803: Unable to obtain configuration from ...

That happens when the Okta domain URL is not configured correctly. Can you show me the value of ConfigurationManager.AppSettings["OktaOrgUrl"]? (You can redact the company name, or send it to me via private message if you want.)

MatthewFetzer · January 7, 2019, 3:47pm

Hi Nate,

Thanks for getting back to me.

The value for that is https://[companyurl].okta.com where companyurl is our subdomian.

Thanks

nate.barbettini · January 14, 2019, 5:36pm

Hey @MatthewFetzer, sorry for the slow replies.

Can you confirm that you can reach this page in a browser?

https://[companyurl].okta.com/oauth2/default/.well-known/openid-configuration

If not, that is the problem. As a follow-up question, are you using a custom Authorization Server for this application? Can you describe briefly what the application is and who will use it? (internal employees, or external customers)

MatthewFetzer · January 14, 2019, 6:22pm

Hi @nate.barbettini

I got this as a response

{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"oaebrKuQegGTZK2snkcJEmNBg","errorCauses":[]}

I’m guessing thats a bad resposne? So is there something in the configurations that needs to be changed?

As for your other question were just using the built in Okta widget to login our users to our internal application. Were not really needing anything beyond just the login portion for now. I was hoping it can handle the following

Login users via the okta widget
Validate the session token returned from the okta widget login is legitimate (My understanding is this is done via the challenge step. )
Auto logon users with active okta sessions.
Create Identity User session when login is validated.

Thanks!

nate.barbettini · January 16, 2019, 5:52pm

That makes sense, thanks for the background detail. Quick sanity check, when you say it’s an internal application, I assume that means that users = employees?

For an internal application, you’ll need to make one change. This default:

github.com

okta/okta-aspnet/blob/master/Okta.AspNet.Abstractions/OktaWebOptions.cs#L18


namespace Okta.AspNet.Abstractions
{
public class OktaWebOptions
{
    public static readonly string DefaultAuthorizationServerId = "default";


    public static readonly TimeSpan DefaultClockSkew = TimeSpan.FromMinutes(2);


    public string OktaDomain { get; set; }


    public string AuthorizationServerId { get; set; } = DefaultAuthorizationServerId;


    public TimeSpan ClockSkew { get; set; } = DefaultClockSkew;
}
}

Is meant for external applications. You’ll need to specify an AuthorizationServerId in your options block:

app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["OktaOrgUrl"],
            AuthorizationServerId = string.Empty,
            // ...

I know that looks a little silly, but the reason behind it is: external applications use Custom Authorization Servers (with an authorization server ID), but internal applications use Okta as an authorization server (with no authorization server ID).

Let me know if that gets you up and running. Sorry that this isn’t called out better in the readme! We are working on better documentation for these libraries right now.

MatthewFetzer · January 16, 2019, 8:59pm

Hi @nate.barbettini

I made that change and that did seem to get me past that 401 but I am now getting this

I tried with the value of RedirectUri in the startup code with
RedirectUri = "http://localhost:64116/authorization-code/callback
and
RedirectUri = "/authorization-code/callback

I also added http://localhost:64116/authorization-code/callback to our whitelist but still no luck.

Is it maybe another redirect url parameter I am not setting up correct?

Thanks!

MatthewFetzer · January 16, 2019, 11:41pm

@nate.barbettini Nevermind, it appears I just had existing session cookies which was messing up the redirect. Im getting a authorized identity user now by adding that AuthorizationServerId part. I will update this thread if I get the rest to work or if I have anymore issues. Thanks for the help!