Hi, I'm trying to set up Okta OAuth 2.0 authentication on Azure API Management.
When triggering the authorization attempt from the API portal I get the following error:
"400 Bad Request Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://{org}.okta.com/admin/app/oidc_client/instance/{clientId}#tab-general"
I added the following URL to my Okta application's Sign-in redirect URIs:
https://{domain}-azapiman.developer.azure-api.net/signin-oauth/code/callback/okta
What else do I need to configure? Please assist.
Just another comment.
This is the response I get in a browser page
{"code":"BadRequest","message":"Authorization code grant flow is not supported."}
when trying this URL https://{domain}-azapiman.developer.azure-api.net/signin-oauth/code/callback/okta
The issue is related to a bug in the APIM developer portal:
opened 09:18AM - 27 Sep 23 UTC
**Bug description**
The 'state' parameter is not appended to the request URL when requesting OAuth authorization from the developer portal, even though "Support state parameter" is selected in the OAuth configuration.
Okta OAuth requires the 'state' parameter.
**This is the request URL sent from the Developer Portal:**
https://<Oktaserver>.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize?response_type=code&client_id=<ClientId>&code_challenge_method=S256&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4&redirect_uri=https://<APIname>-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta&scope=openid+profile+email+offline_access
**Okta response payload**
error: invalid_request
error_description: The authentication request has an invalid 'state' parameter.
**Reproduction steps**
1. Set up APIM with any API
2. Add a new OAuth 2.0 configuration
3. Complete the configuration setup and make sure to tick "Support state parameter"
4. Go to the API settings and select your new OAuth configuration as the authorization method.
5. Publish your Developer Portal
6. Browse to your API details page in the Developer Portal and select the authorization combo option.
7. If configured correctly you should see an authorization popup
8. Investigate that URL
**Expected behavior**
The 'state' parameter should be appended as a query parameter:
'&state=state'
https://<Oktaserver>.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize?response_type=code&client_id=<ClientId>&code_challenge_method=S256&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4&redirect_uri=https://<APIname>-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta&scope=openid+profile+email+offline_access&state=state
**Additional context**
Related bug https://github.com/Azure/api-management-developer-portal/issues/208
Confirmed as a bug by Microsoft support on my original ticket https://learn.microsoft.com/en-us/answers/questions/1376198/how-to-set-state-parameter-for-api-developer-porta
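Added example, not code from the thread or from Microsoft or Okta: a small Python checker that parses an authorization-code request URL the way the authorization server would, so you can see before sending it whether `state` is missing and whether `redirect_uri` exactly matches a registered sign-in redirect URI. The sample URL is the one quoted in the issue above (its `<Oktaserver>`, `<ClientId>` and `<APIname>` placeholders left as-is), and the allowlist of registered URIs is constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the authorize URL the developer portal sends (copied from the
# issue above, placeholders kept). It carries PKCE but no 'state' parameter.
PORTAL_AUTHORIZE_URL = (
    "https://<Oktaserver>.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize"
    "?response_type=code&client_id=<ClientId>&code_challenge_method=S256"
    "&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4"
    "&redirect_uri=https://<APIname>-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta"
    "&scope=openid+profile+email+offline_access"
)

# Constructed allowlist standing in for the app's registered Sign-in redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "https://<APIname>-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta",
}

# Parameters an authorization-code request must carry (state included, as Okta enforces).
REQUIRED = ("response_type", "client_id", "redirect_uri", "scope", "state")


def check_authorize_request(url, registered_redirect_uris):
    """Return a list of problems found in an authorization request URL.

    An empty list means every required parameter is present, the grant is the
    authorization code grant, redirect_uri exactly matches a registered URI
    (no prefix or wildcard matching), and any PKCE challenge uses S256.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = lambda name: query.get(name, [""])[0]  # first value or "" if absent
    problems = []
    for name in REQUIRED:
        if not first(name):
            problems.append(f"missing {name}")
    if first("response_type") != "code":
        problems.append("response_type must be 'code' for the authorization code grant")
    redirect_uri = first("redirect_uri")
    if redirect_uri and redirect_uri not in registered_redirect_uris:
        problems.append("redirect_uri is not a registered sign-in redirect URI")
    if "code_challenge" in query and first("code_challenge_method") != "S256":
        problems.append("code_challenge present but code_challenge_method is not S256")
    return problems


if __name__ == "__main__":
    print(check_authorize_request(PORTAL_AUTHORIZE_URL, REGISTERED_REDIRECT_URIS))
    print(check_authorize_request(PORTAL_AUTHORIZE_URL + "&state=state", REGISTERED_REDIRECT_URIS))
```

Note that the portal's PKCE callback path (`/signin-oauth/code-pkce/callback/okta`) differs from the non-PKCE one (`/signin-oauth/code/callback/okta`); because the match is exact, registering one does not cover the other.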