Assign users to app using .NET SDK

dotnet

#1

Hi the Okta Community,

We are currently trying Okta, and in particular the Okta .NET SDK, to build an iOS and Android application connected through a WCF web service to a .NET backoffice.

  • The question here is: what does it mean to assign an Okta user to an application? Compared to an unassigned user for example.

  • Then, is it possible to assign a user to an application through the Okta .NET SDK?

Thank you for your help.

Best regards,

Antoine.


#2

Hi Antoine,

Can you give me some more details about your application? Are you using Okta for user management instead of a local user table? How do users log in with Okta?

If an Okta User is assigned to an Application, they can log in (or generate tokens) for that application. If they are not assigned, they can’t log in or get tokens.

This is important if you have multiple applications and only some users should have access to certain applications.

It’s possible, but not super easy since the .NET SDK doesn’t natively support the Apps API and the /v1/apps/${applicationId}/users endpoint you’d need to call to assign a user. This is the next API we are planning to add support for to the .NET SDK.

In the meantime, you could use the raw oktaClient.Post() method to call that endpoint manually. It isn’t as pretty as an oktaClient.Applications.AssignUser() method, but it would work. :slight_smile: Let me know if you need help with that.
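
One way to make that raw call, as an added example that is not code from the thread or from the Okta SDK: it calls the Apps API endpoint directly over HttpClient (POST /api/v1/apps/{appId}/users with the user's id and scope "USER"), and the org URL, API token, application id and user id are placeholders read from the environment.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

public static class AppAssignment
{
    // Assigns a user to an app: POST /api/v1/apps/{appId}/users with {"id": userId, "scope": "USER"}.
    // Returns true on 200 OK; throws with Okta's error body otherwise so failures show up in logs.
    public static async Task<bool> AssignUserToAppAsync(
        HttpClient http, string orgUrl, string apiToken, string appId, string userId)
    {
        var url = $"{orgUrl.TrimEnd('/')}/api/v1/apps/{Uri.EscapeDataString(appId)}/users";
        var request = new HttpRequestMessage(HttpMethod.Post, url);

        // Okta API tokens use the SSWS scheme. The token is an admin credential:
        // keep it on the backend (the WCF service) and never ship it inside the mobile app.
        request.Headers.Authorization = new AuthenticationHeaderValue("SSWS", apiToken);
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        var payload = JsonConvert.SerializeObject(new { id = userId, scope = "USER" });
        request.Content = new StringContent(payload, Encoding.UTF8, "application/json");

        using (var response = await http.SendAsync(request))
        {
            if (response.IsSuccessStatusCode)
                return true;

            var error = await response.Content.ReadAsStringAsync();
            throw new InvalidOperationException(
                $"Okta rejected the assignment ({(int)response.StatusCode}): {error}");
        }
    }

    public static async Task Main()
    {
        // Placeholder configuration read from the environment; none of these values are real.
        var orgUrl = Environment.GetEnvironmentVariable("OKTA_ORG_URL");   // e.g. https://your-org.okta.com
        var apiToken = Environment.GetEnvironmentVariable("OKTA_API_TOKEN");
        var appId = Environment.GetEnvironmentVariable("OKTA_APP_ID");
        var userId = Environment.GetEnvironmentVariable("OKTA_USER_ID");

        using (var http = new HttpClient())
        {
            var assigned = await AssignUserToAppAsync(http, orgUrl, apiToken, appId, userId);
            Console.WriteLine(assigned ? "User assigned to application." : "Not assigned.");
        }
    }
}
```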


#3

Hi Nate,

I will talk about:

  • “The application” for the whole “mobile apps + DB + web services + backoffice” system
  • “The mobile app” to just talk about the iOS and Android mobile apps

We would like to use Okta for the user management part of our application. In our mind, our database will not contain any user table (or just a very simple one with Id and email maybe).

Globally, our application will be composed of:

  • An iOS and Android mobile app providing some services to our users (like the eBay app for example)
  • An ASP.NET MVC backoffice providing some management functions to our agents
  • A WCF web service providing all user functions to the mobile app

At the end, we want to use Okta through the WCF web service. This web service will provide “Register”, “Login”, “LostPassword” and other “user management” methods to the mobile app.


Assign a user to an app: I think it’s now clear for us what it means to assign a user. Thanks.

For the moment we will integrate Okta in only one application.

  • Is there a solution to auto-assign users to the single existing Okta application in the Okta backoffice? Otherwise we will try the oktaClient.Post() method.

We have other questions and suggestions about how to implement these “user management” methods into our WCF web services. It’s now maybe easier to continue here than opening Github issues.

Register: we have already implemented a “Register” method in our WCF web service. The method creates a new Okta user. The only remark here is that the only way to know that an email is already used is to wait for an exception.

  • Do you think you could add an IsUserExists(email, appId) method into the SDK?

For the moment we do:

private async Task<bool> IsEmailAlreadyUsed(string email)
{
    try
    {
        var user = await this.oktaClient.Users.GetUserAsync(email);

        return user != null;
    }
    catch (Okta.Sdk.OktaApiException)
    {
        // If no user with the specified email exists yet, the SDK throws an Okta.Sdk.OktaApiException
        return false;
    }
}

Log in: we have opened a case in the Okta help center to know how to use the SDK to check if a user exists with their email/password, sent from a simple log-in form in the mobile app. The answer was:

I got in touch with a developer about this function and unfortunately this cannot be done, you can’t use the user’s password in any way at this point, I hope this doesn’t block you

  • Do you think you could add an IsUserExists(email, password, appId) method into the SDK?
  • Or maybe a new GetUserAsync() overload with email, password parameters

Our login method for the moment:

public async Task<LogInResult> LogIn(string email, string password)
{
    if (string.IsNullOrWhiteSpace(email) == false
        && string.IsNullOrWhiteSpace(password) == false)
    {
        try
        {
            var user = await this.oktaClient.Users.GetUserAsync(email);

            bool result = user != null && user.Credentials.Password // ? ....

            if (result == true)
            {
                return new LogInResult()
                {
                    ResultState = user.Activated.HasValue == true ? ELogInResult.Success : ELogInResult.NotActivatedUser
                };
            }
        }
        catch (Exception e)
        {
            // TODO log e
            return new LogInResult()
            {
                ResultState = ELogInResult.UnexpectedError
            };
        }
    }

    return new LogInResult()
    {
        ResultState = ELogInResult.InvalidCredentials
    };
}

I think that’s all for the moment :smile:

Thanks again for your help.

If there is anything I’ve not clearly explained do not hesitate to let me know.

Best regards,

Antoine Boulinguez.


#4

If you want users to automatically be added to an application, use either the Everyone group or a custom group:

  • If you want everyone to be assigned to the application, assign the Everyone group to the application.
  • If you want many (but not all) users assigned to the application, create a custom Group and assign that to the application. Then add as many users as you want to that group.

Fortunately, the Groups API is already supported in the .NET SDK :slight_smile:

You can check this yourself by doing a filter search using the email address. In the .NET SDK, you can use the ListUsers method:

var userExists = await client.Users.ListUsers(q: "testanother@example.com", limit: 1).Any();

That should be faster and cleaner than catching an exception if the user doesn’t exist.

If I’m understanding correctly, you need to send the user’s login and password to Okta to actually perform the authentication. Here is how you can do this:

  • The architecture we recommend is an OpenID Connect redirect flow. For mobile apps, you can use the authorization code flow with PKCE: open a browser, show a login page, then redirect back to the app with access and ID tokens for the user. In this case, authenticating the user isn’t a concern of your backend service; your backend service just needs to verify incoming tokens issued by Okta.
  • If you can’t fit your system into this architecture, you can use our Authentication API to directly log a user in by sending their login and password via an API call. In this case, your backend needs to handle things like keeping track of a session for the user.

We have an overview of authentication approaches if you want to read more.

The latter (Authentication API) isn’t yet supported by the .NET SDK, but you could make HTTP calls to the authentication endpoint. We will be building some tools to make this super easy from .NET later this year. :slight_smile:

Sorry this was so long! Hope this info is helpful.
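
For the recommended redirect architecture above, the backend's only job is to verify the tokens Okta issued. The following is an added example, not code from the thread or from the Okta SDK: it validates an access token's signature against the issuer's published keys plus issuer, audience and lifetime, using the Microsoft.IdentityModel packages (System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect). It assumes a custom Okta authorization server whose discovery document exposes its signing keys; the issuer and audience values are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class OktaTokenValidator
{
    private readonly string _issuer;
    private readonly string _audience;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;
    public OktaTokenValidator(string issuer, string audience)
    {
        _issuer = issuer;     // placeholder, e.g. https://your-org.okta.com/oauth2/default
        _audience = audience; // the "aud" claim your authorization server puts in access tokens
        // Fetches and caches the discovery document and the JWKS (signing keys) it points to.
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            _issuer.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }
    // Returns the token's claims if, and only if, signature, issuer, audience and lifetime all check out.
    public async Task<ClaimsPrincipal> ValidateAsync(string token, CancellationToken ct = default(CancellationToken))
    {
        var config = await _configManager.GetConfigurationAsync(ct);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = _issuer,
            ValidAudience = _audience,
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuer = true, ValidateAudience = true,
            ValidateIssuerSigningKey = true, ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1), // tolerate small clock drift only
        };
        var handler = new JwtSecurityTokenHandler();
        try
        {
            return handler.ValidateToken(token, parameters, out SecurityToken validatedToken);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // Unknown "kid": Okta may have rotated keys, so drop the cached JWKS for the next request.
            _configManager.RequestRefresh();
            throw;
        }
    }
}
```

A request whose token fails validation should be rejected before any user-management method runs; the returned ClaimsPrincipal is what the WCF service uses to identify the caller.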


#5

Done and done. It works perfectly, thanks. :+1:


I’m currently trying to implement the authorization code flow with PKCE into a Xamarin Forms mobile app but without any success.

I’ve described the situation here: SSO in Xamarin Cross Platform mobile app

Thanks for your help @nate.barbettini.

Best regards,

Antoine.


#6

FYI, the Apps API is now supported as of .NET SDK 1.0-alpha8: https://github.com/okta/okta-sdk-dotnet#get-an-application