Authentication with OKTA openid connect fails to load login page

dotnet

#1

Hi Team,
I am trying to register OKTA with my .NET web application to implement SSO and referred the process from "https://developer.okta.com/quickstart/#/okta-sign-in-page/dotnet/aspnet4 " : MVC 4x. (Also the sample provided here is not working under this link)

Completed all the steps from above url and able to load my applications first page i.e., login page, and provided a button/link to call challenge method, and trying to call the method with [Authorize] attribute.
But it is not opening the OKTA login page

Quick help on this is appreciated.
Thanks.


#2

Hi Nadeem,

Sorry to hear the instructions aren’t working. I’ll take a look.

Can you show your Startup.cs class? When you say it doesn’t open the Okta login page - what happens instead?


#3

Hi Nate.barbettini,

Thanks for the response :slight_smile: .

I am new to OKTA, have placed the wrong the key in web.config . Now able to authenticate properly with OKTA user account but blocked again with below related issue, kindly suggest if i have configured it wrong.

Problem is that in startup.cs AuthorizationCodeReceived is never hit and hence unable to get the claims/userInfo to my application. below is the code from startup.cs

public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        });

        var clientId = ConfigurationManager.AppSettings["okta:ClientId"].ToString();
        var clientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"].ToString();
        var issuer = ConfigurationManager.AppSettings["okta:Issuer"].ToString();
        var redirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"].ToString();

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Authority = issuer,
            RedirectUri = redirectUri,
            ResponseType = "code",
            UseTokenLifetime = false,
            Scope = "openid profile",
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"].ToString(),
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                **AuthorizationCodeReceived** = async context =>
                {
                    // Exchange code for access and ID tokens
                    var tokenClient = new TokenClient(issuer + "/v1/token", clientId, clientSecret);
                    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
                        context.ProtocolMessage.Code, redirectUri);

                    if (tokenResponse.IsError)
                    {
                        throw new Exception(tokenResponse.Error);
                    }

                    var userInfoClient = new UserInfoClient(issuer + "/v1/userinfo");
                    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

                    var identity = new ClaimsIdentity();
                    identity.AddClaims(userInfoResponse.Claims);

                    identity.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
                    
                    identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                    if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
                    {
                        identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                    }

                    var nameClaim = new Claim(
                        ClaimTypes.Name,
                        userInfoResponse.Claims.FirstOrDefault(c => c.Type == "name")?.Value);
                    identity.AddClaim(nameClaim);

                    System.Threading.Thread.CurrentPrincipal = new ClaimsPrincipal(identity);

                   context.AuthenticationTicket = new AuthenticationTicket(
                        new ClaimsIdentity(identity.Claims, context.AuthenticationTicket.Identity.AuthenticationType),
                        context.AuthenticationTicket.Properties);
                },

                RedirectToIdentityProvider = context =>
                {
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        var idToken = context.OwinContext.Authentication.User.Claims
                            .FirstOrDefault(c => c.Type == "id_token")?.Value;
                        context.ProtocolMessage.IdTokenHint = idToken;
                    }
                    return Task.FromResult(true);                     
                },
                
            }
        });

#4

Hey @Nadeem, sorry for the delay. Did you make any progress on this?

AuthorizationCodeReceived should get hit, unless the redirect URI is wrong or Okta isn’t redirecting back to your app for some reason. Can you use your browser’s network panel or a tool like Fiddler to watch the network requests? What happens after you log in at Okta and your browser is redirected?


#5

Hello,

Thanks for the reply, the issue is fixed now, able to authenticate properly but now to progress further on my POC with okta, i need to check one scenario which is :
if we have a client who can provide its IdP to connect with OKTA and sends a SAML response to OKTA, can you guide me on how to consume this SAML response through OKTA in my application, is it possible to get the SAML response with below code which we used in Openid connect directly ?
var userInfoClient = new UserInfoClient(issuer + “/v1/userinfo”);
var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

Or do we need to implement this scenario differently from OKTA openid connect code, if yes, any OKTA examples / samples related to SAML authentication would be of great help.

Thanks


#6

I need more information about the scenario. It sounds like you have:

  • A SAML IdP
  • Okta
  • Your custom application

Is your goal to allow users stored in the SAML IdP to log into your application?


#7

Yes that’s exactly I am trying to achieve: users under SAML IdP logs into my application but through OKTA which supports SSO.


#8

Hello,
Any updates on the thread ? any sample example would be of great help to achieve this with OKTA.


#9

We don’t have any documentation yet on handling an incoming SAML SSO connection from Okta, sorry. We’re planning on building docs and samples, but right now we are focusing on finishing our management SDKs.

I’d recommend looking at the Sustainsys Saml2 library (formerly KentorIT). They have some examples of creating a SAML Service Provider in .NET.