Did the /authorize endpoint change? Before I got a 302, and now I'm getting a 200 OK

Around 2017 I implemented a process in .NET that invoked the /authorize endpoint and would receive a 302 response.
Afterwards, I would get the Location/AbsoluteUri, which would give me the Identity Provider URL that I would use to authenticate the user.

The code was implemented as:

// Usings the snippet needs (ASP.NET Core for QueryHelpers, System.Web for HttpUtility).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNetCore.WebUtilities;

// Assumes the surrounding class defines _clientId, Scopes, AuthorizeUrl, ErrorKey ("error"),
// ErrorDescKey ("error_description"), _clientFactory (IHttpClientFactory) and the project's
// own HttpResponseException(HttpStatusCode, string).
private async Task<string> GetIdentityProviderUrl(WebFingerIdentityDto dto, string redirectUri, string state)
{
    var nonce = Guid.NewGuid().ToString();
    var idp = dto.links.First()?.properties?.oktaIdpId;

    var queryParameters = new Dictionary<string, string>
    {
        {"idp", idp},
        {"client_id", _clientId},
        {"response_type", "token id_token"},
        {"response_mode", "fragment"},
        {"state", state},
        {"nonce", nonce},
        {"scope", Scopes},
        // Let AddQueryString percent-encode redirect_uri instead of appending it raw.
        {"redirect_uri", redirectUri}
    };

    var url = QueryHelpers.AddQueryString(AuthorizeUrl, queryParameters);

    // The "okta" client must be registered with AllowAutoRedirect = false; otherwise the
    // handler follows the 302 itself and this method only ever sees the final page.
    using var client = _clientFactory.CreateClient("okta");
    using var response = await client.GetAsync(url);

    if (!HttpStatusCode.Found.Equals(response.StatusCode))
        throw new HttpResponseException(response.StatusCode, response.ToString());

    var location = response.Headers.Location;
    if (location == null || !location.IsAbsoluteUri)
        throw new HttpResponseException(HttpStatusCode.Forbidden, "Could not obtain Location Header.");

    // With response_mode=fragment, error/error_description arrive after '#', not in the query,
    // so parse the query and the fragment rather than the whole URL as a query string.
    var queryParams = HttpUtility.ParseQueryString(location.Query);
    queryParams.Add(HttpUtility.ParseQueryString(location.Fragment.TrimStart('#')));

    var error = queryParams.Get(ErrorKey);
    if (!string.IsNullOrEmpty(error))
        throw new HttpResponseException(HttpStatusCode.Forbidden, queryParams.Get(ErrorDescKey));

    return location.AbsoluteUri;
}

The authorize URL is something like:
https://dev-xxx.okta.com/oauth2/default/v1/authorize?idp=0oahd5oxxxpVeVXXhe5d7&client_id=0oahxxxwvoGT8i3qW5d7&response_type=token%20id_token&response_mode=fragment&state=1111&nonce=15e7641d&scope=openid&redirect_uri=https://some-url.net/callback

We had a problem with our Okta server, so we had to configure a new Application in Okta, which we configured correctly.

BUT, as soon as we tried to log in, the above code no longer returns 302; instead, it returns a 200 OK.

Any idea what the problem can be? Did the /authorize API change, so that the response is not the same as before?

This is causing us a lot of problems as our clients aren’t able to log in.

Thank you in advance.

1 Like

You should receive a 200 for the authorize request when the user does not yet have an Okta session, as at that point the login widget will be rendered on the Okta hosted login page so that the user can authenticate.

Once they have completed authentication (or if they already have an existing session created that will meet your application’s Authentication Policy requirements), then Okta will 302 redirect back to the provided redirect_uri.
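An added example (Python, not the questioner's .NET code or Okta's own code) that models how a client which does not auto-follow redirects should interpret the /authorize response described above: 200 means no session yet, a 302 away from redirect_uri is a bounce to the login page or IdP, and a 302 back to redirect_uri carries tokens or an error in the fragment. The redirect URI and state value are constructed to mirror the question's example.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_URI = "https://some-url.net/callback"  # constructed, mirrors the question's example


def _params(url):
    """Merge query and fragment parameters of a redirect target into one dict.
    With response_mode=fragment Okta puts tokens and errors after '#', so a
    query-only parse (or parsing the whole URL as a query string) misses them."""
    parts = urlsplit(url)
    merged = {}
    for raw in (parts.query, parts.fragment):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged[key] = values[0]
    return merged


def _same_redirect_target(location, redirect_uri):
    a, b = urlsplit(location), urlsplit(redirect_uri)
    return (a.scheme, a.netloc, a.path) == (b.scheme, b.netloc, b.path)


def classify_authorize_response(status, location, expected_state, redirect_uri=REDIRECT_URI):
    """Interpret one /authorize response as seen by a client that does NOT follow
    redirects automatically (otherwise the 302 is never observed). Returns (kind, details)."""
    if status == 200:
        # No Okta session yet: the hosted login page / sign-in widget was rendered.
        return ("login_required", None)
    if status != 302:
        raise ValueError(f"unexpected /authorize status {status}")
    if not location:
        raise ValueError("302 without a Location header")
    if not _same_redirect_target(location, redirect_uri):
        # Bounce to the Okta login page or an external IdP (e.g. the AzureAD IdP
        # routing in the question); the caller sends the user's browser there.
        return ("redirect_to_idp", location)
    params = _params(location)
    if params.get("state") != expected_state:
        # Reject a callback that does not carry the state we issued (CSRF defence).
        raise ValueError("state mismatch on redirect back to redirect_uri")
    if "error" in params:
        return ("error", {"error": params["error"],
                          "error_description": params.get("error_description", "")})
    token_keys = ("id_token", "access_token", "token_type", "expires_in")
    return ("tokens", {k: params[k] for k in token_keys if k in params})
```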

Thank you for your quick response.

Please note:

1 - This was working before, has the /authorize process changed?
2 - I’m not using the Okta hosted login page

Also, our users are stored in AzureAD, so we created an Identity Provider with the required OIDC settings.

In this scenario, is it required to have the Okta session before calling the /authorize endpoint?
And if so, which credentials should I use, given my users are in AzureAD?

Thank you!

Do you have first and last name filled in on the user account? I also was having this issue and just found that users with first and last name got the 302 while users missing either field got the 200.

I tried changing the profile mapping rules for the app, but have not found a solution yet. The only thing that is working for me is to add BOTH first and last name values.
