Getting redirect to unknown URL on anonymous authorize endpoint call

I am trying to implement my own authentication with Okta.
But when I try to reach this URL as an unregistered user (i.e. without any cookie):
https://{custom_domain}/oauth2/v1/authorize?response_type=code&client_id={reducted}&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fsilent-refresh.html&scope=email%20openid%20profile%20groups&code_challenge=X3RJu7mg6xTUFmC_yqBGcnsivjjEtWxX_k3eJXONF-M&code_challenge_method=S256

I am getting a 302 redirect from Okta:
https://{custom_domain}/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=Q-Tmugh8uPFRXJmsrC890I_VAGRZ9BTXLMCumLSXw8o

Is it possible to change this behaviour, and get some 401 error, for example?

I was able to understand that I need to change my URL to https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/openid-configuration

Now I have another question for a non-authenticated user (i.e. no cookie).
What should I do to understand that I need to forward the user to a custom login page?

  1. This URL does not make any redirects, it’s just returning 200 OK code with this https://CUSTOM_DOMAIN/oauth2/default/v1/authorize?response_type=code&client_id=TESTCLIENTID&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601&nonce=g5ly497e8ps&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fsilent-refresh.html&scope=email%20openid%20profile&code_challenge=NjNQjKN4dMm0YWz-dtjJks4CYsZZAmxUaY-hfSxYY6s&code_challenge_method=S256

<script type="text/javascript">

// "config" object contains default widget configuration
// with any custom overrides defined in your admin settings.
var config = OktaUtil.getSignInWidgetConfig();

// Add the below line
config['features.registration'] = false;

// Render the Okta Sign-In Widget
var oktaSignIn = new OktaSignIn(config);
oktaSignIn.renderEl({ el: '#okta-login-container' },
    OktaUtil.completeLogin,
    function(error) {
        // Logs errors that occur when configuring the widget.
        // Remove or replace this with your own custom error handler.
        console.log(error.message, error);
    }
);
</script>

  2. This code (with prompt=none) redirects me with a 302 code and specifies this error
    https://CUSTOM_DOMAIN/oauth2/default/v1/authorize?response_type=code&client_id=TESTCLIENTID&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601&nonce=g5ly497e8ps&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fsilent-refresh.html&scope=email%20openid%20profile&code_challenge=NjNQjKN4dMm0YWz-dtjJks4CYsZZAmxUaY-hfSxYY6s&code_challenge_method=S256

The+client+specified+not+to+prompt%2C+but+the+user+is+not+logged+in.

Can I treat this error as an indicator for this login requirement, or is there another way? I do not want to bind to some magic error constants as they might be changed in future by Okta.

You are mixing here 2 things:

  1. When the browser doesn’t have a cookie, that means that the user is unauthenticated and not unregistered. So when you hit /authorize, Okta will send your user to the login page to authenticate them.

  2. If the user presents non-valid credentials, that’s where they will be stopped with a message that they entered wrong credentials.

You are right, I am in option 1 - user is not authenticated.

As I don’t use the Okta JS package for my app and have a custom login page, my question is what the desired result from Okta is when a user is making a notAuthenticated call to the authorize endpoint.

What is your full flow, to better understand your situation? And I’m not sure why you can’t run this example on your own to see what the result is in all of your test cases, to get all the answers.

If you mean why I can’t run them manually - that’s already done, those are the results of my application. In case you mean some sample from Okta, I have tried this samples-js-angular/custom-login at master · okta/samples-js-angular (github.com) and unfortunately it’s not my case - here the user must first enter login#password which will be passed, while I am emulating a situation with authentication for a new user.

My workflow is pretty simple

  1. On page loading I am trying to do a silent refresh with an iframe. If the user has already been registered and the cookie exists, he will be authenticated by Okta.
  2. In the current case, when the user is a new user without a cookie set, I was expecting to get some error somehow - I got it only with the prompt=none query param and just want to be sure that it will always be the same and is documented somewhere.

Never mind, I didn’t notice login_required as an error code, which is per the OIDC spec.