I managed to get the IdentityServer3 sample working with in memory accounts and google as an external provider. I also (seperately) got the OktaAspNetExample project working. So I tried to combine the 2 by using the OPenIdConnectAuthenticationOptions object in the Configration method from the OktaAspNetExample and added it to the Configuration method in the Identity Server Startup class. So far every time I click on the button to use Okta to log in IdentityServer doesn’t seem to be able to redirect me to Okta. Has anyone tried this approach yet? I can’t seem to find any examples.
I haven’t tried IdentityServer3 + Okta yet myself, but it should work since the former supports OpenID Connect. Are you getting any errors when you click the button? Anything in the logs indicating why it didn’t redirect?
Out of curiousity, what does your architecture look like high-level? Are you running your own authorization server with IdentityServer3 and want it to support both local and external accounts?
To answer the latter question first, the answer is yes. What I was experimenting with is to try and preserve our ability to authenticate some users against our user store but also allow some users to authenticate against Okta.
After some further experimentation I created a custom HttpHandler to configure as a BackchannelHttpHandler. I learned 2 things. The first Uri that seems to be handled is a call to the oidc metadata. The first problem I ran into was that (because I am using .NET 4.5) I had to add code to deal with the fact that Okta turned of TLS 1 and 1.1. So once I got that straightened out I noticed that it came back with a 401 and then did nothing.
I also used JustDecompile form Telerik to poke around the Microsoft.Owin.Google assembly. It looks like a fairly sophisticated API to allow users to perform external OIDC authentication. My guess is that it might take building something similar but using Okta URIs and fragments etc.
One other thing I was able to get working was using Okta as an external source but using the SustainSys SAML2 package installed. This works with IdS3. However, I’m still experiencing some issues getting all the claims added to the ClaimsIdentity. Not sure what I have to do there.
In any case the Okta example code works but it assumes that the app is only using the Okta site as the source of authentication and that the app talks directly to Okta instead of using IdS3 as a middle-man.
That’s correct, so far we’ve been building samples that focus on the use case of using Okta as an identity provider for a single application. We plan on building more samples for things like federation, but that’ll be a bit down the road.
I know for sure that this library can work with Okta: Microsoft.Owin.Security.OpenIdConnect
You can see a working example in the ASP.NET 4.x quickstart or the ASP.NET 4.x sample. I’m not sure if that helps with your connection to IdentityServer3?
Thanks. As I said I got the ASP.NET 4.x sample you linked to working just fine. What I attempted to do is copy the startup code that creates the open id connect options object into the startup config function to configure external IdPs. I get a 401 error after trying to retrieve the metadata JSON. Maybe I just need to redirect to the login page at that point. But my sense is it may get more involved after that even if that happens to work. So for now I’ll forgo IdentityServer3. Thanks.