Need help with the OpenID Connect application


#1

Dear people,
I have started to use Okta and I have a couple of newbie questions.
I have tried to create the OpenID Connect application without success.
According to the article I should select the type of application: SWA, SAML 2.0, or OpenID Connect.
https://support.okta.com/help/Documentation/Knowledge_Article/Using-the-App-Integration-Wizard-1111708899

But when I press on “Add application” I can see the following options:
Native
Single-Page App
Web
Service
What option should I select to create the OpenID Connect application?

Can you provide me the updated link?

Thanks in advance,
Michael


#2

Hey @michael!

Head on over to our quick start guide, pick your language (and how you want your users to log in) and the guide should walk you through everything else.

To answer your question though, pick Web.

Keep us posted!


#3

In addition to what @bdemers said, you can read through the following link to understand which flow/app you will need to create based on your requirements - https://developer.okta.com/authentication-guide/implementing-authentication/


#4

@bdemers, whichever kind of application you are going to integrate the Okta API with is the one you have to choose. After that you will get the option in the next step to choose the OpenID option.


#5

Thanks,
I would be happy for a couple of additional clarifications:

I have created the application testopenid.
What is the URL to get the openid-configuration?
According to the spec it should be something like .well-known/openid-configuration.
I have tried the URL below but got a 404:
https://<mydomain>.oktapreview.com/testopenid/.well-known/openid-configuration

Please help.


#6

Can you share more info: what kind of application you are going to use and what kind of method you have chosen?


#7

I have selected the Web application and left the defaults according to the suggested article:

Please let me know if you need any additional clarifications


#8

I have tried the URL below but got a 404:
https://.oktapreview.com/testopenid/.well-known/openid-configuration

It should look like this:

https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/.well-known/openid-configuration?client_id={{YOUR_CLIENT_ID}}

#9

Thanks!
In fact I was able to use the following URL:
https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/.well-known/openid-configuration

{
  "issuer": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default",
  "authorization_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/token",
  "userinfo_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/userinfo",
  "registration_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/v1/clients",
  "jwks_uri": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/keys"
}

Is the .well-known configuration related to a client?

When I tried to access
https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/.well-known/openid-configuration?client_id=testopenid

I got the following error:

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: testopenid (PublicClientApp)",
  "errorLink": "E0000007",
  "errorId": "oaeAS0AZWMFQz-QLJ2dclPt4w",
  "errorCauses": []
}

#10

Grab the client_id from the application screen and you should be set:


#11

Thanks!
Most endpoints (except registration_endpoint and jwks_uri) are the same:

{
  "issuer": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default",
  "authorization_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/token",
  "userinfo_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/userinfo",
  "registration_endpoint": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/v1/clients/0oaek2aj5jC6gCY3A0h7",
  "jwks_uri": "https://{{YOUR_ORG}}.oktapreview.com/oauth2/default/v1/keys?client_id=0oaek2aj5jC6gCY3A0h7"
}

#12

Yep! That is correct. Okta has a data model that allows Authorization Servers and Clients to support each other in an M:M relationship.


#13

Tom,
Thank you very much for your help!
I would be happy for an additional clarification.

I need to map the login Okta user attribute to the preferred_username claim.

My application is waiting for the user name at the preferred_username claim.

What is the best way to do it?
Thanks in advance,
Michael


#14

It should be mapped to that by default:

Are you seeing something different?


#15

Unfortunately in my case the token is without the preferred_username claim.
This is the authorization token:

{
  "sub": "00uejawry54O5kDRU0h7",
  "ver": 1,
  "iss": "https://{{MY_ORG}}.oktapreview.com/oauth2/default",
  "aud": "0oaek2aj5jC6gCY3A0h7",
  "iat": 1523033174,
  "exp": 1523036774,
  "jti": "ID.LRYa1aY7KeeLRZCzHzLOHRjkS9aZhZoFr-iF5KHCqwk",
  "amr": [
    "pwd"
  ],
  "idp": "00oej9an16nig7brj0h7",
  "auth_time": 1523033173,
  "at_hash": "VOaT-w2csfAd2Rd5M1wdsw"
}

This is the userinfo token:

{"sub": "00uejawry54O5kDRU0h7"}

What is wrong?

Please note that I am using the free trial.

Should I use the custom user attributes?
(It is supported in the free trial)
I will appreciate any insights,
Michael


#16

I believe you are looking at the access_token, the preferred_username claim will be in the id_token.

Also, make sure you ask for the openid scope during the authorization request.


#17

Thanks Tom,

Unfortunately the id_token is empty:

{"sub": "00uejawry54O5kDRU0h7"}

The authorization request includes all required parameters, including scope=openid:

https://{{MY_ORG}}.oktapreview.com/oauth2/default/v1/authorize?scope=openid&state=cLyFpOaFp4tOunlg5RvACBOMz1i42VTXcUXhdkvSMuo.eb2cec14-5144-48dc-abe2-6d0acb64b3cb&response_type=code&client_id=0oaek2aj5jC6gCY3A0h7&redirect_uri={{MY_REDIRECT_URL}}

Still no guess what is wrong …

I will appreciate any help,
Michael


#18

Hi Tom,
I would be happy for your help.
I have debugged the issue and now I understand the root cause.
The userinfo endpoint returns empty results.
I have configured the endpoint according to .well-known/openid-configuration.
Its URL is https://{{MY_ORG}}.oktapreview.com/oauth2/default/v1/userinfo
But it returns empty results.

I have tried to call it manually, but it still returns empty results: {}

# -k skips TLS certificate verification, so only use it for local debugging
curl -s --tlsv1 -L -k \
  -H "Authorization: bearer e…A" \
  "https://{{MY_ORG}}.oktapreview.com/oauth2/default/v1/userinfo"

Is the userinfo endpoint configured correctly?
Why does it return empty results?

I will appreciate any help,
Michael


#19

Hi Michael,

In addition to openid, you should also add profile & email to the scope.
If you need the groups, add groups to the scope as well.

The id_token will return the user's profile information only if the profile scope is included in the /authorize request.
Refer to this link for the set of scopes you can pass - https://developer.okta.com/docs/api/resources/oidc#reserved-scopes

Let us know if this resolves your issue.
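A small local check of the point made in #16 and #19, added here as an example that is not part of the thread or of Okta's code: it decodes an id_token payload, checks iss, aud and exp against the values from the discovery document, and reports a missing preferred_username with the scope fix. The org name, the placeholder signature and the profile claim values are constructed; the client_id and timestamps are the ones shown above. The decoder inspects only, it does not verify the signature.

```python
import base64
import json

ISSUER = "https://example.oktapreview.com/oauth2/default"  # constructed org name
CLIENT_ID = "0oaek2aj5jC6gCY3A0h7"                         # client_id shown in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims: dict) -> str:
    """Build a JWT-shaped string for inspection only; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "SAMPLE_KID"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.SIGNATURE_PLACEHOLDER"


def decode_claims(token: str) -> dict:
    """Decode the payload segment. This does NOT verify the signature; a real relying
    party must verify it against the keys at jwks_uri before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding a JWT strips
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_id_token(token: str, issuer: str, client_id: str, now: int) -> list:
    """Return the problems found in an id_token payload (an empty list means it looks fine)."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the discovery document issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not contain this client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if "preferred_username" not in claims:
        problems.append("preferred_username missing: add 'profile' to the scope parameter "
                        "of the /authorize request (e.g. scope=openid profile email)")
    return problems


# Constructed token modelled on the id_token in post #15: openid scope only, so no profile claims.
SAMPLE_CLAIMS_OPENID_ONLY = {
    "sub": "00uejawry54O5kDRU0h7", "ver": 1, "iss": ISSUER, "aud": CLIENT_ID,
    "iat": 1523033174, "exp": 1523036774, "amr": ["pwd"], "auth_time": 1523033173,
}
SAMPLE_TOKEN_OPENID_ONLY = make_sample_id_token(SAMPLE_CLAIMS_OPENID_ONLY)
# The same token after re-requesting with scope=openid profile email (constructed claim values).
SAMPLE_TOKEN_WITH_PROFILE = make_sample_id_token(
    {**SAMPLE_CLAIMS_OPENID_ONLY, "preferred_username": "michael@example.com", "name": "Michael"})
```

Run diagnose_id_token(SAMPLE_TOKEN_OPENID_ONLY, ISSUER, CLIENT_ID, now=1523033200) to see the single preferred_username finding; the profile variant reports nothing.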


#20

Hi vijet,
Thank you for your help!
It works!