Hi, I'm developing an ASP.NET MVC application that will support both the default ASP.NET Identity for users and Okta external authentication for employees.
When I log in to Okta for the first time, the application lets me create a local Identity account so the two are synced together. The login portion seems to be working well.
I looked at the okta/samples-aspnet project on GitHub (samples-aspnet/okta-hosted-login at master) and implemented that code together with ASP.NET Identity, but something is wrong with the logout.
When I try to log out, I get this error on the /oauth2/v1/logout URL:
{"errorCode":"invalid_client","errorSummary":"A client_id must be provided in the request.","errorLink":"invalid_client","errorId":"oaeflMoiwOGQ6-0YJPOMSfImg","errorCauses":}
From what I've read, the logout request needs an id_token_hint, but I'm confused about how to pass it. Can someone point me in the right direction?
Startup.Auth.cs
/// <summary>
/// Registers the OWIN authentication pipeline: per-request ASP.NET Identity services,
/// the Identity cookies, and the Okta OpenID Connect middleware.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
public void ConfigureAuth(IAppBuilder app)
{
    // Per-request factories for the Identity DbContext, user manager and sign-in manager.
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext(ApplicationUserManager.Create);
    app.CreatePerOwinContext(ApplicationSignInManager.Create);

    // Primary application cookie. The security stamp is re-validated every 30 minutes,
    // so a password change or explicit stamp update eventually ends existing sessions.
    var cookieProvider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    };
    var cookieOptions = new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = cookieProvider
    };
    app.UseCookieAuthentication(cookieOptions);

    // Short-lived cookies used while an external login or a two-factor challenge is in flight.
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

    // OKTA: every value (including the client secret) is read from <appSettings>, not from source.
    var settings = ConfigurationManager.AppSettings;
    var oktaOptions = new OktaMvcOptions
    {
        OktaDomain = settings["okta:OktaDomain"],
        ClientId = settings["okta:ClientId"],
        ClientSecret = settings["okta:ClientSecret"],
        RedirectUri = settings["okta:RedirectUri"],
        PostLogoutRedirectUri = settings["okta:PostLogoutRedirectUri"],
        GetClaimsFromUserInfoEndpoint = true,
        Scope = new List<string> { "openid", "profile", "email" },
        // NOTE(review): an empty id presumably selects the org authorization server
        // (which matches the /oauth2/v1/... logout URL in the error) — confirm this is intended.
        AuthorizationServerId = "",
    };
    app.UseOktaMvc(oktaOptions);
}
}
Log off
/// <summary>
/// Ends the current session by signing out of the Identity application cookie, the
/// default OWIN cookie type and the Okta OIDC authentication type, then returns the
/// browser to the home page.
/// </summary>
/// <returns>
/// A redirect to Home/Index. When the Okta middleware handles the sign-out it presumably
/// replaces this with a redirect to the Okta logout endpoint — confirm.
/// </returns>
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
    // Nothing to clear for an anonymous caller.
    if (!HttpContext.User.Identity.IsAuthenticated)
    {
        return RedirectToAction("Index", "Home");
    }

    // NOTE(review): the Okta sign-out appears to build its logout redirect from the id_token
    // carried by the identity being signed out. If the employee session lives only in the
    // ApplicationCookie issued by Identity (which may not carry that claim), the request goes
    // out without an id_token_hint — verify which claims the cookie actually contains.
    var authenticationTypes = new[]
    {
        DefaultAuthenticationTypes.ApplicationCookie,
        CookieAuthenticationDefaults.AuthenticationType,
        OktaDefaults.MvcAuthenticationType
    };
    AuthenticationManager.SignOut(authenticationTypes);

    return RedirectToAction("Index", "Home");
}
PostLogout
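/// <summary>
/// Landing action after sign-out (presumably the target of okta:PostLogoutRedirectUri —
/// confirm); it simply sends the user back to the home page.
/// </summary>
/// <returns>A redirect to Home/Index.</returns>
public ActionResult PostLogout()
{
    // Plain ASCII quotes: the typographic quotes in the pasted version do not compile.
    return RedirectToAction("Index", "Home");
}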