We have a .NET Core 2.1 REST service that handles Windows and Forms authentication and I’m looking to extend it to handle Okta authentication as well. This service has no UI and is used by our web applications to handle authenticating users either through their domain account or through supplied username/password credentials stored in our DB.
In Okta’s case we would be taking their account login credentials from a form on a login page and passing them to our service to process via communicating with Okta. We specifically don’t want to interface with Okta from the application containing the UI, so the request has to be sent to our authentication service first.
The issue I’m having involves storing the session/cookie data to persist authentication between REST calls, and I would like some guidance on how the service needs to be configured.
Here’s the relevant content in my Startup.cs which is largely copy/pasted from the Okta github examples (please forgive any formatting errors this is my first time posting to the forms ):
public void ConfigureServices(IServiceCollection services)
{
...
`if (appSettings.UseOkta)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOktaMvc(new OktaMvcOptions()
{
// Replace these values with your Okta configuration
OktaDomain = Configuration.GetValue<string>("Okta:OktaDomain"),
ClientId = Configuration.GetValue<string>("Okta:ClientId"),
ClientSecret = Configuration.GetValue<string>("Okta:ClientSecret"),
});
}`
...
services.AddMvc();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc();
}
Then I have a POC API controller with an endpoint that should handle authenticating with Okta and storing user data (ultimately the logic is going to be pulled into a separate service class to handle interfacing with Okta).
[HttpPost("SignIn")]
public IUser SignIn(UserCreds user)
{
var authClient = new AuthenticationClient(new OktaClientConfiguration
{
OktaDomain = _config.GetValue<string>("Okta:OktaDomain"),
Token = _config.GetValue<string>("Okta:ApiToken")
});
var authnOptions = new AuthenticateOptions()
{
Username = user.Username,
Password = user.Password,
};
var authnResponse = authClient.AuthenticateAsync(authnOptions).Result;
var oktaUser = oktaClient.Users.GetUserAsync(user.Username).Result;
// Generate list of claims based on returned user groups and assign to "claims" obj.
var identity = new System.Security.Claims.ClaimsIdentity(claims, AuthenticationTypes.Federation);
var authProperties = new AuthenticationProperties
{
AllowRefresh = true,
IsPersistent = true,
ExpiresUtc = authnResponse.ExpiresAt,
};
var userPrincipal = new System.Security.Claims.ClaimsPrincipal(identity);
HttpContext.User = userPrincipal;
HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, authProperties).Wait();
return oktaUser;
}
After that’s all run and I step through the process I can check the HttpContext.User.Identity object to see IsAuthenticated is set to true. However, on subsequent calls to the service IsAuthenticated is false and the claims aren’t attached to the user.
What am I missing for this workflow?