OIDC Authentication works in local machine but not in Github

Hi All,

We are trying to integrate our application with Okta but are unable to do so… The application works perfectly fine on my local machine, but when we try to build the application repository using GitHub Actions it fails.

The only change here is that we build our application from GitHub using GitHub Actions; once the build is done, we push the container image to an AWS ECS repository as a single artifact.

I am not sure what is wrong here. Can you please help us with this?

I am also attaching screenshots below, which show the semantics we are following (as per the Okta dev documentation) to have this application deployed from GitHub.

Authentication flow:

OIDC Object Used:

Thanks,
Mateen

Interesting - Are there any specific errors you can point to? Which SDK(s) are you using?

Hi there, thanks for looking into this…

Our application front end is built using ReactJS, with a Node.js backend (version 10, which is an Express application). We are using the oidc-middleware and jwt-verifier node packages to have this running.

I don't see any errors in the GitHub build, because the build fails after running for a long time (more than 30 mins; generally it should complete in 14 mins), and since the GitHub build happens on GitHub's servers we don't see any logs.

Interestingly… when I comment out app.use('*', okta.ensureAuthenticated()) in the code, the deployment completes (in ~14 mins)… but at runtime we see an error (and on my local machine I can run this application without commenting out this line).

Below is the log from the browser.

Below is the code we are using to achieve this.


const express = require("express");
const logger = require("./logger");
var bodyParser = require("body-parser");
var cors = require("cors");
const argv = require("./argv");
const port = require("./port");
const setup = require("./middlewares/frontendMiddleware");
const session = require("express-session");
const { ExpressOIDC } = require("@okta/oidc-middleware");
const isDev = process.env.NODE_ENV !== "production";
var helmet = require("helmet");
var Router = require("./app/routes/index");
var rfs = require("rotating-file-stream");
var path = require("path");
var morganBody = require("morgan-body");

var { oidc } = require("./config"); // Okta credentials are here
const fetch = require("node-fetch");
const SimpleLDAP = require("simple-ldap-search").default;
SimpleLDAP.LDAP_OPT_X_TLS_NEVER = 1;
// NOTE: this disables TLS certificate verification for every outbound HTTPS
// request made by this process, including the calls to the Okta issuer.
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

// Neither of these was defined in the posted snippet; values assumed here so the file runs.
const v1_base_path = process.env.V1_BASE_PATH || "/api/v1";
const accessLogStream = rfs.createStream("access.log", {
  interval: "1d",
  path: path.join(__dirname, "log"),
});

const app = express();
const okta = new ExpressOIDC(oidc);

app.use(session({
  secret: "MyS3sssion SE1c7et",
  resave: true,
  saveUninitialized: false,
}));

// ensureAuthenticated() returns a middleware function; it must be invoked with
// (req, res, next), otherwise the check never runs and next() is called unconditionally.
function authenticationRequired(req, res, next) {
  req.headers["content-type"] = "text/html";
  return okta.ensureAuthenticated()(req, res, next);
}

app.use(bodyParser.json()); // parsing request body
morganBody(app, { stream: accessLogStream, noColors: true }); // request/response body logging
app.use(
  bodyParser.urlencoded({
    extended: true,
  })
); // parsing request queries
// Serve the static front-end bundle under the API base path
app.use(v1_base_path, express.static("public"));

app.use(
  cors({
    origin: "*",
    exposedHeaders: ["GET,HEAD,PUT,PATCH,POST,DELETE"],
    methods: "GET,PUT,POST,DELETE",
    preflightContinue: false,
    optionsSuccessStatus: 204,
  })
);

// app.use(v1_base_path, authenticationRequired, Router);
app.use(okta.router);
app.use("*", okta.ensureAuthenticated());

/**
 * An example route that requires a valid access token for authentication; it
 * will echo the contents of the access token if the middleware successfully
 * validated the token.
 */
app.get("/healthcheck", (req, res) => {
  res.json({
    message: "Success!!!",
  });
});

// ensureAuthenticated() is mounted as route middleware so the handler only runs
// for a logged-in user and req.userContext is populated before it is read.
app.post("/oauth/initiate", okta.ensureAuthenticated(), (req, res) => {
  req.headers["content-type"] = "text/html";
  const emailId = req.userContext && req.userContext.userinfo.email;
  const userName = emailId.replace("@logitech.com", "");
  console.log(`Loggedin User ${userName}`);
  return res.json({ statusCode: 200, statusMessage: `Loggedin User ${userName}`, userName: userName });
});

setup(app, {
  outputPath: path.resolve(process.cwd(), "build"),
  publicPath: "/",
});

// get the intended host and port number, use localhost and port 3000 if not provided
const customHost = argv.host || process.env.HOST;
const host = customHost || null; // Let http.Server use its default IPv6/4 host
const prettyHost = customHost || "localhost";

// use the gzipped bundle
app.get("*.js", (req, res, next) => {
  req.url = req.url + ".gz"; // eslint-disable-line
  res.set("Content-Encoding", "gzip");
  next();
});

// Only start listening once the middleware has fetched the issuer's metadata
okta.on("ready", () => {
  app.listen(port, () => {
    logger.appStarted(port, prettyHost);
    console.log(":) App started on", prettyHost, "on port", port);
  });
});

okta.on("error", (err) => {
  console.error("OIDC ERROR: ", err);
});

Thanks,
Mateen

It looks like you need to add the domain your app is hosted on as a Trusted Origin for CORS and Redirects.

Hi Andrea, thanks for looking into this.

We have given the config below for CORS and redirects. Despite that, it's not working.

Thanks,
Mateen

Hi All,

It's been a while that we have been trying this. Can anyone please help me with this request?

Are you making an AJAX request to the /authorize endpoint? Per our docs, the authorize endpoint does not support AJAX requests and the user-agent must be redirected to this endpoint to initiate the OIDC flow.
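One way to reconcile the redirect requirement above with a React front end that calls the API via fetch, as an added example that is not part of the original thread or of @okta/oidc-middleware: browser navigations still go through the real guard (assumed to be okta.ensureAuthenticated(), passed in by the caller and invoked with (req, res, next) as a middleware must be), while fetch/XHR calls get a 401 JSON body pointing at the login route instead of a redirect into Okta's /authorize endpoint. The /login path and the req.userContext check are assumptions; a stand-in guard and a fake response are constructed so the block runs offline.

```javascript
// Added example, not code from the original post or from @okta/oidc-middleware.
function isApiRequest(req) {
  const headers = req.headers || {};
  const h = (name) => String(headers[name] || "").toLowerCase();
  // A top-level navigation sends Sec-Fetch-Mode: navigate and Accept: text/html;
  // fetch()/XHR calls from the SPA send Sec-Fetch-Mode: cors/same-origin,
  // X-Requested-With, or an Accept header that asks for JSON only.
  if (h("sec-fetch-mode") === "navigate") return false;
  if (h("x-requested-with") === "xmlhttprequest") return true;
  if (h("sec-fetch-mode") === "cors" || h("sec-fetch-mode") === "same-origin") return true;
  const accept = h("accept");
  return accept.includes("application/json") && !accept.includes("text/html");
}

// ensureAuthenticated: a factory returning an Express middleware (assumed to be
// okta.ensureAuthenticated from the page's code). loginPath is assumed to be the
// route the OIDC router mounts for starting the login flow.
function apiAwareAuth(ensureAuthenticated, loginPath = "/login") {
  const guard = ensureAuthenticated(); // the real middleware; call it with (req, res, next)
  return function (req, res, next) {
    // req.userContext is populated by the middleware once the user is logged in
    if (req.userContext && req.userContext.userinfo) return next();
    if (isApiRequest(req)) {
      // Do not redirect an AJAX call into /authorize; tell the SPA where to navigate.
      return res.status(401).json({ statusCode: 401, loginUrl: loginPath });
    }
    return guard(req, res, next); // browser navigation: let the OIDC redirect happen
  };
}

// Offline harness (constructed): a stand-in guard that redirects the way the real
// ensureAuthenticated does, and a fake Express response recording the outcome.
function simulate(req) {
  const fakeGuard = () => (rq, rs) => rs.redirect("/login");
  const out = { statusCode: 200, passed: false };
  const res = {
    status(code) { out.statusCode = code; return this; },
    json(body) { out.body = body; return this; },
    redirect(location) { out.statusCode = 302; out.location = location; return this; },
  };
  apiAwareAuth(fakeGuard)(req, res, () => { out.passed = true; });
  return out;
}
```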

Hi Andrea,
I am not directly requesting it. It's requested from the node libraries, I guess; my issuer URI is https://logitech.okta.com/.

Below is the complete oidc config we are using.
oidc: {
  client_id: '*',
  client_secret: '*',
  issuer: 'https://logitech.okta.com/',
  appBaseUrl: 'https://dev-customermdm.logitech.com',
  scope: 'openid profile email',
  callback: '/authorization-code/callback',
  redirect_uri: 'https://dev-customermdm.logitech.com/authorization-code/callback'
}

Can you open a support case by using the support portal or by emailing developers@okta.com? Someone will likely need to review your application and the calls it is making a bit further.

Thanks a lot… I opened a support case.
