OIDC login redirect not working

I followed the sample OIDC app, created an application at https://dev-85466444-admin.okta.com and was able to write some code locally to test it out. Everything worked and dev Okta was able to redirect to my local box.

When my IT team tried to set me up with the corporate Okta app, Okta won't redirect the callback to my application. The user is landing on the Okta home page. Here is the code that gets passed from the browser:

<?php
global $OAUTH2_CLIENT_ID, $ISSUER;
session_start();
// Anti-CSRF state, stored in the session and checked again on the callback
$_SESSION['state'] = hash('sha256', microtime(TRUE).rand().$_SERVER['REMOTE_ADDR']);
$query = http_build_query([
    'client_id' => $OAUTH2_CLIENT_ID,
    'response_type' => 'code',
    'response_mode' => 'query',
    'scope' => 'openid profile',
    // Must exactly match the login redirect URI registered on the OIDC app
    'redirect_uri' => 'http://10.14.80.123/myapp/restapi/v1/auth/okta/callback',
    'state' => $_SESSION['state'],
    'nonce' => microtime()
]);
// Redirects to the issuer itself (no /oauth2/v1/authorize path), which is the behaviour discussed below
header('Location: ' . $ISSUER . '?' . $query);
exit();

Where $OAUTH2_CLIENT_ID is the client ID you get after creating the OIDC app, and $ISSUER is https://mycompany.okta.com. The URL http://10.14.80.123/myapp/restapi/v1/auth/okta/callback is set as the login redirect URL in the OIDC settings. The browser redirects to my organization's Okta app, but upon authentication, instead of redirecting the user back to my application, the user lands on the Okta home page https://mycompany.okta.com/app/UserHome.

Am I doing anything wrong? Have the parameters changed?

The IP address in your redirect_uri is a private IP address… just want to verify that is where you want users going on the corporate network when they login.

Thanks for responding. Yes, the IP address is private, since we are testing the setup. Once the setup works successfully, we plan to change to the actual VIP URLs.

These are your parameters to the /authorize endpoint, right? Do you see any errors occurring during these redirections (from your app to Okta, from Okta back to your app), either in Okta or the browser?

  1. If I try the authorize endpoint, like this:
    https://mycompany.okta.com/v1/authorize?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted

    I get a 404 page not found.

  2. If I try without the authorize endpoint, like this:
    https://mycompany.okta.com/?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted

    I get to the Okta login page and, upon successful login, land on my company's Okta home instead of getting back into my app at the specified redirect URL. No errors.

Ah, it looks like you're not using the right base URL here, which would explain the 404 you see AND why the second URL only results in users logging into your Okta org and not your OIDC app.

Can you try using a URL like the one below instead, so that the request is made to the authorization server? Note the /oauth2 in the request path, which is missing from your 1st example.

https://mycompany.okta.com/oauth2/v1/authorize?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted
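The fix above is to send the request to the authorization server's authorize endpoint rather than to the bare issuer. The safer way to get that path right is to read authorization_endpoint from the issuer's OIDC discovery document instead of hand-building it; the following is an added example, not the poster's code or Okta's, and it assumes a constructed discovery document, a placeholder client ID and a plain array standing in for $_SESSION:

```php
<?php
// Added example: derive the authorize endpoint from the issuer's discovery document
// (GET {issuer}/.well-known/openid-configuration) and build the request with
// unpredictable state/nonce values. Not the original poster's code.
declare(strict_types=1);

// Constructed sample of the discovery document for the org authorization server;
// a real deployment fetches it over HTTPS once and caches it.
const SAMPLE_DISCOVERY = '{"issuer":"https://mycompany.okta.com",
 "authorization_endpoint":"https://mycompany.okta.com/oauth2/v1/authorize",
 "token_endpoint":"https://mycompany.okta.com/oauth2/v1/token"}';

function authorizationEndpoint(string $issuer, string $discoveryJson): string {
    $doc = json_decode($discoveryJson, true, 512, JSON_THROW_ON_ERROR);
    // The issuer in the document must equal the one we asked for; otherwise a
    // misrouted or spoofed document could send users to a different server.
    if (($doc['issuer'] ?? null) !== rtrim($issuer, '/')) {
        throw new RuntimeException('issuer mismatch in discovery document');
    }
    $endpoint = $doc['authorization_endpoint'] ?? '';
    if (strncmp($endpoint, 'https://', 8) !== 0) {
        throw new RuntimeException('authorization_endpoint missing or not https');
    }
    return $endpoint;
}

function buildAuthorizeUrl(string $endpoint, string $clientId, string $redirectUri, array &$session): string {
    // state binds the callback to this browser session (CSRF protection) and nonce binds
    // the ID token to this request; both must be unguessable, unlike microtime()/rand().
    $session['oidc_state'] = bin2hex(random_bytes(32));
    $session['oidc_nonce'] = bin2hex(random_bytes(32));
    $query = http_build_query([
        'client_id'     => $clientId,
        'response_type' => 'code',
        'response_mode' => 'query',
        'scope'         => 'openid profile',
        'redirect_uri'  => $redirectUri, // must match the registered login redirect URI exactly
        'state'         => $session['oidc_state'],
        'nonce'         => $session['oidc_nonce'],
    ], '', '&', PHP_QUERY_RFC3986);
    return $endpoint . '?' . $query;
}

// Callback side: accept the response only if state matches what this session issued (single use).
function callbackStateIsValid(array $query, array &$session): bool {
    $expected = $session['oidc_state'] ?? '';
    unset($session['oidc_state']);
    return $expected !== '' && isset($query['state']) && hash_equals($expected, (string) $query['state']);
}

$session = [];
$endpoint = authorizationEndpoint('https://mycompany.okta.com', SAMPLE_DISCOVERY);
echo buildAuthorizeUrl($endpoint, 'placeholder-client-id', 'http://10.14.80.123/myapp/restapi/v1/auth/okta/callback', $session), PHP_EOL;
```

For a custom authorization server the issuer is https://mycompany.okta.com/oauth2/default and its discovery document advertises /oauth2/default/v1/authorize, which is why reading the endpoint from discovery avoids guessing between the two paths mentioned in this thread.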

@andrea I had tried /oauth2/default/v1/authorize but not /oauth2/v1/authorize. I will be able to test this out on Monday and confirm whether it works. Thanks for your input.