I followed the sample OIDC app, created an application at https://dev-85466444-admin.okta.com and was able to write some code locally to test it out. Everything worked and dev Okta was able to redirect to my local box.
When my IT team tried to set me up with the corporate Okta app, Okta won't redirect the callback to my application; the user lands on the Okta home page. Here is the code that gets passed from the browser:
Here, $OAUTH2_CLIENT_ID is the client ID you get after creating the OIDC app, and $ISSUER is https://mycompany.okta.com. The URL http://10.14.80.123/myapp/restapi/v1/auth/okta/callback is set as the login redirect URL in the OIDC settings. The browser redirects to my organization's Okta app, but upon authentication, instead of redirecting the user back to my application, the user lands on the Okta home page (My Company - Sign In).
Am I doing anything wrong? Have the parameters changed?
The IP address in your redirect_uri is a private IP address… just want to verify that is where you want users going on the corporate network when they login.
Thanks for responding. Yes the IP address is private, since we are testing the setup. Once the setup works successfully, we planned to change to the actual VIP urls.
These are your parameters to the /authorize endpoint, right? Do you see any errors occurring during these redirections (from your app to Okta, from Okta back to your app), either in Okta or the browser?
If I try the authorize endpoint, like this: https://mycompany.okta.com/v1/authorize?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted
I get a 404 page not found.
If I try without the authorize endpoint, like this: https://mycompany.okta.com/?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted
I get to the Okta login page and, upon successful login, land on my company's Okta home instead of getting back to my app specified as the redirect URL. No errors.
Ah, looks like you're not using the right base URL here, which would explain the 404 you see AND why the second URL only results in users logging into your Okta org and not your OIDC app.
Can you try using a URL like the one below instead, so that the request is made to the authorization server? Note the /oauth2 in the request path, which is missing from your first example.
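Putting Andrea's fix into code, as an added example that is not from this thread or from Okta: it builds the authorization-code request against the org authorization server path /oauth2/v1/authorize, lints an authorize URL for the mistakes shown above (path without /oauth2, missing parameters), and checks state on the callback before the code is exchanged. The client ID, redirect URI and state/nonce values are placeholders, and the helper names are my own.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Org authorization server endpoint, as suggested in the thread. A custom
# authorization server would use /oauth2/<server_id>/v1/authorize instead.
ORG_AUTHORIZE_PATH = "/oauth2/v1/authorize"
REQUIRED = ("client_id", "response_type", "redirect_uri", "scope", "state", "nonce")


def build_authorize_url(issuer, client_id, redirect_uri, state, nonce,
                        scope="openid profile"):
    """Build the /authorize request for the authorization-code flow.

    state and nonce should be fresh random values (e.g. secrets.token_urlsafe)
    stored in the user's session so the callback handler can check them.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{issuer.rstrip('/')}{ORG_AUTHORIZE_PATH}?{urlencode(params)}"


def authorize_url_problems(url):
    """Lint an Okta authorize URL; an empty list means it looks well-formed."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    problems = []
    if not (parts.path.startswith("/oauth2/") and parts.path.endswith("/v1/authorize")):
        problems.append("path is not /oauth2/v1/authorize or /oauth2/<server_id>/v1/authorize")
    problems += [f"missing {name}" for name in REQUIRED if name not in query]
    if "openid" not in query.get("scope", [""])[0].split():
        problems.append("scope must include openid for an OIDC request")
    return problems


def extract_callback_code(callback_url, expected_state):
    """Validate the redirect back to the app before exchanging the code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this callback is not the
    # request this session started, so the code must not be exchanged.
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    return query["code"][0]
```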
@andrea I had tried /oauth2/default/v1/authorize but not /oauth2/v1/authorize. I will be able to test this out on Monday and confirm whether it works. Thanks for your inputs.
src/JwtVerifier.php:99
throw new \DomainException("Could not access a valid JWKS_URI from the metadata. We made a call to {$this->wellknown} endpoint, but jwks_uri was null. Please make sure you are using a custom authorization server for the jwt verifier.");
Does your Okta tenant have the API Access Management SKU? This feature allows you to use/create custom authorization servers, which are required for OAuth use cases where you need to locally validate access tokens. Developer orgs will have this feature enabled by default, but your paid tenant doesn’t seem to have the required SKU.
If you need to be able to validate access tokens to protect your own resource server, you or your Okta admin may wish to discuss the API Access Management feature with your Okta Account Manager.
I am using https://dev-redacted.okta.com/oauth2/v1/authorize?client_id=0oaredacted5d7&redirect_uri=http%3A%2F%2Fredacted&scope=openid+email&access_type=offline&response_type=code&state=eyJjredactedfQ%3D%3D .
It redirects me to https://dev-redacted.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=Xagredactedb1Q .
When I sign in with Google, user lands on okta home page.
Are you using a self-hosted widget? Can you take a look at this guide?
All social auth providers will redirect the user back to the Okta dashboard unless the user is authenticating through that provider on an Okta-hosted SP-initiated flow or your custom widget is configured to redirect them appropriately.
The Initiate login URI is unrelated to what you’re describing. That setting only applies if you have “Login initiated by” set to “Either Okta or App” and tells Okta where the tile for the app on the end-user dashboard should redirect the user to. More details about this option here: Create OIDC app integrations using AIW | Okta
I recommend starting a new thread so we can investigate the issue you are encountering, because it may be different than the one Justin was seeing.