OIDC login redirect not working

I followed sample OIDC app, created an application at https://dev-85466444-admin.okta.com and was able to write some code locally to test it out. Everything worked and dev okta was able to redirect to my local box.

When my IT team tried to set me up with the corporate Okta app, Okta won't redirect the callback to my application. The user is landing on the Okta home page. Here is the code that gets passed from the browser:

global $OAUTH2_CLIENT_ID, $ISSUER;
session_start();
// Per-session state value, checked again when Okta redirects back
$_SESSION['state'] = hash('sha256', microtime(TRUE).rand().$_SERVER['REMOTE_ADDR']);
$query = http_build_query([
    'client_id' => $OAUTH2_CLIENT_ID,
    'response_type' => 'code',
    'response_mode' => 'query',
    'scope' => 'openid profile',
    'redirect_uri' => 'http://10.14.80.123/myapp/restapi/v1/auth/okta/callback',
    'state' => $_SESSION['state'],
    'nonce' => microtime()
]);
// Send the browser to Okta with the authorization request parameters
header('Location: ' . $ISSUER . '?' . $query);
exit();

Where $OAUTH2_CLIENT_ID is the client id you get after creating the OIDC app, and $ISSUER is https://mycompany.okta.com. The URL http://10.14.80.123/myapp/restapi/v1/auth/okta/callback is set as the login redirect URL in the OIDC settings. The browser redirects to my organization’s Okta app, but upon authentication, instead of redirecting the user back to my application, the user lands on the Okta home page https://mycompany.okta.com/app/UserHome

Am I doing anything wrong? Have the parameters changed?

The IP address in your redirect_uri is a private IP address… just want to verify that is where you want users going on the corporate network when they login.

Thanks for responding. Yes the IP address is private, since we are testing the setup. Once the setup works successfully, we planned to change to the actual VIP urls.

These are your parameters to the /authorize endpoint, right? Do you see any errors occurring during these redirections (from your app to Okta, from Okta back to your app), either in Okta or the browser?

  1. If I try the authorize endpoint, like this:
    https://mycompany.okta.com/v1/authorize?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted

    I get 404 page not found.

  2. If I try without the authorize endpoint, like this:
    https://mycompany.okta.com/?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted

    I get to the Okta login page and upon successful login, land on my company’s Okta home instead of getting back to my app specified as the redirect URL. No errors.

Ah, looks like you’re not using the right base URL here, which would explain the 404 you see AND why the second URL only results in users logging into your Okta org and not your OIDC app.

Can you try using a URL like the one below instead, so that the request is being made to the authorization server? Note the /oauth2 in the request path, which is missing from your 1st example.

https://mycompany.okta.com/oauth2/v1/authorize?client_id=redacted&response_type=code&response_mode=query&redirect_uri=http%3A%2F%2F10.14.80.123%2Fmyapp%2Frestapi%2Fv1%2Fauth%2Fokta%2Fcallback&state=redacted&nonce=redacted
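As an added illustration (not code from this thread or from Okta), the following builds the authorization request against either the org authorization server (/oauth2/v1/authorize, as suggested above) or a custom one (/oauth2/default/v1/authorize), and checks the returned state on the callback; the org URL, client id and redirect URI are taken from the thread, the client id value is a placeholder.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorize_url(org_url, client_id, redirect_uri, auth_server_id=None,
                        scope="openid profile"):
    """Return (url, state, nonce) for the OIDC authorization code flow.

    org_url:        Okta org base URL, e.g. https://mycompany.okta.com
    auth_server_id: None      -> org authorization server, /oauth2/v1/authorize
                    "default" -> custom authorization server, /oauth2/default/v1/authorize
    state and nonce come from the CSPRNG; the caller stores them in the session,
    compares state on the callback and nonce against the ID token claim.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    path = "/oauth2/" + (auth_server_id + "/" if auth_server_id else "") + "v1/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return org_url.rstrip("/") + path + "?" + urlencode(params), state, nonce


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect Okta sends back.

    Rejects error responses and any response whose state does not match the
    value stored when the flow started (CSRF protection for the callback).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholder client id; the redirect URI is the one used in the thread
    url, state, nonce = build_authorize_url(
        "https://mycompany.okta.com", "0oaPLACEHOLDER",
        "http://10.14.80.123/myapp/restapi/v1/auth/okta/callback")
    print(url)
```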

@andrea I had tried /oauth2/default/v1/authorize but not /oauth2/v1/authorize. I will be able to test this out on Monday and confirm whether it works. Thanks for your inputs.

The endpoint https://mycompany.okta.com/oauth2/v1/authorize worked and redirected back to my application. Thanks Andrea.

My application is now able to exchange the code for a JWT token. But when it tries to validate the JWT token using JwtVerifier, it's failing at okta-jwt-verifier-php/JwtVerifier.php at develop · okta/okta-jwt-verifier-php · GitHub

src/JwtVerifier.php:99
            throw new \DomainException("Could not access a valid JWKS_URI from the metadata.  We made a call to {$this->wellknown} endpoint, but jwks_uri was null. Please make sure you are using a custom authorization server for the jwt verifier.");

In the debug session I checked the value of $this->wellknown =
"https://mycompany.okta.com/oauth2/.well-known/oauth-authorization-server"

We are probably missing some sort of setup step, or something that's supposed to run at the endpoint is not running. Any idea what it could be?

Does your Okta tenant have the API Access Management SKU? This feature allows you to use/create custom authorization servers, which are required for OAuth use cases where you need to locally validate access tokens. Developer orgs will have this feature enabled by default, but your paid tenant doesn’t seem to have the required SKU.

More details about this limitation here: https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token

If you need to be able to validate access tokens to protect your own resource server, you/your Okta admin may wish to discuss the API Access Management feature with your Okta Account Manager.

I have a similar problem.

I am using https://dev-redacted.okta.com/oauth2/v1/authorize?client_id=0oaredacted5d7&redirect_uri=http%3A%2F%2Fredacted&scope=openid+email&access_type=offline&response_type=code&state=eyJjredactedfQ%3D%3D

It redirects me to https://dev-redacted.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=Xagredactedb1Q

When I sign in with Google, the user lands on the Okta home page.

Am I doing anything wrong?

Are you using a self-hosted widget? Can you take a look at this guide?

All social auth providers will redirect the user back to the Okta dashboard unless the user is authenticating through that provider on an Okta-hosted SP-initiated flow or your custom widget is configured to redirect them appropriately.

Thanks @andrea. I am not using a self-hosted widget. I was trying to set up Google login and I found what I needed in Social Login overview | Okta Developer and Identity Provider routing rules.
