Okta.AspNet and ASP.NET External Login


#1

I’ve got the Okta.AspNet package working with a barebones (i.e., created w/No Authentication) ASP.NET (not Core) MVC app. Works great, and was easy to set up!

Problem is, we’ve got some existing systems that are already using ASP.NET Identity to manage users. Some users are part of our org and some aren’t, so supporting the former via Okta and the latter as-is would be ideal.

I tried integrating the Okta.AspNet package into a fresh ASP.NET MVC app created with Individual User Accounts. It shows up as an external login option (the button is labeled “OpenIdConnect”, but that’s minor). I can click it, get redirected to our Okta login page, log in, and jump back. But while all my claims appear to be pulled back (as seen in a Fiddler trace), AuthenticationManager.GetExternalLoginInfoAsync() in AccountController.ExternalLoginCallback() always returns null. AuthenticationManager.AuthenticationResponseGrant is null, which probably explains that, but it means my login info isn’t making it through the pipeline.

I realize I’ll probably need to post the ConfigureAuth() contents, but wanted to quickly check whether this is a supported config at all, or if someone else has hit this and knows of something simple I might’ve missed. Thanks!


#2

Hi, did you ever fix this?


#3

I have not, and I noticed you’re having a similar issue. I thought I might have more luck with ASP.NET Core (despite not being able to upgrade our sites right now), if only because I know better how to get it to log verbosely, but it’s the same problem with a fresh app there.

Trying to mesh ASP.NET Identity with Okta’s NuGet package, there’s some kind of disconnect where the response comes back with claims, but those never make it far enough for the auth system to notice. If I strip out the Identity setup bits of the Configure* functions, the Okta part works. I get a user and claims and could then link that to some EF entries for local roles, etc. But trying to add Identity back in (for the non-org users), Okta users again aren’t seen by the system.

I’m not sure what I can do to get more logging of the process. I’ve got the Microsoft.Owin bits writing what I can.


#4

I switched to the vanilla OpenIdConnect OAuth code from Microsoft and eventually got it working - I had to download the OpenIdConnect source and step through it to see where I was going wrong.

Here’s a link to a Stack Overflow answer I put up yesterday that has my startup.auth.vb source in it - the key to me was getting the ResponseType correct (it was only returning a code, not a code + id_token). It now works interchangeably with Auth0 and Okta, so seems pretty solid.

The code is actually logging errors, but I couldn’t find where they were going to - way to go Microsoft. If this approach doesn’t solve your problem I’d download the OpenIdConnect source from GitHub, add the project to your code and call it instead of the NuGet package - you’ll be able to debug where the system is throwing and work out what you need to do to fix it.

Good luck!
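
The kind of setup post #4 describes, sketched in C# as an added example (it is not the poster's startup.auth.vb and not Okta's or Microsoft's sample code): Microsoft's OWIN OpenID Connect middleware registered next to ASP.NET Identity, requesting a code plus an id_token and writing sign-in failures to the trace log. The "Okta" provider name, the passive mode, the scopes and the oidc:* appSettings keys are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Local ASP.NET Identity users keep signing in through the application cookie.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // GetExternalLoginInfoAsync() reads the identity stored in this cookie.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "Okta",   // assumed provider name
            Caption = "Okta",              // button text instead of the default "OpenIdConnect"
            // Assumption: passive, so only an explicit external-login challenge redirects.
            AuthenticationMode = AuthenticationMode.Passive,
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
            // Hypothetical appSettings keys; keep the secret out of source control.
            Authority = ConfigurationManager.AppSettings["oidc:Authority"],
            ClientId = ConfigurationManager.AppSettings["oidc:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["oidc:ClientSecret"],
            RedirectUri = ConfigurationManager.AppSettings["oidc:RedirectUri"],
            // The setting post #4 calls the key: ask for a code and an id_token.
            ResponseType = "code id_token",
            Scope = "openid profile email",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Surface validation errors; log the exception only, never the tokens.
                AuthenticationFailed = context =>
                {
                    Trace.TraceError("OIDC sign-in failed: {0}", context.Exception);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```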