Okta Authentication fails for Python Flask app .004 version

I have a free OKTA developer’s account to test two Python Flask applications in development so the authentication can later be put into production with Driscoll’s corporate account.

I was able to do this for the first app but unable to do this for a second very similar app. I could use some developer help to make sure I have not overlooked something.

It uses okta version .004 (UserClients version).

Thanks for any help, Phil

I should also mention I am getting the following error message when trying to access the second, unsuccessful application. I would be happy to grant access to support to look at my settings or have a meeting.

Thank you,
Dr. Phillip McClurg
Senior Informatics Manager
Driscoll’s Global R&D

404 Not Found

Not Found

The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

https://sjcbiobox.driscolls.com:9460/dev-30359346.okta.com/oauth2/default/v1/authorize?access_type=offline&scope=openid+email+profile&client_id=0oa6bjcwcUqkNDZvx5d6&redirect_uri=https%3A%2F%2Fsjcbiobox.driscolls.com%3A9460%2Fcallback&response_type=code&state=eyJkZXN0aW5hdGlvbiI6ICJleUpoYkdjaU9pSklVelV4TWlKOS5JbWgwZEhCek9pOHZjMnBqWW1sdlltOTRMbVJ5YVhOamIyeHNjeTVqYjIwNk9UUTJNQzlrWVhOb1ltOWhjbVFpLmNqZ0F0Nm9xTEtsSlFHN0NzTVpKRWlpckZITWV2a1R2VGxMX1BZTG56RVpWUUVZOUVEWndTTHJDdEZNYktsQmtWYVlVMjE2blhMYUpWaHYtelRHLWNBIiwgImNzcmZfdG9rZW4iOiAiZkRtbFdMYkF3elhTVDhnODVCaUNuU1BkV3AyTDA5bUsifQ%3D%3D

Hi @pmcclurg - it looks like maybe there’s an issue with how you’re forming that URL. The URL path is your dev-30359346 domain.

https://sjcbiobox.driscolls.com:9460/dev-30359346.okta.com

Perhaps there’s an issue going on with hard coding clashing with environment variables?

Also as a side note, it’s generally recommended state is a randomized string. It looks like you are passing a JWT in state which potentially could be exploited by an attacker.

Here is part of my client_secrets.json file (excluding client_id and client_secret):

"auth_uri": "dev-30359346.okta.com/oauth2/default/v1/authorize",
"token_uri": "https://dev-30359346.okta.com/oauth2/default/v1/token",
"issuer": "https://dev-30359346.okta.com/oauth2/default",
"userinfo_uri": "https://dev-30359346.okta.com/oauth2/default/userinfo",
"redirect_uris": [
  "https://sjcbiobox.driscolls.com:9460/oidc/callback"
]

this is the redirect URL (both for login and logout) for the application in my developers account

https://sjcbiobox.driscolls.com:9460/oidc/callback

I’m not sure how the URL is formed as I’m trying to recover an application left by an employee who has left - I used the same approach for the app that works fine with Okta.

Any suggestions what I might do to get around this problem - I’m a backend algorithm engineer who has been saddled with these problems.

Thank you Cale for any help you can provide.

Does this have any relationship to the Initiate login URI: https://localhost:5000 or are we just concerned with the redirect login?

Well I’m most concerned with the /authorize URL. Can you show me where in your code you are handling that auth_uri value from the client_secrets.json?

Hi Cale:

I think this is the code since the app uses oidc:

# OpenID Connect Dynamic Client Registration 1.0
import json

import httplib2


class RegistrationError(Exception):
    """Raised when the OpenID Provider rejects the registration request."""


def _json_loads(content):
    # httplib2 returns the response body as bytes; decode before parsing.
    if isinstance(content, bytes):
        content = content.decode('utf-8')
    return json.loads(content)


def check_redirect_uris(uris, client_type=None):
    """Stand-in for the helper this snippet calls (its body was not posted
    in the thread): derive the application_type from the redirect URIs.
    https:// URIs mean a 'web' client, http:// a 'native' client, the two
    kinds may not be mixed, and a URI without a scheme is rejected."""
    if len(uris) < 1:
        raise ValueError('At least one redirect URI is required')
    for uri in uris:
        if uri.startswith('https://'):
            if client_type == 'native':
                raise ValueError('https:// redirect URI for native client')
            client_type = 'web'
        elif uri.startswith('http://'):
            if client_type == 'web':
                raise ValueError('http:// redirect URI for web client')
            client_type = 'native'
        else:
            raise ValueError('Unknown redirect URI scheme: %s' % uri)
    return client_type


def register_client(provider_info, redirect_uris):
    """
    This function registers a new client with the specified OpenID Provider,
    and then returns the registered client ID and other information.

    :param provider_info: The contents of the discovery endpoint as
        specified by the OpenID Connect Discovery 1.0 specifications.
    :type provider_info: dict
    :param redirect_uris: The redirect URIs the application wants to
        register.
    :type redirect_uris: list
    :returns: An object containing the information needed to configure the
        actual client code to communicate with the OpenID Provider.
    :rtype: dict
    :raises ValueError: The same error as used by check_redirect_uris.
    :raises RegistrationError: Indicates an error was returned by the OpenID
        Provider during registration.

    .. versionadded:: 1.0
    """
    client_type = check_redirect_uris(redirect_uris)

    submit_info = {'redirect_uris': redirect_uris,
                   'application_type': client_type,
                   'token_endpoint_auth_method': 'client_secret_post'}

    headers = {'Content-type': 'application/json'}

    resp, content = httplib2.Http().request(
        provider_info['registration_endpoint'], 'POST',
        json.dumps(submit_info), headers=headers)

    if int(resp['status']) >= 400:
        raise RegistrationError('Error: the server returned HTTP '
                                + resp['status'])

    client_info = _json_loads(content)

    if 'error' in client_info:
        raise RegistrationError('Error occurred during registration: %s (%s)'
                                % (client_info['error'],
                                   client_info.get('error_description')))

    # These endpoint values come straight from the discovery document, so
    # they are absolute https URLs (unlike a hand-edited client_secrets.json).
    json_file = {'web': {
        'client_id': client_info['client_id'],
        'client_secret': client_info['client_secret'],
        'auth_uri': provider_info['authorization_endpoint'],
        'token_uri': provider_info['token_endpoint'],
        'userinfo_uri': provider_info['userinfo_endpoint'],
        'redirect_uris': redirect_uris,
        'issuer': provider_info['issuer'],
    }}

    return json_file


But honestly, I could be wrong - all the other occurrences of “auth_uri” in the code are not referenced, except in client_secrets.json.

And for additional info, the top URL is what is formed for the “bad” app, and the second for the “good” app that reaches the Okta credentials.

https://sjcbiobox.driscolls.com:9460/dev-30359346.okta.com/oauth2/default/v1/authorize?access_type=offline&scope=openid+email+profile&client_id=0oa6bjcwcUqkNDZvx5d6&redirect_uri=https%3A%2F%2Fsjcbiobox.driscolls.com%3A9460%2Fcallback&response_type=code&state=eyJkZXN0aW5hdGlvbiI6ICJleUpoYkdjaU9pSklVelV4TWlKOS5JbWgwZEhCek9pOHZjMnBqWW1sdlltOTRMbVJ5YVhOamIyeHNjeTVqYjIwNk9UUTJNQzlrWVhOb1ltOWhjbVFpLmNqZ0F0Nm9xTEtsSlFHN0NzTVpKRWlpckZITWV2a1R2VGxMX1BZTG56RVpWUUVZOUVEWndTTHJDdEZNYktsQmtWYVlVMjE2blhMYUpWaHYtelRHLWNBIiwgImNzcmZfdG9rZW4iOiAiaUk3ZF9Ca3dkY2VLRktFaFIwNER0M0VCb1VGNm8ybFoifQ%3D%3D

https://dev-30359346.okta.com/oauth2/default/v1/authorize?client_id=0oa644my1g0o9lZk65d6&redirect_uri=https%3A%2F%2Fsjcbiobox.driscolls.com%3A9451%2Foidc%2Fcallback&scope=openid+email+profile&access_type=offline&response_type=code&state=eyJjc3JmX3Rva2VuIjogIjdVZ0pCYnhfSjQ5bnI0eGllV0xuVXoxaUFjUXZzbHdvIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEJ6T2k4dmMycGpZbWx2WW05NExtUnlhWE5qYjJ4c2N5NWpiMjA2T1RRMU1TOWtZWE5vWW05aGNtUWkubTlJYWgzS2lMQS00M1V6SUd2NjBUNDcyaEY2WHh5bmxFNmdWa1Nqb0lGUV9fSHp3QkJ4QjNpMHNqMGcyZHlsQW0zVXpMLVF4OF9LMGJTR2JPMWhwNUEifQ%3D%3D

Interesting…


For the good app it first shows

sjcbiobox.driscolls.com:9451

for a few seconds and then the url (and succeeding)

https://dev-30359346.okta.com/oauth2/default/v1/authorize?client_id=0oa644my1g0o9lZk65d6&redirect_uri=https%3A%2F%2Fsjcbiobox.driscolls.com%3A9451%2Foidc%2Fcallback&scope=openid+email+profile&access_type=offline&response_type=code&state=eyJjc3JmX3Rva2VuIjogIjdVZ0pCYnhfSjQ5bnI0eGllV0xuVXoxaUFjUXZzbHdvIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEJ6T2k4dmMycGpZbWx2WW05NExtUnlhWE5qYjJ4c2N5NWpiMjA2T1RRMU1TOWtZWE5vWW05aGNtUWkubTlJYWgzS2lMQS00M1V6SUd2NjBUNDcyaEY2WHh5bmxFNmdWa1Nqb0lGUV9fSHp3QkJ4QjNpMHNqMGcyZHlsQW0zVXpMLVF4OF9LMGJTR2JPMWhwNUEifQ%3D%3D

The bad app is putting both of these together (and failing)

https://sjcbiobox.driscolls.com:9460/dev-30359346.okta.com/oauth2/default/v1/authorize?access_type=offline&scope=openid+email+profile&client_id=0oa6bjcwcUqkNDZvx5d6&redirect_uri=https%3A%2F%2Fsjcbiobox.driscolls.com%3A9460%2Fcallback&response_type=code&state=eyJkZXN0aW5hdGlvbiI6ICJleUpoYkdjaU9pSklVelV4TWlKOS5JbWgwZEhCek9pOHZjMnBqWW1sdlltOTRMbVJ5YVhOamIyeHNjeTVqYjIwNk9UUTJNQzlrWVhOb1ltOWhjbVFpLmNqZ0F0Nm9xTEtsSlFHN0NzTVpKRWlpckZITWV2a1R2VGxMX1BZTG56RVpWUUVZOUVEWndTTHJDdEZNYktsQmtWYVlVMjE2blhMYUpWaHYtelRHLWNBIiwgImNzcmZfdG9rZW4iOiAiaUk3ZF9Ca3dkY2VLRktFaFIwNER0M0VCb1VGNm8ybFoifQ%3D%3D

-Phil


Anyway, it looks like it’s some code inside the algorithm doing this, which of course is not your responsibility - I guess I was hoping there was something in the Okta config that I needed to change. Thanks Cale and have a good evening.

Hi Cale:

I was able to resolve this following your advice. Above I had

"auth_uri": "dev-30359346.okta.com/oauth2/default/v1/authorize"

and noticed I had missed the beginning part of the URL, so I changed it to

"auth_uri": "https://dev-30359346.okta.com/oauth2/default/v1/authorize"

and now all works. You don’t know how much this means to us, as two critical-path pieces of software were blocked by a previous employee’s OKTA account and now we are good to go.

My deepest appreciation, Phil
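As an added illustration (not code from this thread, from Okta or from flask-oidc), the Python below reproduces why a scheme-less auth_uri turns into the concatenated URL seen earlier in the thread (a redirect target without a scheme is resolved as a path relative to the app's own origin), adds a config check that flags any non-https entry in client_secrets.json before the app is started, and generates the opaque random state value Cale's reply recommends instead of a JWT. The dictionary and APP_ORIGIN are constructed from the values posted above; the function names are my own.

```python
import secrets
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the thread's client_secrets.json "web" section
# (client_id/client_secret omitted as in the post); auth_uri is the
# scheme-less value that produced the 404.
BROKEN_SECRETS = {"web": {
    "auth_uri": "dev-30359346.okta.com/oauth2/default/v1/authorize",
    "token_uri": "https://dev-30359346.okta.com/oauth2/default/v1/token",
    "issuer": "https://dev-30359346.okta.com/oauth2/default",
    "userinfo_uri": "https://dev-30359346.okta.com/oauth2/default/userinfo",
    "redirect_uris": ["https://sjcbiobox.driscolls.com:9460/oidc/callback"],
}}

# Origin of the Flask app that issues the redirect (from the posted URLs).
APP_ORIGIN = "https://sjcbiobox.driscolls.com:9460/"


def resolve_as_browser(app_origin, location):
    """A Location value with no scheme is a relative reference, so it is
    joined onto the current origin; that is how the Okta host name ends up
    appended as a path segment of the app's own URL."""
    return urljoin(app_origin, location)


def check_client_secrets(secrets_doc):
    """Return (key, value) pairs that are not absolute https URLs.
    An empty list means every endpoint will redirect to the provider."""
    web = secrets_doc["web"]
    candidates = [(k, v) for k, v in web.items()
                  if k.endswith("_uri") or k == "issuer"]
    candidates += [("redirect_uris", u) for u in web.get("redirect_uris", [])]
    problems = []
    for key, value in candidates:
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append((key, value))
    return problems


def new_state():
    """Unguessable, opaque state for the authorize request; keep it in the
    server-side session and compare it on the callback."""
    return secrets.token_urlsafe(32)


def state_matches(stored, received):
    """Constant-time comparison of the stored and returned state."""
    return secrets.compare_digest(stored, received)
```

Running `check_client_secrets` against the fixed file (auth_uri prefixed with `https://`) returns an empty list, while the broken one reports only the auth_uri entry.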

