Okta + MVC web application + Authorization grant flow

Hi Team,

I want to develop an MVC web application as a client, with Okta as the OIDC provider.
I am new to MVC, but I have knowledge of C# and .NET.

I have already registered our application in the Okta server for authorization code.
I want some sample code for an MVC web application that communicates with the Okta server to receive the token and userinfo.

Here are some endpoints that need to be consumed in our client application:
{
"issuer": "https://dev-310258.okta.com/oauth2/default",
"authorization_endpoint": "https://dev-310258.okta.com/oauth2/default/v1/authorize",
"token_endpoint": "https://dev-310258.okta.com/oauth2/default/v1/token",
"registration_endpoint": "https://dev-310258.okta.com/oauth2/v1/clients",
"jwks_uri": "https://dev-310258.okta.com/oauth2/default/v1/keys",
"response_types_supported": ["code", "token", "id_token", "code id_token", "code token", "id_token token", "code id_token token"],
"response_modes_supported": ["query", "fragment", "form_post", "okta_post_message"],
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
"subject_types_supported": ["public"],
"scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
"claims_supported": ["ver", "jti", "iss", "aud", "iat", "exp", "cid", "uid", "scp", "sub"],
"code_challenge_methods_supported": ["S256"],
"introspection_endpoint": "https://dev-310258.okta.com/oauth2/default/v1/introspect",
"introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
"revocation_endpoint": "https://dev-310258.okta.com/oauth2/default/v1/revoke",
"revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
"end_session_endpoint": "https://dev-310258.okta.com/oauth2/default/v1/logout",
"request_parameter_supported": true,
"request_object_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]
}


I want to make the client implement the Authorization Code Flow with Okta.
I also want to get user information with their roles in our application.

Case: I log in to my PC using LDAP login and click on my web application name "TestOIDCApp"; then my app will detect the username and password and log in automatically.

Okta has a few quickstart guides for .NET implementations, but may I recommend using .NET Core.
Older .NET does not support authorization code flows.

Extra info: https://developer.okta.com/code/dotnet/aspnetcore/

Thanks for the quick response.

The .NET Core application is not running; it's getting errors
like "Access token not authorized".

OIDC-Client

Is anybody there to help me resolve this?

Hi Sander,

Please help me to run the existing application bug-free.

Also, tell me about scopes. What are they, and how do I manage them in our existing application?

That is my example, and I am using custom scopes.
openid profile
Try those 2.

Thanks for the help, dear.
After changing the scope as per above, the main page redirects to the Okta login page.
Once logged in on that page, it redirects to the below URL:

How can we use this code to get the ID token after the authorization code is received?
What should be the next step? After receiving the token, I want to redirect to the main page.

Your support is very valuable to me.

Have a look at the callback URL (placed in HomeController). There should be something that calls getToken(code).

You are right, dear; I have received the access token after exchanging the authorization code,
but after receiving the token I need to display the user profile in some sample page.

Only the access token is received, but how do I get "id_token" and "refresh_token" as in the sample below:

{
"access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d…",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V…",
"token_type": "Bearer",
"refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d…"
}

How and where do I use the /userinfo endpoint in the existing code?
Also, help me with the code below; in our existing client code I want to add the /userinfo endpoint.

Please share the source code for this.

Hi @bhavyakhanna,

We have several examples on GH; check out the following links:

Also, I recommend checking out our guides, where you can find step-by-step instructions to get started: https://developer.okta.com/docs/guides/sign-into-web-app/aspnet/before-you-begin/.

I hope this helps!

Hi,

I checked out the guide below earlier, but I am getting confused.
No callback URL endpoint is mentioned in the ASP.NET Web Forms example.

As such, there is no single article that describes A to Z; I mean the Authorization grant flow using the OIDC protocol to authenticate the user without opening the login page in a .NET MVC web application.

I just need to authenticate my ASP.NET web application with the Okta server via back-channel authentication and get the user profile from the server.

Please share a step-by-step guide and code according to my problem.

Thanks !!!

Hi,

Sorry, I missed the part where you are using LDAP for login. I haven't tried this myself before, but let me share some resources that might help you.

There's a guide to implementing the Authorization grant flow; you can check it out here: https://developer.okta.com/docs/guides/implement-auth-code/overview/.

Regarding using OIDC and skipping the Okta login page, you can use OWIN, which should make your life easier. It has an AuthenticationMode property that you can set to AuthenticationMode.Passive, so it wouldn't try to authenticate to Okta immediately.

Anyway, I suggest you contact support@okta.com (or open a support ticket via https://developer.okta.com/contact/). They can help you troubleshoot this issue with your application.

Hi,
Yes, I am using LDAP for login, but no sample is given in the Okta solution guide.
In some examples the Redirect URI definition is not mentioned, and in some examples some endpoints are missing.
Please help me by sharing full-fledged example code with OWIN.

Regards,
Bhavya khanna

If you are using the TokenService in my example, you also have a class called OktaToken; this is where I map the JSON you just posted. If you add 2 more properties for refresh_token and id_token, then you will also have them in an object. Originally I only return the access_token (in the GetToken method, there you see it return token.access_token or something like that). Instead of doing that, you can also just return the entire OktaToken object and take out whatever you need in your method.

If you got the above JSON, you basically authenticated the user…

The easiest option is to use the implicit flow for ASP.NET (not authorization code); it is less secure, but that is only available for the older framework.
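Putting the two replies above together (the callback action calling getToken(code), and mapping the whole token response instead of only access_token), here is an added example of what such a token service can look like in .NET Core; it is not Ironhide's OIDC-Client code. The issuer comes from the discovery document posted earlier in this thread; the client id, client secret, redirect URI and the /v1/userinfo path (assumed to follow the same /v1/ pattern as the token endpoint) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Maps the whole token response; property names match the JSON keys, like the thread's OktaToken.
public class OktaToken
{
    public string access_token { get; set; }
    public string id_token { get; set; }      // present only when the openid scope was requested
    public string refresh_token { get; set; } // present only when the offline_access scope was requested
}
public class OktaTokenService
{
    private static readonly HttpClient Http = new HttpClient();
    // Issuer from the discovery document posted above; client id, secret and redirect URI
    // are assumed placeholders and must match the app registration in Okta.
    private const string Issuer = "https://dev-310258.okta.com/oauth2/default";
    private const string ClientId = "<client-id>";
    private const string ClientSecret = "<client-secret>";
    private const string RedirectUri = "https://localhost:5001/callback";
    // Called from the callback action with the ?code= value, after the state parameter has been verified.
    public async Task<OktaToken> GetTokenAsync(string code)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, Issuer + "/v1/token");
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ClientId}:{ClientSecret}"));
        // client_secret_basic: listed under token_endpoint_auth_methods_supported in the discovery document
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        req.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = RedirectUri, // must equal the redirect_uri sent to /authorize
        });
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode(); // throws on invalid_grant/invalid_client instead of returning a null token
        return JsonSerializer.Deserialize<OktaToken>(await resp.Content.ReadAsStringAsync());
    }
    // Fetches the profile claims (sub, name, email, ...) for the sample page using the access token.
    public async Task<Dictionary<string, JsonElement>> GetUserInfoAsync(string accessToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, Issuer + "/v1/userinfo");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(await resp.Content.ReadAsStringAsync());
    }
}
```

Check the state parameter on the callback before calling GetTokenAsync, and validate the id_token (signature against jwks_uri, iss, aud, exp) before trusting its claims. A refresh_token is only returned when the /authorize request asked for the offline_access scope listed in scopes_supported.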

I understand the above, but what is the best way to authenticate with Okta via LDAP login?

Scenario: the user logs in via LDAP in the system; after logging in, they hit the application URL, and then the application authenticates the user with Okta at the backend with OIDC and shows the main application in front of the user.

Thanks !!!

Okta supports delegated authentication for LDAP. If you set that up, a user can log in using his LDAP credentials from the Okta login screen and he will be authenticated. No fancy setup needed; the flow works exactly the same as a normal login, but behind the scenes Okta will check the credentials with LDAP.

https://help.okta.com/en/prod/Content/Topics/Security/Security_Authentication.htm

Ok, the information given is very useful.

But forget all the things; first of all, just focus on our "client" application.

I only need to display the user information which is obtained in the "access token" after authorization.

As per your comment below:
"The cool thing is that you can start using claim-based protection. This also ensures you have SSO. Once you have an Okta session, Okta will keep sending you access tokens so the user is not prompted with a login screen every time."

I also want the user not to be prompted with the Okta login page again and again.

Just help me with that part only!

@Ironhide, please share the updated code that displays the userinfo on the sample page.

Do the changes in the same "client" code.

Please share today, because it's urgent for me.
Thanks!!!