Okta on Ruby on Rails application

Hello all,

We have implemented a full flow with Okta on a Ruby on Rails app using the Devise and omniauth-okta gems.

It worked perfectly fine, until we had to change it to allow multi-tenancy.

Since Okta uses a set of credentials for every app, we need to know those credentials when going to the Okta SSO. This is an issue, because the omniauth-okta gem describes using an initialiser that is static. We have circumvented that, and we can get the right set of credentials going to Okta, but in return, we get no user information or any useful information, indeed.

Is there any possible way of knowing which user has logged in with the URL params state and code?

Hello,

I am not familiar with this library.
In general, a backend server, when it generates an authorize URL to redirect the client to, will generate a unique state value and save this value with any needed stateful information about the current client.

After the client authenticates against the OAuth provider (Okta) and redirects back to the app, the server will match this state value with one it saved before, or reject if the state value is unknown.

My guess is the library is expecting to only work with a single provider, therefore when a browser redirects back with state/code there is no way to know which provider to make the /token call to?

If the above is true, then when the state value is generated and the authorize request URL is created, your backend should save which provider it is using, so when the client redirects back it knows which token endpoint to exchange the code for and with which credentials.
This most likely means you need to make modifications to the library.

Another alternative which should work would be to do an implicit flow, if the library allows it. This way, on redirect back to the server, in addition to code/state there would be either the id/access token, which could be decoded to see which provider this request came from.
Implicit flows are considered less secure, however!

Thank You,
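
The state handling described in the answer above, sketched in Ruby as an added example (not code from the thread or from the omniauth-okta gem). The tenant names, URLs, credentials and the `PendingAuthStore` class are constructed for illustration; in a Rails app the pending entry would normally live in the user's session or a server-side cache rather than in memory.

```ruby
require "securerandom"
require "uri"

# Constructed per-tenant settings; real values come from each tenant's Okta app.
TENANTS = {
  "acme"   => { client_id: "acme-client-id", client_secret: "acme-secret",
                authorize_url: "https://acme.example/oauth2/v1/authorize",
                token_url:     "https://acme.example/oauth2/v1/token" },
  "globex" => { client_id: "globex-client-id", client_secret: "globex-secret",
                authorize_url: "https://globex.example/oauth2/v1/authorize",
                token_url:     "https://globex.example/oauth2/v1/token" }
}.freeze

# Hypothetical store: maps each issued state value to the tenant it was issued for.
class PendingAuthStore
  TTL = 600 # seconds a pending login stays valid

  def initialize(clock: -> { Time.now.to_i })
    @pending = {}
    @clock = clock
  end

  # Called when building the redirect to Okta: remembers which tenant owns this state.
  def authorize_url_for(tenant_key, redirect_uri)
    tenant = TENANTS.fetch(tenant_key)
    state = SecureRandom.urlsafe_base64(32)
    @pending[state] = { tenant: tenant_key, expires_at: @clock.call + TTL }
    query = URI.encode_www_form(response_type: "code", client_id: tenant[:client_id],
                                redirect_uri: redirect_uri, scope: "openid profile email", state: state)
    "#{tenant[:authorize_url]}?#{query}"
  end

  # Called on the callback: returns the tenant config to use for the /token call,
  # or nil when the state is unknown, already used, or expired (reject the request).
  def consume(state)
    entry = @pending.delete(state.to_s) # one-time use: a replayed state finds nothing
    return nil if entry.nil? || entry[:expires_at] < @clock.call
    TENANTS.fetch(entry[:tenant]).merge(tenant: entry[:tenant])
  end
end
```

The callback handler calls `consume(params[:state])` first and only exchanges the `code` at the returned `token_url` with that tenant's client credentials; the user information then comes from the token response, not from the URL parameters.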