Replace ADFS with Okta

fredfrag · March 9, 2021, 5:52pm

Hi All

over Christmas I took our existing company app .net MVC, removed ADFS authentication and added Okta in a development environment. After a bit of playing with web.config it was working.

Today I picked the project back up to move to UAT testing and it wont work in the development environment. The error is Response status code does not indicate success: 401 (Unauthorized).

After a couple of days testing and trying several samples like okta-aspnet-mvc-example i’m at a lost as to what the issue is.

I have read about an authorisation server which defaults to “default” but I cannot find that in the Okta admin console.

I’m at a loss at the moment and welcome any suggestions

kind regards

Paul

warren · March 9, 2021, 7:50pm

It looks like the sample assumes you are using a developer preview org with a custom authorization server named “default”.

github.com

oktadeveloper/okta-aspnet-mvc-example/blob/master/OktaAspNetExample/Web.config#L16


<configuration>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    
    <!-- 1. Replace these values with your Okta configuration -->
    <add key="okta:ClientId" value="{clientId}" />
    <add key="okta:ClientSecret" value="{clientSecret}" />
    <add key="okta:OrgUri" value="https://{yourOktaDomain}.com/oauth2/default" />
    
    <!-- 2. Update the Okta application with these values -->
    <add key="okta:RedirectUri" value="http://localhost:8080/authorization-code/callback" />
    <add key="okta:PostLogoutRedirectUri" value="http://localhost:8080/Account/PostLogout" />
    
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />
    <httpModules>

https://developer.okta.com/docs/concepts/auth-servers/#default-custom-authorization-server

If you paste the discovery endpoint in the browser (https://${yourOktaDomain}/oauth2/default/.well-known/openid-configuration, do you see a json payload with an issuer value or do you see an error such as "You do not have permission to access the feature you are requesting"?

fredfrag · March 9, 2021, 8:57pm

Hi Warren

result was

{“errorCode”:“E0000015”,“errorSummary”:“You do not have permission to access the feature you are requesting”,“errorLink”:“E0000015”,“errorId”:“oaeETas7wFYT3mnlYhhzoYhoQ”,“errorCauses”:}

warren · March 9, 2021, 9:56pm

It sounds like the API Access Management feature might have been disabled on your developer preview org. You might want to open a support ticket with Okta to confirm that.

Alternatively, you could try to modify the “okta:OrgUri” to your Okta org url without the /oauth2/default and see if the code would work with the org authorization server.

fredfrag · March 10, 2021, 5:47pm

Hi

so it turns out that the trial account has authorisation server enabled. Therefore my code worked due to a feature that is now NOT enabled on the live production okta account.

And to top it off you have to pay more money for that feature. Lost for Words!