'Sign up with google' button redirecting to Okta sign in page

Hi all,

Looking for some help with the implementation of a ‘sign up with Google’ button. Currently, we have an Angular application hooked up to a Spring Boot application that is set up with Okta as an OAuth client.

We have an Okta-hosted sign-in page that allows us to sign into Okta using Okta creds. We also have a ‘Sign in with Google’ button on the Okta-hosted sign-in page.

Additionally, we have created a custom signup/registration page for users built in Angular. This sign-up page contains a ‘Sign up with Google’ button that will log the user in using our configured Google IdP and, if the user does not already exist, we have JIT set up to create the user in Okta.

Here is the problem…

Using the Okta-provided authorization and callback URLs for the IdP, I am successfully redirected to Google to choose an account, but when I am redirected to the callback URL at Okta, I just keep getting 400 Bad Request stating: Social transaction expired. IDP unknown access_denied. URI (https://testsite.okta.com/oauth2/v1/authorize/callback)

Instead of using the Okta callback URL, I have tried using the login redirect URI specified by Spring Boot (http://localhost:8080/login/oauth2/code/okta), but when we are redirected there, we are shown the error Reason: [authorization_request_not_found]. This is due to the initial authorization request (http://localhost:8080/oauth2/authorization/okta) not happening prior to the Okta authorization URL being invoked.

Not sure how to proceed here…

Hello,

  1. First question is: when a user downloads the Angular application from your Spring Boot app (assuming this is where it is downloaded from), if a user chooses to sign in to Okta, I assume they are redirected to the Okta-hosted login page, not a self-hosted login page from the Angular application?
  2. If the above is true, does the Angular application make a call to your Spring app, your Spring app then redirects the browser to /authorize into Okta, and after auth Okta redirects the browser back to Spring to handle the tokens?
  3. Assuming the above is also true, then you might try setting up the register page to do the same thing when a user chooses sign in with Google. The only difference would be when the Spring app generates the /authorize call, have it add the parameter idp, which would contain your Google IdP id from Okta. This should /authorize the user into Okta, Okta redirects to Google, auth with Google, back to Okta where the user is JIT-created, back to your Spring app where it gets the tokens and the user is logged in. See authorization parameters.

Hi Erik,

Thank you so much for the incredible insight. Your intuition was 100% correct. For others who may come across this post, the issue has been resolved by creating a custom OAuth2AuthorizationRequestResolver in Spring that adds the idp query parameter when redirecting to Okta.

  1. We are using the Okta hosted login page, but registration is a fully custom experience (Not using self service registration).

  2. Our Angular app does make an authorization call to our Spring app to authenticate a user against Okta.

  3. Just a note here. I wish the docs were a bit more clear on an approach like this. You can choose Spring/Angular when looking through Okta documentation. I just wish the documentation continued past testing the external IdP using the Okta-provided URLs.

Really appreciate the help here! Thank you!
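The resolver described in the reply above, as an added example that is not code from the original thread or from Okta or Spring: it wraps Spring Security's DefaultOAuth2AuthorizationRequestResolver and appends Okta's idp parameter when the registration page starts the login via /oauth2/authorization/okta?idp=google. It assumes Spring Boot 2.x (javax.servlet) and a hypothetical allowlist mapping the short name "google" to the Okta IdP id, which is a placeholder here.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Delegates to Spring's default resolver (which generates state/PKCE and stores
 * the request for the callback) and adds Okta's "idp" parameter on demand.
 */
public class IdpAwareAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

    // Placeholder value: replace with the Google IdP id shown in the Okta admin console.
    private static final Map<String, String> ALLOWED_IDPS = Map.of("google", "<OKTA_GOOGLE_IDP_ID>");

    private final OAuth2AuthorizationRequestResolver delegate;

    public IdpAwareAuthorizationRequestResolver(ClientRegistrationRepository repo) {
        // Same base URI Spring uses by default: /oauth2/authorization/{registrationId}
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(repo, "/oauth2/authorization");
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return addIdp(request, delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return addIdp(request, delegate.resolve(request, clientRegistrationId));
    }

    private OAuth2AuthorizationRequest addIdp(HttpServletRequest request, OAuth2AuthorizationRequest authRequest) {
        if (authRequest == null) {
            return null; // not a /oauth2/authorization/* request, nothing to do
        }
        // Only forward allowlisted values: the browser must not be able to steer
        // the /authorize call to an arbitrary IdP id.
        String idpId = ALLOWED_IDPS.get(request.getParameter("idp"));
        if (idpId == null) {
            return authRequest; // plain Okta-hosted sign-in, request left unchanged
        }
        Map<String, Object> extra = new HashMap<>(authRequest.getAdditionalParameters());
        extra.put("idp", idpId);
        // state and PKCE from the delegate are preserved, so the callback still matches
        return OAuth2AuthorizationRequest.from(authRequest).additionalParameters(extra).build();
    }
}
```

Register it in the security configuration with http.oauth2Login(o -> o.authorizationEndpoint(e -> e.authorizationRequestResolver(resolver))); because the flow still starts at Spring's own endpoint, the callback at /login/oauth2/code/okta finds the stored authorization request and the authorization_request_not_found error from the question no longer occurs.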

