I have an API written in .NET that uses Swagger to test the API. Once the API is loaded, if I click on the Authorize button, it shows the following config:
Now if I select to log in using email and code, it redirects to my API just fine after authentication. But when I choose my Google IdP it only ever redirects me to the Okta dashboard of the user that signed in.
I’ve done some experiments and discovered that if I use the following URL to test the connection:
It accurately loads the google account login, and when I authenticate it redirects me properly.
However, when I go through swagger, and then I select “Sign in with Google” it brings me to:
https://okta-devok12.okta.com/sso/idps/****** and when I authenticate it drops me at my user’s Okta account dashboard instead of navigating to the redirect_uri passed from Swagger.
Can you clarify what exactly your application is doing that results in the user using a “Sign in with Google” button? Does your application have an embedded widget that is being used to handle authentication?
If you’re not using an embedded widget, is your application just designed to redirect to Okta via an /authorize request? If so, can you share what this /authorize request looks like (I assume it does not have an idp parameter being passed)?
The base authorization URL is: https://dev-[masked].okta.com/oauth2/default/v1/authorize (I masked the subdomain for this thread)
The URL it sends me to is:
https://dev-[masked].okta.com/oauth2/default/v1/authorize?response_type=code&client_id=[masked]&redirect_uri=https%3A%2F%2Flocalhost%3A7151%2Fswagger%2Foauth2-redirect.html&scope=openid&state=TW9uIE1heSAxMyAyMDI0IDE0OjQ1OjU1IEdNVC0wMzAwIChBdGxhbnRpYyBEYXlsaWdodCBUaW1lKQ%3D%3D&realm=https%3A%2F%2Fdev-[masked].okta.com&code_challenge=KvDC4CmYXo_FQv_knJh4IzBt9EcCKQW8v7kcOBmrRdI&code_challenge_method=S256&nonce=nonce
Hmm, routing through the Okta Hosted Login experience should ensure that users are routed back to the target application (via the redirect_uri).
And this redirect back to the dashboard happens every time any Federated (logging in through an external Identity Provider) user logs into your application?
If you instead make a manual /authorize request (instead of having your swagger app generate the URL), do you see the same behavior?
If I use the above URL, it directs any user to their Okta dashboard.
If I generate it using the steps indicated in your documentation:
https://dev-[masked].okta.com/oauth2/v1/authorize?client_id=[masked]&response_type=id_token&response_mode=fragment&scope=openid%20email&redirect_uri=https%3A%2F%2Flocalhost%3A7151%2Fswagger%2Foauth2-redirect.html&state=WM6D&nonce=YsG76jo
I get the same behavior (redirected to the Okta dashboard).
If I include idp=0oa9adyj3vyqRoaAf5d7, then it forces me to use Google to authenticate (not the behavior I want, I’d like to have the option), BUT it does redirect me to my site properly.
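As an added illustration that is not part of this thread (the org subdomain, client_id and IdP id are placeholders), the following builds the same authorization-code + PKCE request that Swagger generates, keeps the `idp` parameter optional, and checks `state` on the way back so a callback that lands somewhere other than the registered redirect_uri is rejected rather than silently accepted:

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values: the real subdomain and client_id are masked in the thread.
ISSUER = "https://dev-[masked].okta.com/oauth2/default"
CLIENT_ID = "[masked-client-id]"
REDIRECT_URI = "https://localhost:7151/swagger/oauth2-redirect.html"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(64)[:128]
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(code_challenge: str, state: str, nonce: str,
                        idp: Optional[str] = None) -> str:
    """Authorization-code + PKCE request like Swagger's; idp is optional."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "nonce": nonce,
    }
    if idp:
        params["idp"] = idp  # pins the login to one identity provider (no chooser)
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback did not land on the registered redirect_uri")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response belongs to a different request")
    if "code" not in qs:
        raise ValueError("no code in callback: " + qs.get("error", ["unknown"])[0])
    return qs["code"][0]
```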