"/well-known/" - not present on our production Okta?

Hi

I am trying some of the oauth examples, and all works with my developer account, but when moving it to our production, all Okta libs fail when calling: 'https://xxxx.okta.com/oauth2/default/.well-known/xxxx' (404 without /default)

I basically just want to use Okta authenticate with my app - we have lots of other integrations using Okta.

Errors:

{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"xxxxxxxxxxxxxxxxxxxxxxx","errorCauses":}

Using the Golang example, it crashes like this:

2020/12/07 13:22:09 http2: panic serving 10.45.32.235:50128: interface conversion: interface {} is nil, not string
goroutine 55 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc000300018, 0xc0001bff8e, 0xc000102a80)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/h2_bundle.go:5713 +0x16b
panic(0x1431f80, 0xc0003030b0)
/usr/local/Cellar/go/1.14.6/libexec/src/runtime/panic.go:969 +0x166

Any clues?

Thanks
Felix

You most likely do not have a “Default” custom authorization server to use, which you can confirm if you try to go to that same well-known URL in browser. If you see an error saying “You do not have permission to access the feature you are requesting,” then you will not be able to use the Default server, as you do not have a license (API Access Management) that grants you the ability to use Default or other custom authorization servers.

If you are working on an authentication use case, you can instead try to see if the built-in Org Authorization server (available without the extra API Access Management license) will work for your application. Your metadata endpoint will instead be https://xxxx.okta.com/.well-known/openid-configuration.

Note that there are limitations around what you can do with the Org Authorization server versus a custom one. See this article for more details about the difference between the two types of server and this article about why you may need to use a custom server.

Hi

Thanks a lot, when running the golang okta sample, it has issues 🙂

It does redirect the login to Okta and when it runs the callback, it redirects a few times and ends up with this dump:

2020/12/07 23:13:50 Environment Variable file (.env) is not present. Relying on Global Environment Variables

2020/12/07 23:15:09 http2: panic serving 10.0.0.224:51230: interface conversion: interface {} is nil, not string
goroutine 28 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc0001325e8, 0xc000183f8e, 0xc000102f00)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/h2_bundle.go:5713 +0x16b
panic(0x1432000, 0xc000217230)
/usr/local/Cellar/go/1.14.6/libexec/src/runtime/panic.go:969 +0x166
github.com/okta/okta-jwt-verifier-golang.(*JwtVerifier).decodeJwt(0xc000183b28, 0xc0004b3680, 0x411, 0x14a2901, 0x0, 0x0, 0x0)
/Users/felixn/go/src/github.com/okta/okta-jwt-verifier-golang/jwtverifier.go:132 +0x1e4
github.com/okta/okta-jwt-verifier-golang.(*JwtVerifier).VerifyIdToken(0xc000183b28, 0xc0004b3680, 0x411, 0x185b860, 0xc00013c878, 0x0)
/Users/felixn/go/src/github.com/okta/okta-jwt-verifier-golang/jwtverifier.go:147 +0x9a
main.verifyToken(0xc0004b3680, 0x411, 0x14b06ad, 0x1f, 0xc0004961e0)
/Users/felixn/git/iit-applications/it/auth-okta-paloalto/samples-golang/okta-hosted-login/main.go:215 +0x1d6
main.AuthCodeCallbackHandler(0x1549b80, 0xc0001325e8, 0xc00019a900)
/Users/felixn/git/iit-applications/it/auth-okta-paloalto/samples-golang/okta-hosted-login/main.go:98 +0x290
net/http.HandlerFunc.ServeHTTP(0x14c4d20, 0x1549b80, 0xc0001325e8, 0xc00019a900)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/server.go:2041 +0x44
net/http.(*ServeMux).ServeHTTP(0x182fe60, 0x1549b80, 0xc0001325e8, 0xc00019a900)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/server.go:2416 +0x1a5
net/http.serverHandler.ServeHTTP(0xc00017e1c0, 0x1549b80, 0xc0001325e8, 0xc00019a900)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/server.go:2836 +0xa3
net/http.initALPNRequest.ServeHTTP(0x154adc0, 0xc0001aa690, 0xc00017d180, 0xc00017e1c0, 0x1549b80, 0xc0001325e8, 0xc00019a900)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/server.go:3410 +0x8d
net/http.(*http2serverConn).runHandler(0xc000102f00, 0xc0001325e8, 0xc00019a900, 0xc0001e0120)
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/h2_bundle.go:5720 +0x8b
created by net/http.(*http2serverConn).processHeaders
/usr/local/Cellar/go/1.14.6/libexec/src/net/http/h2_bundle.go:5454 +0x4e1

token is not valid: you must provide a jwt to verify

Felix

If you are using the org authorization server, then you might be running into the issue described in this article where you can’t validate the token locally. https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token

If possible, I recommend testing with an Okta developer org which will give you a custom authorization server.
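The panic in the trace above, "interface conversion: interface {} is nil, not string", is what a one-value type assertion produces when a map key is absent or nil, and it fires inside an HTTP handler, so the whole request dies instead of returning an error. The following Go program is an added example, not code from the thread, from Okta's samples-golang or from okta-jwt-verifier-golang: it shows the fragile extraction next to a fail-closed one, and a shape check that tells a compact JWT apart from the opaque access tokens the Org Authorization Server issues (which is why they cannot be validated locally, as the linked article explains). The token response and the token segments are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// tokenResponse mirrors the JSON the /token endpoint returns, decoded loosely
// into a map; a missing "id_token" then shows up as a nil interface{}.
type tokenResponse map[string]interface{}

// unsafeIDToken reproduces the failure mode in the trace: a one-value type
// assertion on a missing key panics with
// "interface conversion: interface {} is nil, not string".
func unsafeIDToken(tr tokenResponse) string {
	return tr["id_token"].(string)
}

// IDToken is the fail-closed version: a missing or non-string id_token becomes
// an error the handler can log and turn into a 4xx/5xx, not a panic.
func IDToken(tr tokenResponse) (string, error) {
	v, present := tr["id_token"]
	if !present || v == nil {
		// A token-endpoint error body has "error" instead of tokens; surface it.
		if e, _ := tr["error"].(string); e != "" {
			return "", fmt.Errorf("token endpoint returned error %q: %v", e, tr["error_description"])
		}
		// An ID token is only issued when the request carried scope=openid.
		return "", errors.New("token response has no id_token; check the requested scopes")
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("id_token has unexpected type %T", v)
	}
	return s, nil
}

// LooksLikeJWT checks the compact JWS shape (three base64url segments) before
// a token is handed to a verifier. Org Authorization Server access tokens are
// opaque and fail this check; they have to be checked remotely via /introspect.
// Passing the shape check says nothing about validity: the signature, issuer,
// audience and expiry still have to be verified.
func LooksLikeJWT(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts[:2] {
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil || p == "" {
			return false
		}
	}
	return parts[2] != ""
}

// Recovered runs f and reports whether it panicked; it exists only to contrast
// the two extraction functions.
func Recovered(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed token-endpoint error body with no id_token at all.
	resp := tokenResponse{
		"error":             "invalid_grant",
		"error_description": "The authorization code is invalid or has expired.",
	}
	fmt.Println("one-value assertion panics:", Recovered(func() { unsafeIDToken(resp) }))
	if _, err := IDToken(resp); err != nil {
		fmt.Println("fail closed:", err)
	}
	fmt.Println("opaque token looks like a JWT:", LooksLikeJWT("opaque-access-token"))
}
```

The same comma-ok pattern applies to every field pulled out of a decoded token or claims map; the one place it must not be skipped is a request handler, where a panic takes the connection down with it.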

Hi Felix,

Do you have the API Access Management feature activated in your production Org?
The feature is enabled out of the box in Okta Dev instances but not in paid-for production tenants.

Also realize that the "default" auth server is just the name of the pre-configured custom authorization server and may or may not exist in your Okta tenant. Either it doesn't exist because you don't have the API Access Management feature, it was renamed or deleted, or it is only assigned to specific clients and not the client you are testing with.

Unless you need custom scopes or claims, I'd recommend using the Okta Org Auth Server rather than the default custom auth server. It is included in the basic Okta license and is not an additional feature like custom auth servers, which are a part of the API Access Management feature. In other words, using the Okta Org Auth server doesn't cost anything while using the "default" server costs additional user licenses.

You can get the metadata for the Org Auth server with this URL
https://{{envUrl}}.okta.com/.well-known/oauth-authorization-server

Or get specific details for your client app with
https://{{envUrl}}.okta.com/.well-known/oauth-authorization-server?client_id={{clientId}}

Same thing for OIDC; just substitute "oauth-authorization-server" with "openid-configuration".

Take a look at this article.
https://support.okta.com/help/s/article/Difference-Between-Okta-as-An-Authorization-Server-vs-Custom-Authorization-Server?language=en_US

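The first answer suggests opening the well-known URL in a browser to tell the cases apart, and this answer lists the URL shapes for the Org Authorization Server and a custom server. The Go program below is an added example that does the same check from code; it is not from the thread, from Okta's samples or from any Okta library. It builds the metadata URL for either server type (with the optional client_id parameter), fetches it, and classifies the reply as usable metadata, a 404 (no server at that path), or the E0000015 body quoted in the original post (custom servers need API Access Management). The org name example-org and the JSON bodies in the test are constructed placeholders; the probe only reads the public metadata endpoints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// DiscoveryKind classifies what an Okta .well-known probe came back with.
type DiscoveryKind int

const (
	DiscoveryOK             DiscoveryKind = iota // metadata returned with an issuer
	DiscoveryNotFound                            // 404: no authorization server at that path
	DiscoveryFeatureMissing                      // E0000015: custom servers need API Access Management
	DiscoveryOther                               // anything else (5xx, malformed body, ...)
)

// MetadataURL builds the metadata URL for the Org Authorization Server
// (serverID == "") or a custom server such as "default". doc is
// "openid-configuration" or "oauth-authorization-server"; clientID is optional
// and, when set, asks for the metadata as seen by that client.
func MetadataURL(org, serverID, doc, clientID string) string {
	base := "https://" + org + ".okta.com"
	if serverID != "" {
		base += "/oauth2/" + url.PathEscape(serverID)
	}
	u := base + "/.well-known/" + doc
	if clientID != "" {
		u += "?client_id=" + url.QueryEscape(clientID)
	}
	return u
}

// Classify inspects the status code and body of a metadata response and
// returns a kind plus a short operator-facing hint.
func Classify(status int, body []byte) (DiscoveryKind, string) {
	if status == http.StatusNotFound {
		return DiscoveryNotFound, "no authorization server at that path; check the server ID or use the Org Authorization Server"
	}
	var payload map[string]interface{}
	if err := json.Unmarshal(body, &payload); err != nil {
		return DiscoveryOther, fmt.Sprintf("HTTP %d with non-JSON body", status)
	}
	// Okta returns this error code when the org lacks the feature behind the endpoint.
	if code, _ := payload["errorCode"].(string); code == "E0000015" {
		return DiscoveryFeatureMissing, "custom authorization servers require the API Access Management feature; this org does not have it"
	}
	if status == http.StatusOK {
		if issuer, ok := payload["issuer"].(string); ok && issuer != "" {
			return DiscoveryOK, "issuer " + issuer
		}
	}
	return DiscoveryOther, fmt.Sprintf("HTTP %d: %s", status, strings.TrimSpace(string(body)))
}

// Probe fetches a metadata URL with the given client and classifies the result.
func Probe(client *http.Client, metadataURL string) (DiscoveryKind, string, error) {
	resp, err := client.Get(metadataURL)
	if err != nil {
		return DiscoveryOther, "", err
	}
	defer resp.Body.Close()
	// Cap the body: metadata documents are small, and this keeps a bad
	// endpoint from feeding us an unbounded response.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return DiscoveryOther, "", err
	}
	kind, hint := Classify(resp.StatusCode, body)
	return kind, hint, nil
}

func main() {
	// example-org is a placeholder; substitute your own tenant name.
	for _, server := range []string{"", "default"} {
		u := MetadataURL("example-org", server, "openid-configuration", "")
		kind, hint, err := Probe(http.DefaultClient, u)
		fmt.Printf("%s\n  kind=%d hint=%q err=%v\n", u, kind, hint, err)
	}
}
```

Running it against a tenant that only has the Org Authorization Server prints DiscoveryOK for the first URL and DiscoveryFeatureMissing for the /oauth2/default one, which is exactly the split the original post hit between the developer org and production.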