Netflix / dispatch

All of the ad-hoc things you're doing to manage incidents today, done for you, and much more!
Apache License 2.0

okta/sso not working in new version #2760

Closed manireddyk closed 1 year ago

manireddyk commented 1 year ago

I have created a new dispatch app using the new version with the proper vue_sso info. When I open the URL, instead of redirecting to the Okta website, it either directly opens the login page or directly logs into the dispatch app with no user.

Later I tried with aug-img, and it worked fine. I feel something happened in the okta/sso code; can you check once?

manireddyk commented 1 year ago

@mvilanova @kevgliss any thoughts on this issue? I checked the previous version and had the same issue. I also tried a few commits but couldn't find the correct one.

kevgliss commented 1 year ago

A few thoughts:

What is aug-img? Are there any console errors?

We did recently have to make some SSO changes due to the way our internal SSO provider works. It's likely related to that but I need some more info on what variables you're setting and how you are setting them.

kevgliss commented 1 year ago

Here is the relevant PR:

https://github.com/Netflix/dispatch/pull/2732/files

Note that envvars need to be prefixed with VITE_ instead of VUE_ now.

manireddyk commented 1 year ago

Thanks @kevgliss for your reply. As you suggested, I tried the variable names, but it is still not working.

ip: https://34.100.238.151/ redirects to the login page again, not to okta.

These are my .env okta conf:

```
DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce
DISPATCH_JWT_AUDIENCE=0oa7l4rzw1T3eexCl5
DISPATCH_PKCE_DONT_VERIFY_AT_HASH=true
DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWKS=https://dev-7448439.okta.com/oauth2/v1/keys
DISPATCH_AUTHENTICATION_PROVIDER_PKCE_CLIENT_ID=0oa7l4rzw1T3eexCl5
VITE_DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce
VITE_DISPATCH_OPEN_ID_CONNECT_URL=https://dev-7448439.okta.com
VITE_DISPATCH_CLIENT_ID=0oa7l4rzw1T3eexCl5
VITE_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_CLIENT_ID=0oa7l4rzw1T3eexCl5
VITE_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL=https://dev-7448439.okta.com/
```

manireddyk commented 1 year ago

@kevgliss I tried passing them during the build as well and got the same error.

manireddyk commented 1 year ago

I have doubts about the last 3 values; what values should I provide in these variables?

```
VITE_SENTRY_APP_KEY
VITE_SENTRY_DSN
VITE_SENTRY_ENABLED
VITE_SENTRY_TAGS
_DATABASE_CREDENTIAL_PASSWORD XYZ
_DATABASE_CREDENTIAL_USER postgres
_QUOTED_DATABASE_PASSWORD XYZ
```

dispatch server config values


kevgliss commented 1 year ago

It looks like the server is responding with 500 errors. Are there any more logs that you can provide? There should be exceptions related to those 500s that should provide more context.

manireddyk commented 1 year ago

I'm getting only these from dispatch-server. Are there any conf values I'm missing in the above context?


kevgliss commented 1 year ago

So I took your settings and saw the redirect asking me to log in.

To double-check, are you setting the variables with an = in there somewhere? e.g. DISPATCH_AUTHENTICATION_PROVIDER_SLUG=dispatch-auth-provider-pkce. From your example, the variables weren't formatted correctly.

manireddyk commented 1 year ago

@kevgliss may I know which URL you're using in order to redirect to Okta? If I just use https://34.100.238.151/ I'm not getting redirected. Can you please share the URL once? Are you adding any suffix? Below is my .env file.

kevgliss commented 1 year ago

I requested access to the test application configuration in okta.

kevgliss commented 1 year ago

I'm not sure... this is what I see when I login... I think I need to be able to set the redirect URIs to my local dev instance.

manireddyk commented 1 year ago

@kevgliss yes, you're correct. Just click on Admin panel -> Applications -> select dispatch-app -> change the IP; added in this image for your reference.

kevgliss commented 1 year ago

Unfortunately, I can't recreate your issue. Using your settings and that okta user, I did the following in an attempt to recreate it:

I then navigated to http://localhost:8080 and made sure I cleared all application data (a new incognito window also works).

I was redirected to okta and provided the above test user credentials, and I was then correctly redirected back to the default /incidents endpoint.

I would make sure you are clearing application data (or using an incognito window) in case some setting is still cached.

Regarding your question about DISPATCH_UI_URL: this URL is not used by the authentication providers and is only used to generate valid links within Slack and email messaging.

manireddyk commented 1 year ago

@kevgliss Thank you so much for spending your time fixing this issue. Unfortunately, I am still getting the same issue. I have created a new server and did the same:

- cloning the repo: git clone https://github.com/Netflix/dispatch-docker.git
- creating the .env file with these values: https://github.com/manireddyk/dispatchconfig/blob/main/env-values
- configuring nginx to redirect https to http://127.0.0.1:8000
- changing the IP in the okta URL to https://34.125.190.222/

Just need one help: yesterday, how were you able to redirect with my server IP? Is it automatically redirecting to https://34.125.190.222/ or are you adding some suffix like /xyz?

Can you please share once how you got the below screen?


https://34.125.190.222/

kevgliss commented 1 year ago

I see; I didn't realize I had access to that URL. How are you building this app before it's deployed? It looks like the PKCE provider is not being enabled, so I think something is wrong with your build process and it is not taking the VITE_ variables into account. By default, we fall back to basic auth on the frontend if no other providers are provided.

kevgliss commented 1 year ago

One tip: make sure your .env is available when you run npm build. This can be done a variety of ways, but the simplest is to make sure that .env is in the root of the frontend project, e.g. cp .env src/dispatch/static/dispatch/.env before you build it.
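
A pre-build check for the two failure modes in this thread (variables not written as KEY=VALUE, and .env not present in the frontend root when the Vite build runs, so the UI silently falls back to basic auth), added here as an example and not part of Dispatch; the frontend path, the required-key list and the `npm run build` command are assumptions drawn from this thread:

```shell
#!/bin/sh
# Added example (not Dispatch code): validate the frontend .env before the
# Vite build so a misformatted or missing VITE_ variable fails loudly instead
# of producing a build with the PKCE provider disabled.
# Assumptions: frontend root path and required keys come from this thread.

FRONTEND_DIR="${FRONTEND_DIR:-src/dispatch/static/dispatch}"
REQUIRED_VITE_KEYS="VITE_DISPATCH_AUTHENTICATION_PROVIDER_SLUG
VITE_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_CLIENT_ID
VITE_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL"

# check_env_file FILE: returns 0 if every required key is present exactly as
# KEY=<non-empty value>; returns 1 and reports each problem on stderr otherwise.
check_env_file() {
  file="$1"; rc=0
  [ -f "$file" ] || { echo "missing env file: $file" >&2; return 1; }
  for key in $REQUIRED_VITE_KEYS; do
    # "KEY VALUE" (no '=') and "KEY=" (empty) are both rejected; the first is
    # the formatting problem raised earlier in this thread.
    if ! grep -Eq "^${key}=[^[:space:]]+" "$file"; then
      echo "bad or missing: $key (expected ${key}=<value>)" >&2; rc=1
    fi
  done
  # Leftover VUE_ prefixes are ignored by Vite at build time; flag them too.
  if grep -Eq '^VUE_' "$file"; then
    echo "VUE_* variables found; only VITE_* are read by the build" >&2; rc=1
  fi
  return $rc
}

# Usage: `sh preflight.sh run` copies the shared .env into the frontend root,
# validates it, and only then builds (assumed command: npm run build).
if [ "${1:-}" = "run" ]; then
  cp .env "$FRONTEND_DIR/.env"
  check_env_file "$FRONTEND_DIR/.env" && (cd "$FRONTEND_DIR" && npm run build)
fi
```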

manireddyk commented 1 year ago

Thanks @kevgliss, the above method worked; I was able to redirect to Okta. Thank you so much for your help resolving this issue.

Maybe the above step (cp .env to dispatch/.env) was missing somewhere in the dispatch app; not sure why it's not getting reflected.