bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

help with scope setting for okta #655

Open sciphilo opened 5 years ago

sciphilo commented 5 years ago

Are there any examples of this working with Okta? I have managed to get part way there, but it moans about scopes:

'error redeeming code missing email'

```
./oauth2_proxy --upstream=http://localhost:9999/ -client-id=XXX -client-secret=ZZZ -cookie-secret=YYY -email-domain=ZZZ.com \
  -set-xauthrequest \
  -login-url=https://dev-XXX.oktapreview.com/oauth2/default/v1/authorize \
  -profile-url=https://dev-XXX.oktapreview.com/oauth2/default/v1/userinfo \
  -redirect-url=https://MYPLACE.com \
  -provider okta -redirect-url=https://MYPLACE.com/oauth2/callback \
  -validate-url=https://dev-XXX.oktapreview.com/oauth2/default/v1/token \
  -redeem-url=https://dev-XXX.oktapreview.com/oauth2/default/v1/token \
  -scope openid
```

I have this running behind nginx.

I think the issue is passing it `openid email profile` in the -scope, but I am not sure how to do this. I've tried commas, quotes etc.

Any ideas welcome !

(I'm using the pre-built version)

lusoalex commented 5 years ago

Hello,

From my point of view this is currently an issue in oauth2_proxy. Okta (as well as other OpenID providers) expects space-separated scope values. This is a standard feature (https://tools.ietf.org/html/rfc6749#section-3.3).

Currently, oauth2_proxy is encoding the parameters, so if you give as parameter `--scope="openid profile email"` the result will be `openid+profile+email`, where spaces are replaced by `+`; with `--scope="openid%20profile%20email"` the result will be `openid%2520profile%2520email`, where `%` is replaced by `%25`...

In both cases, Okta will not understand the scope parameter generated for the /authorize endpoint.

You can try to add your own provider (okta) or, better, add a parameter to handle this use case, as other providers will face the same issues (ex: Ping Identity).

Regards, Lusoalex.
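As an added example (not code from this thread or from oauth2_proxy itself), the Go snippet below reproduces the two encodings lusoalex describes with the standard library's `url.Values`, and shows the check a practitioner would want: decode the generated `/authorize` URL the way the provider will and look at which scope values actually come out. The tenant URL, client id and the two helper functions are placeholders invented for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// BuildAuthorizeURL assembles an OIDC /authorize request the way a
// url.Values-based client encodes it: every value is escaped exactly once.
// Hypothetical helper for this example, not oauth2_proxy's own code.
func BuildAuthorizeURL(loginURL, clientID, redirectURI, scope string) (string, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope) // a space becomes "+", a literal "%" becomes "%25"
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ScopesSeenByProvider decodes the scope parameter the way the provider
// will and splits it on whitespace (RFC 6749 section 3.3). A scope that was
// pre-encoded by the operator and then encoded again by the client shows
// up here as one bogus value such as "openid%20profile%20email".
func ScopesSeenByProvider(authorizeURL string) ([]string, error) {
	u, err := url.Parse(authorizeURL)
	if err != nil {
		return nil, err
	}
	return strings.Fields(u.Query().Get("scope")), nil
}

func main() {
	// Placeholder tenant and redirect; constructed for this example only.
	const login = "https://dev-EXAMPLE.oktapreview.com/oauth2/default/v1/authorize"
	for _, scope := range []string{"openid profile email", "openid%20profile%20email"} {
		u, _ := BuildAuthorizeURL(login, "client-id", "https://MYPLACE.com/oauth2/callback", scope)
		seen, _ := ScopesSeenByProvider(u)
		fmt.Printf("given %q -> provider sees %q\n", scope, seen)
	}
}
```

The first input yields three scope values after decoding, so a single `+`-encoded space is what a correctly behaving client sends; the second yields one value containing literal `%20`, which is the double-encoding failure mode.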