okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

oidc-middleware does not work with Org Authorization Server #11

Open jjdonov opened 2 years ago

jjdonov commented 2 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

This bug report is related to okta/okta-oidc-js#978 in that both are demonstrating issues when working with Organization Auth Servers and are caused by the same url path issue.

Current behavior

It seems like the oidc-middleware cannot work with Okta Org Auth Servers.

After entering credentials, the request results in a 404 due to bad string concatenation in createLoginHandler when redirecting to the authorization_endpoint.

For Org Auth Servers, the issuer is https://${yourOktaOrg} (note that it doesn't include /oauth2). Making a request to https://${yourOktaOrg}/.well-known/openid-configuration yields

(truncated for brevity)

{
    "issuer": "https://${yourOktaOrg}",
    "authorization_endpoint": "https://${yourOktaOrg}/oauth2/v1/authorize",
}

However, createLoginHandler redirects to https://${yourOktaOrg}/v1/authorize

Expected behavior

That the oidc-middleware work with Okta Org Auth Servers. Perhaps it should use the authorization_endpoint that is returned by /.well-known/openid-configuration rather than doing its own string concatenation.

Minimal reproduction of the problem with instructions

Configure oidc middleware with issuer from organization auth server

Extra information about the use case/user story you are trying to implement

It is a simple use case, trying to integrate an app using oidc with the Organization Auth Server that came with our Okta instance.

Environment
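To make the difference concrete, here is an added example in Node.js (it is not code from okta-oidc-middleware or from the reporter) that contrasts the issuer + "/v1/authorize" concatenation described above with resolving authorization_endpoint from the discovery document. The issuer https://example.okta.com, the two discovery documents and the function names are all constructed for this illustration; the documents are truncated to the fields the example uses, the same way the report truncates the real one. It also shows why the concatenation goes unnoticed with a custom authorization server: there the issuer already ends in /oauth2/default, so the two approaches coincide.

```javascript
// Added example, not the middleware's own code. Discovery documents below are
// constructed samples, not fetched from a live Okta org.

const ORG_ISSUER = 'https://example.okta.com';                   // assumed org AS issuer
const CUSTOM_ISSUER = 'https://example.okta.com/oauth2/default'; // assumed custom AS issuer

// Constructed discovery documents, truncated to the fields used here.
const DISCOVERY = {
  [ORG_ISSUER]: {
    issuer: ORG_ISSUER,
    authorization_endpoint: `${ORG_ISSUER}/oauth2/v1/authorize`,
  },
  [CUSTOM_ISSUER]: {
    issuer: CUSTOM_ISSUER,
    authorization_endpoint: `${CUSTOM_ISSUER}/v1/authorize`,
  },
};

// The pattern the issue describes: derive the authorize URL from the issuer alone.
function authorizeUrlByConcatenation(issuer) {
  return `${issuer}/v1/authorize`;
}

// Resolve the endpoint from discovery instead, with two checks:
//  1. the document's issuer must equal the configured issuer (OIDC Discovery
//     requires this, and it defends against a mis-served document);
//  2. the endpoint must be an https URL on the issuer's host. This is stricter
//     than the spec, but matches Okta's layout and stops a tampered document
//     from sending users to some other origin.
function authorizeUrlFromDiscovery(issuer, doc) {
  if (doc.issuer !== issuer) {
    throw new Error(`issuer mismatch: expected ${issuer}, got ${doc.issuer}`);
  }
  const endpoint = new URL(doc.authorization_endpoint);
  const issuerUrl = new URL(issuer);
  if (endpoint.protocol !== 'https:' || endpoint.host !== issuerUrl.host) {
    throw new Error(`authorization_endpoint ${endpoint.href} is not on issuer host ${issuerUrl.host}`);
  }
  return endpoint.href;
}

// Build the redirect a login handler would issue. Query parameters go through
// URLSearchParams so nothing about the path or query is hand-concatenated.
function buildLoginRedirect(issuer, doc, { clientId, redirectUri, state, nonce }) {
  const url = new URL(authorizeUrlFromDiscovery(issuer, doc));
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    scope: 'openid profile',
    redirect_uri: redirectUri,
    state,
    nonce,
  }).toString();
  return url.href;
}

// Show where concatenation and discovery disagree: only for the org issuer.
for (const issuer of [ORG_ISSUER, CUSTOM_ISSUER]) {
  const concat = authorizeUrlByConcatenation(issuer);
  const discovered = authorizeUrlFromDiscovery(issuer, DISCOVERY[issuer]);
  console.log(`${issuer}\n  concat:    ${concat}\n  discovery: ${discovered}\n  match: ${concat === discovered}`);
}
```

Running it prints a match for the custom authorization server and a mismatch for the org server, which is exactly the 404 path the report describes. The issuer and host checks are the part worth keeping when switching to discovery: once the redirect target comes from a fetched document rather than from configuration, the middleware should verify that document before trusting it.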

shuowu commented 2 years ago

@jjdonov Thanks for reporting the issue!

There is a PR (https://github.com/okta/okta-oidc-js/pull/978) that handles this issue. It will be merged and released soon.

jjdonov commented 2 years ago

@shuowu but they are separate code paths. Unless okta/okta-oidc-js#978 expands the scope of its fix, I don't think it will solve this issue.

shuowu commented 2 years ago

@jjdonov Sorry, linked the wrong PR. I just created an internal ticket for the issue.

Internal Ref: OKTA-437624