Open StefanoSega opened 5 years ago
Just more info about my Okta settings:
Login redirect URIs: http://localhost:8080/authorization-code/callback
Logout redirect URIs: http://localhost:8080/logout/callback, http://localhost:8080
Login initiated by: App Only
Initiate login URI: http://localhost:8080/authorization-code/callback
EDIT: exactly the same issue using v1.0.2 with the custom /logout endpoint
@StefanoSega - sorry for the delay, let me see if we can understand your problem better:
pretty much I need authentication on the whole app ('/' and '/users' paths); when I POST to /logout I get redirected to Okta login (url https://XXX.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=XXX), but once I login I get the error
Are you saying that it works for the first login correctly, but when you logout the subsequent re-login fails?
@swiftone exactly.
I logout and I go to Okta login page, I login and it ends in a white page with the error and url http://localhost:8080/authorization-code/callback?code=XXX&state=XXX
+1
Internal ref: OKTA-256608
I have the same problem +1
Same problem. Any update on this @swiftone?
No updates, but in reaction to your prompt I poked the people that set priorities to have them revisit it. Sorry there's not more info yet.
@StefanoSega Can you try the latest version of oidc-middleware to see if the issue is still reproducible?
I tried both v3 and v4; it looks to me like there is an issue in the SDK that fails to redirect back to the provided loginCallback.afterCallback path after a successful login. I have created a PR to handle this scenario.
Workaround before the new patch release:

Option 1: use a customized `routes.loginCallback.handler` to handle the redirect logic after login. For detailed info, please see Customizing Routes.

Option 2 (not recommended, since it's not documented and is implicitly changed by one of oidc-middleware's dependencies): provide the option `setReturnTo: false` to `oidc.ensureAuthenticated`:

`oidc.ensureAuthenticated({ setReturnTo: false })`
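As an added illustration of why both workarounds above act on the stored return path (this is not oidc-middleware's own code), the following models the guard, the login callback and logout with plain objects instead of Express. It assumes the guard records req.originalUrl in req.session.returnTo unless setReturnTo is false (the behaviour of passport-style ensureLoggedIn helpers); the route names are the ones from this issue and the userContext values are constructed.

```javascript
// Added illustration, not oidc-middleware's own code: models returnTo handling
// behind the two workarounds with plain objects (no Express, no Okta calls).
const LOGOUT_PATHS = ['/logout', '/logout/callback']; // logout routes from the issue
const AFTER_CALLBACK = '/';                           // routes.loginCallback.afterCallback

// ensureAuthenticated-style guard mounted on '/', so it also sees the logout routes.
// Assumption: like passport-style ensureLoggedIn, it stores req.originalUrl in
// req.session.returnTo unless setReturnTo is false.
function ensureAuthenticated(req, { setReturnTo = true } = {}) {
  if (req.session.userContext) return 'next';
  if (setReturnTo) req.session.returnTo = req.originalUrl;
  return 'redirect:/login';
}

// What the issue describes: a stored returnTo wins over afterCallback unconditionally.
const naiveReturnTo = returnTo => returnTo || AFTER_CALLBACK;

// Honour returnTo only if it is a root-relative path outside the logout routes;
// otherwise fall back to afterCallback. Rejecting absolute and '//host' values also
// keeps the post-login redirect from becoming an open redirect.
function safeReturnTo(returnTo) {
  if (typeof returnTo !== 'string' || !returnTo.startsWith('/') || returnTo.startsWith('//')) {
    return AFTER_CALLBACK;
  }
  const path = returnTo.split(/[?#]/)[0];
  const isLogoutRoute = LOGOUT_PATHS.some(p => path === p || path.startsWith(p + '/'));
  return isLogoutRoute ? AFTER_CALLBACK : returnTo;
}

// Candidate routes.loginCallback.handler: consume returnTo once, then redirect.
function loginCallbackHandler(req, userContext, pick = safeReturnTo) {
  const target = pick(req.session.returnTo);
  delete req.session.returnTo;
  req.session.userContext = userContext;
  return 'redirect:' + target;
}

// Logout replaces the whole session, so neither userContext nor returnTo survives.
function logout(req) {
  req.session = {};
  return 'redirect:/login';
}

// Replay the issue's sequence: login on '/', POST /logout, come back from Okta on
// /logout/callback unauthenticated, log in again. Returns the final redirect.
function replay({ setReturnTo = true, pick = safeReturnTo } = {}) {
  const req = { originalUrl: '/', session: {} };
  ensureAuthenticated(req, { setReturnTo });
  loginCallbackHandler(req, { userinfo: { sub: 'constructed-user' } }, pick);
  logout(req);
  req.originalUrl = '/logout/callback';               // browser returns from Okta logout
  ensureAuthenticated(req, { setReturnTo });          // guard records the logout route
  return loginCallbackHandler(req, { userinfo: { sub: 'constructed-user' } }, pick);
}
```

With the naive picker the second login lands on the logout route again; the custom handler and `setReturnTo: false` both end on afterCallback.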
Current behavior
I implemented a very simple auth in my Express app using oidc-middleware.
Pretty much I need authentication on the whole app ('/' and '/users' paths); when I POST to /logout I get redirected to the Okta login (URL https://XXX.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=XXX), but once I login I get the error at URL http://localhost:8080/authorization-code/callback?code=XXX&state=XXX
If I try to remove the root from the URLs that need auth (but that is not really what I want), go to a protected route and logout, I get back to the root but userContext is still valorized, probably due to the session: it doesn't get destroyed when POSTing to /logout. I tried implementing my own /logout-test endpoint, but with no success:
Expected behavior
If the user is not logged in to Okta, every route should redirect me to the Okta login page; once logged in, it should redirect me to the root with userContext valorized, and when then POSTing to /logout it should kick me out to the Okta login page.
Minimal reproduction of the problem with instructions
the first part of the code looks like:
Extra information about the use case/user story you are trying to implement
I want to force login to Okta (if not already logged in) for all the app routes, except the static files of course.
Environment
Node version (`node -v`): v10.13.0