okta / okta-react-native

OIDC enablement for React Native applications
https://github.com/okta/okta-react-native

Authorize with a custom authorization server id #336

Open ValentinOUI opened 1 year ago

ValentinOUI commented 1 year ago

Describe the bug?

Hi.

I am using a Custom Authorization Server as described here, so according to the doc the authorization URL needs to look like this

https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/authorize

However, after trying different combinations between the issuer and the discoveryUri, the authorize URL remains /oauth2/v1/authorize?scope=custom_scope&response_type=...

What is the correct way to add an authorization server id in the authorize endpoint?

Many thanks for the help

What is expected to happen?

Add a field to the configuration to add a custom authorization server id, or do not remove it from the discovery URI when we try to set it.

What is the actual behavior?

I have an error with "illegal_custom_scope".

Reproduction Steps?

1. Configure Okta

  import { createConfig } from '@okta/okta-react-native';

  // Config values come from the app environment; issuer and discoveryUri
  // both point at the custom authorization server (see below).
  async function configureOkta() {
    await createConfig({
      clientId: ENV.OKTA_CLIENT_ID,
      redirectUri: ENV.OKTA_REDIRECT_URI,
      endSessionRedirectUri: ENV.OKTA_END_SESSION_REDIRECT_URI,
      issuer: ENV.OKTA_ISSUER,
      discoveryUri: ENV.OKTA_DISCOVERY_URI,
      scopes: ENV.OKTA_REQUESTED_SCOPES,
      requireHardwareBackedKeyStore: ENV.OKTA_REQUIRED_HARDWARE_BACKED_KEY_STORE,
      browserMatchAll: true,
    });
  }

with the issuer and discovery URI set correctly according to the documentation. In my case both the issuer and the discovery URI look like https://{myOktaDomain}/oauth2/${authorizationServerId}

2. Try sign in with browser

await signInWithBrowser();

Additional Information?

No response

SDK Version

Latest

Build Information

No response

mikenachbaur-okta commented 1 year ago

Thank you for reaching out @ValentinOUI. The SDK uses the supplied discovery URL to retrieve the OIDC configuration for your authorization server before initiating login. You can validate that the settings are correct by appending /.well-known/openid-configuration to your discovery URL and checking those values for yourself.

Alternatively, you could try removing the "issuer" parameter, and just supply the "discoveryUri".
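The check described above, as an added example that is not part of okta-react-native or of either commenter's code: build the well-known URL the SDK is expected to fetch from a discoveryUri, then verify that the returned openid-configuration document actually belongs to the custom authorization server rather than the org server. The helper names, the example Okta domain and the two sample documents are constructed for illustration; in a real check the document would come from fetching the URL returned by discoveryUrlFor().

```javascript
// Added example, not code from the okta-react-native project.
// Helper names, the domain and the sample documents below are constructed.

const WELL_KNOWN = '/.well-known/openid-configuration';

// URL the SDK is expected to fetch for a given discoveryUri or issuer.
// Tolerates a trailing slash and an already-complete well-known URL.
function discoveryUrlFor(base) {
  const trimmed = base.replace(/\/+$/, '');
  return trimmed.endsWith(WELL_KNOWN) ? trimmed : trimmed + WELL_KNOWN;
}

// Authorization server id from an issuer shaped like
// https://{domain}/oauth2/{authorizationServerId}; null for the org server.
function authServerIdFromIssuer(issuer) {
  const m = new URL(issuer).pathname.match(/^\/oauth2\/([^/]+)\/?$/);
  return m ? m[1] : null;
}

// Compare a parsed openid-configuration document with the issuer we intend
// to use. Returns a list of problems; an empty list means the document is
// consistent with the custom authorization server.
function checkDiscoveryDocument(doc, expectedIssuer) {
  const problems = [];
  const issuer = expectedIssuer.replace(/\/+$/, '');
  const serverId = authServerIdFromIssuer(issuer);

  if (doc.issuer !== issuer) {
    problems.push(`issuer mismatch: document says ${doc.issuer}, expected ${issuer}`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint']) {
    const value = doc[key];
    if (typeof value !== 'string') {
      problems.push(`${key} missing`);
      continue;
    }
    if (!value.startsWith(issuer + '/')) {
      problems.push(`${key} is outside the issuer: ${value}`);
    }
    // The symptom from the issue: the org server path, without the server id.
    if (serverId && new URL(value).pathname.startsWith('/oauth2/v1/')) {
      problems.push(`${key} falls back to the org authorization server: ${value}`);
    }
  }
  return problems;
}

// Constructed sample documents (field names follow OIDC discovery).
const ISSUER = 'https://example.okta.com/oauth2/aus1234567890';
const goodDoc = {
  issuer: ISSUER,
  authorization_endpoint: ISSUER + '/v1/authorize',
  token_endpoint: ISSUER + '/v1/token',
};
const orgServerDoc = {
  issuer: 'https://example.okta.com',
  authorization_endpoint: 'https://example.okta.com/oauth2/v1/authorize',
  token_endpoint: 'https://example.okta.com/oauth2/v1/token',
};

console.log(discoveryUrlFor(ISSUER));
console.log('custom server doc:', checkDiscoveryDocument(goodDoc, ISSUER));
console.log('org server doc:', checkDiscoveryDocument(orgServerDoc, ISSUER));
```

If the document fetched from the well-known URL passes this check but the SDK still opens /oauth2/v1/authorize, the problem is in how the SDK derives the endpoint, not in the discovery document.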

ValentinOUI commented 1 year ago

Hello @mikenachbaur-okta and thank you for your answer.

Thanks for the /.well-known/openid-configuration; I managed to get it working via Postman, as well as the authorize endpoint, by setting everything correctly, including the authorization server id.

But when I try with the SDK, the requested URL still looks like /oauth2/v1/authorize?..., despite appending the auth server id to my discovery URI and removing the issuer from my parameters.