okta / okta-sdk-dotnet

A .NET SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.

Setting Client Authentication for PKCE #479

Closed bjohndev closed 3 years ago

bjohndev commented 3 years ago

I'm trying to create a new SPA application, but I cannot seem to find how to enable the "Client authentication" to use PKCE. Can you please advise? When I use the sample apps with the app type value "browser", I get the result below. I would like this to be enabled so it doesn't use a client secret.


bryanapellanes-okta commented 3 years ago

@bjohndev, Thanks for reaching out! To enable the Use PKCE option you should select the Native App option when creating your application.

bjohndev commented 3 years ago

@bryanapellanes-okta Thanks for the quick response. Which object has the "Use PKCE" option?

bjohndev commented 3 years ago

@bryanapellanes-okta when I create a SPA through the UI, it automatically enables the "Use PKCE" option for me. Ultimately, I'm trying to create a SPA through the SDK.

bryanapellanes-okta commented 3 years ago

@bjohndev, Sorry for the confusion. My instructions are relevant only if you are using the dashboard to create your application. I'm looking for example code to do this using the SDK; I'll respond shortly with more.

bjohndev commented 3 years ago

@bryanapellanes-okta Thank you!

bryanapellanes-okta commented 3 years ago

@bjohndev, To create an application with the Use PKCE option enabled and selected, post JSON similar to the following to the /api/v1/apps endpoint. Note that the relevant setting is credentials.oauthClient.token_endpoint_auth_method: none:

{
  "name": "oidc_client",
  "label": "Application label (which I believe is what is the application name)",
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": null,
      "token_endpoint_auth_method": "none"
    }
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [
        "my.app.login:/callback",
        "com.okta.xamarin.ios.login:/callback"
      ],
      "post_logout_redirect_uris": [
        "my.app.logout:/callback",
        "com.okta.xamarin.ios.logout:/callback"
      ],
      "response_types": [
        "code"
      ],
      "grant_types": [
        "authorization_code"
      ],
      "application_type": "native",
      "consent_method": "REQUIRED",
      "issuer_mode": "ORG_URL",
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      }
    }
  }
}

bryanapellanes-okta commented 3 years ago

@bjohndev, I'm reviewing more closely to determine if there are classes already defined in the SDK to simplify this request. I don't believe this is currently wrapped in the SDK, but I'll verify and add to the backlog if appropriate. I've added an item for investigation and implementation if appropriate.

bjohndev commented 3 years ago

@bryanapellanes-okta Thank you! I appreciate you looking into this for me.

cursors commented 3 years ago

We are waiting for this to be implemented as well.

bryanapellanes-okta commented 3 years ago

> We are waiting for this to be implemented as well.

@cursors, Thanks for your interest! The payload described in my comment here: https://github.com/okta/okta-sdk-dotnet/issues/479#issuecomment-791599682 will set the Use PKCE value for you, the relevant piece being "token_endpoint_auth_method": "none".

We have work on our backlog to review whether it is necessary to change the existing SDK to enable you to submit this payload in a type-safe way using .NET class definitions. However, it is undetermined whether this work is necessary and when it will be complete. Just to reiterate, submitting the JSON previously described will set this value for you.

bryanapellanes-okta commented 3 years ago

@bjohndev @cursors, After further investigation we've discovered that the class CreateOpenIdConnectApplication, passed to the method CreateApplicationAsync, provides the ability to submit the previously described payload in a type-safe way. See the following code:

    using System.Collections.Generic;
    using Okta.Sdk;

    // Snippet from the SDK's integration tests: `client` is an OktaClient,
    // `guid` and `testClientId` are values defined by the surrounding test.
    var createdApp = await client.Applications.CreateApplicationAsync(new CreateOpenIdConnectApplication
    {
        Label = $"dotnet-sdk: AddOpenIdConnectApp {guid}",
        ClientId = testClientId,
        // Maps to credentials.oauthClient.token_endpoint_auth_method = "none" (the Use PKCE setting).
        TokenEndpointAuthMethod = OAuthEndpointAuthenticationMethod.None,
        ResponseTypes = new List<OAuthResponseType>
        {
            OAuthResponseType.Token,
            OAuthResponseType.IdToken,
            OAuthResponseType.Code,
        },
        RedirectUris = new List<string>
        {
            "https://example.com/oauth2/callback",
            "myapp://callback",
        },
        PostLogoutRedirectUris = new List<string>
        {
            "https://example.com/postlogout",
            "myapp://postlogoutcallback",
        },
        GrantTypes = new List<OAuthGrantType>
        {
            OAuthGrantType.Implicit,
            OAuthGrantType.AuthorizationCode,
        },
        ApplicationType = OpenIdConnectApplicationType.Native,
    });

Feel free to reach out again if you have other questions or requests. Thanks for using Okta!
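The JSON payload and the SDK snippet above both express the same thing: a public client whose token_endpoint_auth_method is "none". The following is an added example (not code from the thread or from the okta-sdk-dotnet project) that builds the same request restricted to the authorization-code flow, so that a client with no secret cannot also be issued tokens via the implicit grant, and then re-reads the created app to verify the effective settings. It assumes the SDK's read model exposes `Credentials.OAuthClient.TokenEndpointAuthMethod` and `Settings.OAuthClient.GrantTypes` on `IOpenIdConnectApplication`, and `OpenIdConnectApplicationType.Browser` for a SPA; the domain and token are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Okta.Sdk;
using Okta.Sdk.Configuration;

public static class PkceAppProvisioning
{
    // Hypothetical helper: a public client (no secret) using PKCE with the code flow only.
    // appType is OpenIdConnectApplicationType.Browser for a SPA or .Native for mobile/desktop.
    public static CreateOpenIdConnectApplication BuildPublicClient(
        string label, OpenIdConnectApplicationType appType, IEnumerable<string> redirectUris)
    {
        return new CreateOpenIdConnectApplication
        {
            Label = label,
            ApplicationType = appType,
            // "none": no client secret is issued; the client must prove possession with PKCE.
            TokenEndpointAuthMethod = OAuthEndpointAuthenticationMethod.None,
            // Authorization code only: no implicit grant, so no tokens in the URL fragment.
            GrantTypes = new List<OAuthGrantType> { OAuthGrantType.AuthorizationCode },
            ResponseTypes = new List<OAuthResponseType> { OAuthResponseType.Code },
            RedirectUris = redirectUris.ToList(),
        };
    }

    // Re-reads the app and returns findings if the effective settings are weaker than intended.
    // Property paths on the read model are assumed to mirror the JSON payload in this thread.
    public static async Task<IList<string>> CheckPublicClientAsync(OktaClient client, string appId)
    {
        var app = await client.Applications.GetApplicationAsync<IOpenIdConnectApplication>(appId);
        var findings = new List<string>();
        if (app.Credentials?.OAuthClient?.TokenEndpointAuthMethod != OAuthEndpointAuthenticationMethod.None)
            findings.Add("token_endpoint_auth_method is not 'none': a client secret is expected");
        if (app.Settings?.OAuthClient?.GrantTypes?.Contains(OAuthGrantType.Implicit) == true)
            findings.Add("implicit grant is enabled on a public client");
        return findings;
    }

    public static async Task Main()
    {
        var client = new OktaClient(new OktaClientConfiguration
        {
            OktaDomain = "https://{yourOktaDomain}", // placeholder
            Token = "{apiToken}",                    // placeholder
        });
        var spa = BuildPublicClient("My SPA", OpenIdConnectApplicationType.Browser,
            new[] { "https://example.com/callback" }); // constructed sample redirect URI
        var created = await client.Applications.CreateApplicationAsync(spa);
        foreach (var f in await CheckPublicClientAsync(client, created.Id)) Console.WriteLine("FINDING: " + f);
    }
}
```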

bjohndev commented 3 years ago

@bryanapellanes-okta Thank you, sir! That worked. Have a great week!