okta / okta-signin-widget

HTML/CSS/JS widget that provides out-of-the-box authentication UX for your organization's apps

[Question] How can I modify the iss param in a redirectUri after a password reset #3021

Open flipsed opened 1 year ago

flipsed commented 1 year ago

Describe the bug

Hey okta sign in widget dev team,

This is a question rather than a bug. We are using the self-hosted widget running at auth.example.com

We've implemented an SSO reverse proxy (vouch proxy) and we're having the following issue: when an okta user resets their password, they are redirected to an application that is protected by the reverse proxy. I would like to know how to configure okta to change the redirectUrl after a successful password reset.

Bug summary

This is what the password reset flow looks like in burp (from bottom to top in chronological order):

  1. user tries to access application, gets redirected to okta
  2. okta password reset flow (self-hosted sign-in widget & self-service password reset via email)
  3. okta redirects to application configured in the default sign-in widget setting
  4. vouch catches the redirect and issues a 400 bad request


On the vouch side of things we have a 400 Bad Request because the redirect URL fails validation. We can see below that the request to https://auth.company.com/login/sessionCookieRedirect?... contains the following parameter: ?iss=https://auth.company.com which is causing vouch to fail here with this error:

{"level":"debug","ts":1673489519.9245772,"msg":"Login url param normalized to 'https://my.example.com/?iss=https://auth.example.com&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED&login_hint=example%40gmail.com'"}
{"level":"warn","ts":1673489519.9259224,"msg":"requested destination URL has a dangerous query string looks bad: https://auth.example.com includes https://"}


What is expected to happen?

After an okta password reset, I would like to be able to redirect to an application without getting an error in the SSO reverse proxy.

Both okta and vouch are working as intended so I would like to configure okta to remove the iss parameter from the redirectUri after a successful password reset.

I have tried modifying our custom sign-in page like so:

    <script type="text/javascript">
        // Widget config is supplied by the hosted sign-in page helper
        var config = OktaUtil.getSignInWidgetConfig();
        var oktaSignIn = new OktaSignIn(config);
        // Hook that runs before the recovery (password reset) step; attempts to
        // blank the issuer when the redirect target is the default app
        oktaSignIn.before('identify-recovery', async () => {
          if (oktaSignIn.authClient.options.redirectUri == "https://my.example.com/") {
            oktaSignIn.authClient.options.issuer = "";
          }
        });
        oktaSignIn.renderEl({ el: '#auth-outer-container' },
            OktaUtil.completeLogin,
            function(error) {
                console.log(error.message, error);
            }
        );
    </script>

where "https://my.example.com/" is the configured "default app for sign-in widget". This isn't working unfortunately.

What is the actual behavior?

The redirect after a successful password reset causes 400 Bad Request in our reverse proxy

Reproduction Steps

n/a - requires a self-hosted okta instance and an application protected by vouch.

SDK Versions

major version: 7
minor version: latest

Execution Environment

browser: firefox
os: mac

Additional Information?

No response
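
Added example (not code from this issue, the widget, or vouch) in JavaScript: it takes the destination URL from the debug log above, shows which query parameter trips a guard that rejects any value embedding a scheme (the behaviour the warn line describes), and contrasts it with a narrower allow-list check that accepts `iss` only when it exactly equals an assumed trusted issuer origin.

```javascript
// Added example; the sample URL is constructed from the log line in the issue.
const SAMPLE_DESTINATION =
  "https://my.example.com/?iss=https://auth.example.com" +
  "&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED" +
  "&login_hint=example%40gmail.com";

// Guard in the spirit of the quoted warning: any query value that embeds
// an http(s) scheme is treated as a dangerous (possible open-redirect) input.
// Returns the names of the offending parameters; an empty array means accepted.
function findEmbeddedUrlParams(destination) {
  const url = new URL(destination);
  const offending = [];
  for (const [name, value] of url.searchParams) {
    if (/https?:\/\//i.test(value)) offending.push(name);
  }
  return offending;
}

// Allow-list alternative: the only embedded URL tolerated is an `iss` value
// that exactly matches the trusted issuer origin (assumed value passed in);
// every other parameter carrying a scheme is still rejected.
function validateDestination(destination, trustedIssuer) {
  const url = new URL(destination);
  for (const [name, value] of url.searchParams) {
    if (!/https?:\/\//i.test(value)) continue;
    if (name === "iss" && value === trustedIssuer) continue;
    return { ok: false, reason: `query param "${name}" embeds a URL` };
  }
  return { ok: true, reason: "" };
}

// Stand-alone demonstration
console.log(findEmbeddedUrlParams(SAMPLE_DESTINATION));
console.log(validateDestination(SAMPLE_DESTINATION, "https://auth.example.com"));
console.log(validateDestination(SAMPLE_DESTINATION, "https://auth.company.com"));
```

Only the `iss` hint carries a scheme; `login_hint` decodes to a plain address, so the substring guard fails solely because of the issuer that Okta appends after the reset.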

jaredperreault-okta commented 1 year ago

@flipsed from the vouch issue linked, it seems like you were able to fix this?