Describe the bug

Hey okta sign in widget dev team,

This is a question rather than a bug. We are using the self-hosted widget running at auth.example.com.

We've implemented an SSO reverse proxy (vouch proxy) and we're having the following issue: when an okta user resets their password, they are redirected to an application that is protected by the reverse proxy. I would like to know how to configure okta to change the redirectUrl after a successful password reset.
Bug summary

This is what the password reset flow looks like in burp (from bottom to top in chronological order):

1. user tries to access application, gets redirected to okta
2. okta redirects to application configured in the default sign-in widget setting
3. vouch catches the redirect and issues a 400 bad request
On the vouch side of things we have a 400 Bad Request because the redirect URL fails validation. We can see below that the request to `https://auth.company.com/login/sessionCookieRedirect?...` contains the following parameter: `?iss=https://auth.company.com`, which is causing vouch to fail here with this error:

```json
{"level":"debug","ts":1673489519.9245772,"msg":"Login url param normalized to 'https://my.example.com/?iss=https://auth.example.com&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED&login_hint=example%40gmail.com'"}
{"level":"warn","ts":1673489519.9259224,"msg":"requested destination URL has a dangerous query string looks bad: https://auth.example.com includes https://"}
```
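As an added illustration (this is not code from the issue author, from vouch, or from Okta), the following JavaScript models the kind of destination check that produces the warning above: the proxy allow-lists the destination host and refuses any query value that itself contains an absolute URL, which is a standard open-redirect defence. It also shows a normaliser that drops the four recovery hint parameters visible in the debug log before re-validating. The allowed host list and the function names are assumptions for this example; the parameter names are taken from the logged URL.

```javascript
// Added example: simplified model of a reverse-proxy redirect-destination
// check (approximating the behaviour seen in the vouch log above) plus a
// normaliser that strips the hint parameters Okta appends after a password
// recovery. Not vouch's or Okta's own code.

// Assumption for this example: destinations the proxy may redirect to.
const ALLOWED_HOSTS = new Set(["my.example.com"]);

// Query parameters seen on the post-recovery redirect in the debug log line.
const OKTA_HINT_PARAMS = ["iss", "type_hint", "session_hint", "login_hint"];

// Validate a requested destination. Returns { ok, reason }.
function validateDestination(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allow list` };
  }
  // A nested absolute URL inside the query is the classic shape of a
  // redirect chain, so the destination is rejected even though the host
  // itself is allowed. This is what trips on "?iss=https://auth.example.com".
  for (const [key, value] of url.searchParams) {
    if (/https?:\/\//i.test(value)) {
      return { ok: false, reason: `query param ${key} includes a URL: ${value}` };
    }
  }
  return { ok: true, reason: "" };
}

// Remove the Okta recovery hints and return the cleaned destination. The
// hints are only informational for the widget, so dropping them at the
// proxy does not change where the user ends up.
function stripOktaHints(raw) {
  const url = new URL(raw);
  for (const p of OKTA_HINT_PARAMS) {
    url.searchParams.delete(p);
  }
  return url.toString();
}

// Constructed sample: the normalized destination from the debug log above.
const SAMPLE =
  "https://my.example.com/?iss=https://auth.example.com" +
  "&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED" +
  "&login_hint=example%40gmail.com";

// Run the check before and after stripping so the difference is visible.
function demo(raw) {
  const before = validateDestination(raw);
  const cleaned = stripOktaHints(raw);
  const after = validateDestination(cleaned);
  return { before, cleaned, after };
}

console.log(JSON.stringify(demo(SAMPLE), null, 2));
```

Running the block prints the rejection for the raw URL (the `iss` value embeds `https://`) and an accepted result for the same destination once the hint parameters are removed; a destination on a host outside the allow list, or one carrying a `next=https://...` style parameter, is still rejected.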
What is expected to happen?

After an okta password reset, I would like to be able to redirect to an application without getting an error in the SSO reverse proxy.

Both okta and vouch are working as intended, so I would like to configure okta to remove the `iss` parameter from the redirectUri after a successful password reset.
I have tried modifying our custom sign-in page like so:

```html
<script type="text/javascript">
  var config = OktaUtil.getSignInWidgetConfig();
  var oktaSignIn = new OktaSignIn(config);

  // Before the recovery form is shown, blank the issuer when the redirect
  // target is the default app, hoping this drops the iss parameter.
  oktaSignIn.before('identify-recovery', async () => {
    if (oktaSignIn.authClient.options.redirectUri === "https://my.example.com/") {
      oktaSignIn.authClient.options.issuer = "";
    }
  });

  oktaSignIn.renderEl(
    { el: '#auth-outer-container' },
    OktaUtil.completeLogin,
    function (error) {
      console.log(error.message, error);
    }
  );
</script>
```

where "https://my.example.com/" is the configured "default app for sign-in widget". This isn't working, unfortunately.
What is the actual behavior?

The redirect after a successful password reset causes a 400 Bad Request in our reverse proxy.

Reproduction Steps

n/a - requires a self-hosted okta instance and an application protected by vouch.
SDK Versions

major version: 7, minor version: latest

Execution Environment

browser: firefox, os: mac

Additional Information?

No response