okta / okta-signin-widget

HTML/CSS/JS widget that provides out-of-the-box authentication UX for your organization's apps

setCookieAndRedirect() not working #901

Open tom-smith-okta opened 4 years ago

tom-smith-okta commented 4 years ago

:information_source: If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests.

I'm submitting a

Background info

I am using renderEl and on success I am attempting to use

res.session.setCookieAndRedirect('https://acme.com/app');

as the documentation states.

Upon successful authentication I get the following error:

Uncaught TypeError: Cannot read property 'setCookieAndRedirect' of undefined

I tried many variations of setCookieAndRedirect (authClient etc.) and could not get any to work.

Expected behavior

What should have happened?

I should have been redirected to Okta and then back again with an Okta session.

Worked fine with v2.6

What went wrong?

Uncaught TypeError: Cannot read property 'setCookieAndRedirect' of undefined

Steps to reproduce

// Okta org base URL; placeholder left as in the report
var baseUrl = '{{okta_tenant_url}}';

/***************************************************************************/

var signIn = new OktaSignIn({
    baseUrl: baseUrl
});

window.onload = function() {

    signIn.renderEl(
        { el: '#widget-container' },
        function success(res) {
            // res.status is 'SUCCESS' here, yet res.session is undefined
            res.session.setCookieAndRedirect(window.location.href);
        },
        function error(err) {
            console.log(err);
        }
    );
};

Your environment

swiftone commented 4 years ago

@tom-smith-okta - Have you checked the res.status as shown in the examples in the README? If something went wrong in the authentication process, there may not be a session object.

tom-smith-okta commented 4 years ago

@swiftone - the res.status is "SUCCESS". The error is "Cannot read property 'setCookieAndRedirect' of undefined"

swiftone commented 4 years ago

Internal-ref: OKTA-256599

leemilam-okta commented 4 years ago

I am seeing the same issue. I have a similar setup and also get an error on the "res.session.setCookieAndRedirect" code. The error I get is "TypeError: res.session is undefined". I am also getting this error with "res.session.token", so I think the issue is with res.session, not with setCookieAndRedirect. res.status and res.user are all properly evaluated and populated; just res.session seems to have an issue.

corysimmons commented 4 years ago

Following the docs here https://developer.okta.com/code/javascript/okta_sign-in_widget/#initializing-the-widget

This part works:

var signIn = new OktaSignIn({baseUrl: 'https://${yourOktaDomain}'});
signIn.renderEl({
  el: '#widget-container'
}, function success(res) {
  if (res.status === 'SUCCESS') {
    console.log('Do something with this sessionToken', res.session.token); // res.session.token exists
  } else {
    // The user can be in another authentication state that requires further action.
    // For more information about these states, see:
    //   https://github.com/okta/okta-signin-widget#rendereloptions-success-error
  }
});

This part doesn't: https://developer.okta.com/code/javascript/okta_sign-in_widget/#sign-in-to-okta-with-a-custom-dashboard

function success(res) {
  if (res.status === 'SUCCESS') {
    res.session.setCookieAndRedirect('http://localhost:8000'); // doesn't set cookies, doesn't redirect
  }
}

This is in a create-react-app app.

I should also mention your /api/v1/session endpoint (with sessionToken) works in Postman and cURL but not with fetch in the browser... No idea why...
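A defensive version of the success handler discussed in this thread, added here as an example (not code from the okta-signin-widget project or from any commenter): it checks res.status first, as swiftone suggests, guards against the missing res.session that several people hit, and only redirects to an allow-listed origin. handleSignInResult, ALLOWED_REDIRECT_ORIGINS and the sample responses are all constructed for this example.

```javascript
// Constructed allow-list of origins the post-login redirect may target.
const ALLOWED_REDIRECT_ORIGINS = ['https://acme.com'];

// Hypothetical success handler for renderEl. Returns a plain result object so
// the decision can be inspected or tested without a browser.
function handleSignInResult(res, redirectTarget, allowedOrigins = ALLOWED_REDIRECT_ORIGINS) {
  if (!res || res.status !== 'SUCCESS') {
    // MFA_REQUIRED, PASSWORD_EXPIRED, etc. require further widget interaction.
    return { action: 'further-action', status: res ? res.status : undefined };
  }
  if (!res.session || typeof res.session.setCookieAndRedirect !== 'function') {
    // The failure reported in this issue: status is SUCCESS but no session object.
    return { action: 'error', reason: 'no-session' };
  }
  let url;
  try {
    url = new URL(redirectTarget);
  } catch (e) {
    return { action: 'error', reason: 'bad-redirect-url' };
  }
  if (url.protocol !== 'https:' || !allowedOrigins.includes(url.origin)) {
    // Refuse to send the freshly minted session to an unexpected origin.
    return { action: 'error', reason: 'redirect-not-allowed' };
  }
  res.session.setCookieAndRedirect(url.href);
  return { action: 'redirect', url: url.href };
}

// Constructed sample responses shaped like the widget's success callback argument.
function sampleResponses() {
  const calls = []; // records what setCookieAndRedirect was called with
  const success = { status: 'SUCCESS', session: { setCookieAndRedirect: (u) => calls.push(u) } };
  const noSession = { status: 'SUCCESS', user: { id: 'constructed-user' } }; // as in this thread
  const mfa = { status: 'MFA_REQUIRED' };
  return { success, noSession, mfa, calls };
}
```

In the real handler, the 'further-action' and 'error' branches are where you log the status and keep the widget rendered instead of dereferencing res.session.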

SJ-antoniazzi commented 3 years ago

Hello everyone,

I do have a similar problem. When I try to retrieve the session token from my org, on a successful request I receive only the user and status information, but no session field. Meaning that when I read the session token, the JS interpreter responds with an error: cannot read property "token" of undefined.

Has this issue been resolved? Is there a configuration on my org that I should take into account?

If it can help, I'm using ASP.NET Core 3.1 under a docker instance.

Thank You

shuowu commented 3 years ago

@SJ-antoniazzi Can you try the latest okta-signin-widget version 5.x? In the new major version, we encourage devs to use showSignInAndRedirect or showSignInToGetTokens instead of renderEl to auth the users.

Ref: MIGRATING GUIDE

SJ-antoniazzi commented 3 years ago

Thank you for your suggestion. I'm using the 5.x version of the widget.

I would like to use showSignInAndRedirect or showSignInToGetTokens, the problem is that I have to retrieve the session token in order to login to my resources with a different flow, rather than using the id_tokens.

I encountered a successful login on another okta dev org... But not on my actual one, which is not developer enabled. Is there a difference regarding this ?

shuowu commented 3 years ago

@SJ-antoniazzi looks like it might be an org/configuration issue. I would suggest reaching out to our support team (support@okta.com) to collect more information to identify the issue.

aarongranick-okta commented 3 years ago

@SJ-antoniazzi @corysimmons @leemilam-okta @tom-smith-okta Were you able to find a solution for your issue?

corysimmons commented 3 years ago

I forget what this was about, but I ended up using okta.authClient.tokenManager.get('accessToken') to see if there was a token already in localStorage. If there was, I set the token in a global store (like Redux), then I redirect them to the protected route; otherwise okta.remove(); okta.showSignInToGetTokens(...)

On all protected routes I'm checking if that token is in the global store; if it's not, then I client-side redirect them to the login route.

If they are a hacker and accessing routes they shouldn't be accessing, it doesn't matter because my API expects the Okta token to verify.