oktadev / okta-aspnetcore-mvc-example

ASP.NET Core 2.0 MVC + Okta example
Apache License 2.0

Problem with htpps & redirect_uri #14

Open Leanwit opened 6 years ago

Leanwit commented 6 years ago

Hi. I have the following configuration:

- Login redirect URIs: https://stg.domainname.com/authorization-code/callback
- Logout redirect URIs: https://stg.domainname.com/signout-callback-oidc
- Login initiated by: App Only
- Initiate login URI: https://stg.domainname.com/authorization-code/callback

When I try to access the Okta login, the redirect_uri has the same domain but uses "http", so the Okta page returns a 400 error with the following message:

Proveedor de identidades: Unknown
Código de error: invalid_request
Descripción: The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings.

The okta configuration in Startup:

```csharp
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json;
using RestSharp;

// Inside Startup.ConfigureServices(IServiceCollection services)
OktaSettings oktaSettings = this.Configuration.GetSection("OktaSettings").Get<OktaSettings>();
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
    options.DefaultSignInScheme = IdentityConstants.ApplicationScheme;
    options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.ClientId = oktaSettings.ClientId;
    options.ClientSecret = oktaSettings.ClientSecret;
    options.Authority = oktaSettings.Authority;
    // redirect_uri is built from Request.Scheme + Host + PathBase + CallbackPath
    options.CallbackPath = oktaSettings.CallbackPath;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.SaveTokens = oktaSettings.SaveTokens;
    options.UseTokenLifetime = oktaSettings.UseTokenLifetime;
    options.GetClaimsFromUserInfoEndpoint = oktaSettings.GetClaimsFromUserInfoEndpoint;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
    };
    options.Events = new OpenIdConnectEvents
    {
        OnTokenResponseReceived = async ctx =>
        {
            // Get UserInfo from Okta with the access token that was just issued
            RestClient client = new RestClient(oktaSettings.Authority + "/v1/userinfo");
            RestRequest request = new RestRequest(Method.POST);
            request.AddHeader("authorization", "Bearer " + ctx.TokenEndpointResponse.AccessToken);
            request.AddHeader("content-type", "application/x-www-form-urlencoded");
            IRestResponse response = client.Execute(request);
            if (response == null || response.StatusCode != HttpStatusCode.OK)
            {
                ctx.Response.Redirect("/Account/Login?q=okta");
                ctx.HandleResponse();
            }
            else
            {
                OKTAUserInfo oktaUserInfo = JsonConvert.DeserializeObject<OKTAUserInfo>(response.Content);

                var userManager = ctx.HttpContext.RequestServices.GetRequiredService<UserManager>();

                // Get or add (if it does not exist) the Okta user from/in the BDE
                var userDto = await userManager.GetOrAddFromOkta(oktaUserInfo.email);

                // Keep the user on the per-request HttpContext instead of a field on Startup:
                // Startup is a singleton, so a field would be shared between concurrent logins
                // and one user's record (and admin flag) could leak into another user's request.
                ctx.HttpContext.Items["OktaUserDto"] = userDto;

                // Verify the user is enabled in the BDE
                if (userDto == null || userDto.IsDeleted || !userDto.IsEnabled)
                {
                    ctx.Response.Redirect("/Account/Login?q=okta");
                    ctx.HandleResponse();
                }
            }
        },
        OnTokenValidated = ctx =>
        {
            // Same request as OnTokenResponseReceived, so Items still carries the user.
            // UserDto is the assumed name of the type returned by GetOrAddFromOkta.
            var userDto = ctx.HttpContext.Items["OktaUserDto"] as UserDto;

            // Verify if the user is an administrator
            if (userDto != null && userDto.IsAdministrator)
            {
                var claims = new List<Claim> { new Claim(ClaimTypes.Role, "Administrator") };
                var appIdentity = new ClaimsIdentity(claims);
                ctx.Principal.AddIdentity(appIdentity);
            }
            return Task.CompletedTask;
        },
    };
});
```

Thanks
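The OpenID Connect handler builds `redirect_uri` from the scheme and host it sees on the incoming request, so when TLS is terminated at a reverse proxy and the app is reached over plain HTTP, the handler emits `http://...` and Okta rejects it because the whitelisted URI is `https://...`. The fragment below is an added example, not code from this repository or from the poster; it shows the usual fix (honouring `X-Forwarded-Proto` from a known proxy before authentication runs) plus an `OnRedirectToIdentityProvider` backstop that rewrites a stray `http` scheme. The proxy address, the `partial class Startup` layout and the method names `ConfigureForwardedHeaders`, `EnsureHttpsRedirectUri` and `ConfigurePipeline` are assumptions to be wired into your own `ConfigureServices`/`Configure`.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    // Address of the reverse proxy that terminates TLS (constructed placeholder; use your own).
    private static readonly IPAddress TlsProxy = IPAddress.Parse("10.0.0.5");

    // Call from ConfigureServices (hypothetical method name).
    public void ConfigureForwardedHeaders(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Take the client's original scheme and address from the proxy's headers,
            // so Request.Scheme becomes "https" and redirect_uri is built with it.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Only accept these headers from the proxy we know about. Left at the defaults
            // (loopback only) the headers are ignored behind a remote proxy; cleared without
            // a replacement, any client could spoof them.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(TlsProxy);
        });
    }

    // Assign to OpenIdConnectOptions.Events.OnRedirectToIdentityProvider inside AddOpenIdConnect(...).
    // Backstop only: if the forwarded headers are applied correctly this branch is never taken.
    public static Task EnsureHttpsRedirectUri(RedirectContext ctx)
    {
        var redirect = new UriBuilder(ctx.ProtocolMessage.RedirectUri);
        if (redirect.Scheme == Uri.UriSchemeHttp)
        {
            redirect.Scheme = Uri.UriSchemeHttps;
            redirect.Port = -1; // drop the plain-HTTP port so the default HTTPS port is used
            ctx.ProtocolMessage.RedirectUri = redirect.Uri.AbsoluteUri;
        }
        return Task.CompletedTask;
    }

    // Call from Configure (hypothetical method name).
    public void ConfigurePipeline(IApplicationBuilder app)
    {
        // Must run before UseAuthentication: the OIDC handler reads Request.Scheme
        // at challenge time, so the headers have to be applied earlier in the pipeline.
        app.UseForwardedHeaders();
        app.UseAuthentication();
    }
}
```

The value sent as `redirect_uri` has to match one of the whitelisted Login redirect URIs character for character, so after deploying this it is worth capturing one authorization request (the `redirect_uri` query parameter on the redirect to `/authorize`) and comparing it with the Okta app settings; a mismatch in scheme, host, port or trailing path is what produces the `invalid_request` response quoted above. Prefer fixing the forwarded headers over relying on the rewrite: the rewrite hides the misconfiguration, and a host that does not see the real scheme will also generate plain-HTTP absolute URLs elsewhere (cookies without `Secure`, redirects after login).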

simonscoffins commented 6 years ago

Getting same problem

Leanwit commented 6 years ago

Hi simons, maybe you can resolve the problem here https://github.com/okta/okta-sdk-dotnet/issues/206

simonscoffins commented 6 years ago

Hi Leanwit, thanks for replying. Actually the problem ended up being an incorrect base URI setting. So my own fault. Thanks for following up though.