omniauth / omniauth-okta

OAuth2 strategy for Okta
MIT License

500 error from Okta. Omniauth error, invalid credentials. #14

Closed victorclee closed 4 years ago

victorclee commented 4 years ago

Hi team,

Need some insight/help from you. (Long post ahead)

I'm in the process of integrating Okta into our app, which currently uses Clearance as an authentication tool. Our goal is to integrate Okta as a second sign in option.

We run a Ruby on Rails app, and are using omniauth and omniauth-okta gems in development.

Here's our Omniauth Builder code snippet:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :okta, Rails.application.credentials.OKTA_CLIENT_ID, Rails.application.credentials.OKTA_CLIENT_SECRET, {
    client_options: {
      site:                 'https://dev-934210.okta.com',
      authorization_server: 'https://dev-934210.okta.com/oauth2/default',
      authorize_url:        'https://dev-934210.okta.com/oauth2/default/v1/authorize',
      token_url:            'https://dev-934210.okta.com/oauth2/default/v1/token',
      user_info_url:        'https://dev-934210.okta.com/oauth2/default/v1/userinfo',
      audience:             'api://default',
      redirect_uri:         'http://localhost:3000/auth/okta/callback'
    }
  }
end

Routes:

  get '/login', to: redirect('/auth/okta')
  get "/auth/:provider/callback" => "sessions#create_from_omniauth"

Sessions controller:

class SessionsController < Clearance::SessionsController
  def create_from_omniauth
    # OmniAuth stores the normalized auth hash in the Rack env after the callback phase.
    auth_hash = request.env["omniauth.auth"]

    authentication = Authentication.find_by(provider: auth_hash["provider"], uid: auth_hash["uid"]) ||
                     Authentication.create_with_omniauth(auth_hash)
    if authentication.user
      user = authentication.user
      authentication.update_token(auth_hash)
      @next = root_url
      @notice = "Signed in!"
    else
      user = User.create_with_auth_and_hash(authentication, auth_hash)
      @next = edit_user_path(user)
      @notice = "User created - confirm or edit details..."
    end
    sign_in(user)
    redirect_to @next, notice: @notice
  end
end

Currently, I can successfully reach the login page hosted by Okta, but once I enter my username and password, I consistently reach the same error shown in the following screenshot:

[Screenshot: Screen Shot 2020-08-12 at 3.25.58 PM]

Terminal output:

Started GET "/auth/okta" for ::1 at 2020-08-10 14:04:59 -0500
I, [2020-08-10T14:04:59.608267 #99101]  INFO -- omniauth: (okta) Request phase initiated.
Started GET "/auth/okta/callback?code=0dlprTDQxVGZKx-jafvh&state=f175cc7828a27c0029bcf74f1a7860d1a37a1b279bd46abf" for ::1 at 2020-08-10 14:05:10 -0500
I, [2020-08-10T14:05:10.515149 #99101]  INFO -- omniauth: (okta) Callback phase initiated.
E, [2020-08-10T14:05:11.240164 #99101] ERROR -- omniauth: (okta) Authentication failure! invalid_credentials: OAuth2::Error,

OAuth2::Error ():

oauth2 (1.4.4) lib/oauth2/client.rb:120:in `request'
oauth2 (1.4.4) lib/oauth2/access_token.rb:107:in `request'
oauth2 (1.4.4) lib/oauth2/access_token.rb:114:in `get'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:60:in `raw_info'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:28:in `block in <class:Okta>'
omniauth (1.9.1) lib/omniauth/strategy.rb:109:in `instance_eval'
omniauth (1.9.1) lib/omniauth/strategy.rb:109:in `block in compile_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `each'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `inject'
omniauth (1.9.1) lib/omniauth/strategy.rb:108:in `compile_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:102:in `uid_stack'
omniauth (1.9.1) lib/omniauth/strategy.rb:332:in `uid'
omniauth (1.9.1) lib/omniauth/strategy.rb:348:in `auth_hash'
omniauth (1.9.1) lib/omniauth/strategy.rb:372:in `callback_phase'
omniauth-oauth2 (1.7.0) lib/omniauth/strategies/oauth2.rb:93:in `callback_phase'
omniauth-okta (0.1.1) lib/omniauth/strategies/okta.rb:70:in `callback_phase'
omniauth (1.9.1) lib/omniauth/strategy.rb:238:in `callback_call'
omniauth (1.9.1) lib/omniauth/strategy.rb:189:in `call!'
omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
remotipart (1.4.2) lib/remotipart/middleware.rb:32:in `call'
clearance (1.16.1) lib/clearance/rack_session.rb:23:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:27:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack (5.2.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/cookies.rb:670:in `call'
activerecord (5.2.2.1) lib/active_record/migration.rb:559:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (5.2.2.1) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (5.2.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
rollbar (2.19.3) lib/rollbar/middleware/rails/rollbar.rb:25:in `block in call'
rollbar (2.19.3) lib/rollbar.rb:145:in `scoped'
rollbar (2.19.3) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
rollbar (2.19.3) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
web-console (3.7.0) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.7.0) lib/web_console/middleware.rb:30:in `block in call'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `catch'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (5.2.2.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (5.2.2.1) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:71:in `block in tagged'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (5.2.2.1) lib/active_support/tagged_logging.rb:71:in `tagged'
railties (5.2.2.1) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.2.3) lib/rack/method_override.rb:24:in `call'
rack (2.2.3) lib/rack/runtime.rb:22:in `call'
activesupport (5.2.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.2.1) lib/action_dispatch/middleware/static.rb:127:in `call'
rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
railties (5.2.2.1) lib/rails/engine.rb:524:in `call'
puma (3.12.1) lib/puma/configuration.rb:227:in `call'
puma (3.12.1) lib/puma/server.rb:660:in `handle_request'
puma (3.12.1) lib/puma/server.rb:474:in `process_client'
puma (3.12.1) lib/puma/server.rb:334:in `block in run'
puma (3.12.1) lib/puma/thread_pool.rb:135:in `block in spawn_thread'

Since I got an error saying invalid credentials, naturally, I double- and triple-checked my Okta client ID, Okta client secret, login username and password; even though they are correct, I'm still getting the same error over and over.

I reached out to Okta Support, provided them a HAR network trace file, and got the following response: "There is a 500 on the callback route of the application. I don't see any errors at Okta's end. This could be an issue at the callback route handling the response from Okta. Unfortunately, omniauth-okta is not maintained by Okta; you might have to file an issue in their GitHub if we are unable to figure it out."

So here I am, looking for help. Any insight would be greatly appreciated. Thanks, team!

jeremysenn commented 2 years ago

I'm having what seems like the same issue. How did this get resolved for you, victorclee?

All I see in the rails log is

omniauth: (okta) Callback phase initiated.

Then ...

omniauth: (okta) Authentication failure! invalid_credentials: OAuth2::Error

The user event logs on the Okta site show all the events as success.

Any help is greatly appreciated!

jeremysenn commented 2 years ago

It turns out we were not using the correct authorize_url and token_url endpoints. The omniauth-okta docs show to use 'https://your-org.okta.com/oauth2/<authorization_server>/v1/authorize'. So, we just used 'default' for the authorization_server string. However, when I referenced the Okta Org Authorization Server discovery endpoint by going here:

https://${yourOktaOrg}/.well-known/oauth-authorization-server

It didn't include anything for the authorization_server, simply /oauth2/v1/authorize. Once we used that instead for our endpoints, we were able to gather the correct Okta user credentials after login.
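The fix above comes down to one distinction: the Okta org authorization server serves its endpoints at /oauth2/v1/..., while a custom authorization server such as "default" serves them at /oauth2/default/v1/..., and an access token from one is not accepted by the other's endpoints (the original trace fails inside `raw_info`, i.e. on the userinfo call made after the token exchange). Rather than hand-typing the three URLs as in the original Builder snippet, the client_options can be derived from the server's discovery document. The following is an added example, not code from omniauth-okta or from either commenter; the discovery documents are constructed inline in the shape of Okta's OpenID Connect discovery response (`issuer`, `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`), the org name is taken from the thread, and `okta_client_options`, `DiscoveryError` and the option names are this example's own. It also refuses endpoints that are not HTTPS, not on the expected Okta host, or split across two authorization servers, which is exactly the mismatch both posters hit.

```ruby
require 'json'
require 'uri'

# Constructed sample discovery documents for this example (not real responses).
# Field names follow the OpenID Connect discovery document that Okta serves at
# <issuer>/.well-known/openid-configuration; only the fields used below are kept.
ORG_AS_DISCOVERY = JSON.generate({
  'issuer'                 => 'https://dev-934210.okta.com',
  'authorization_endpoint' => 'https://dev-934210.okta.com/oauth2/v1/authorize',
  'token_endpoint'         => 'https://dev-934210.okta.com/oauth2/v1/token',
  'userinfo_endpoint'      => 'https://dev-934210.okta.com/oauth2/v1/userinfo'
})

CUSTOM_AS_DISCOVERY = JSON.generate({
  'issuer'                 => 'https://dev-934210.okta.com/oauth2/default',
  'authorization_endpoint' => 'https://dev-934210.okta.com/oauth2/default/v1/authorize',
  'token_endpoint'         => 'https://dev-934210.okta.com/oauth2/default/v1/token',
  'userinfo_endpoint'      => 'https://dev-934210.okta.com/oauth2/default/v1/userinfo'
})

# The misconfiguration from the thread, expressed as a discovery document:
# an org-server authorize endpoint paired with custom-server token/userinfo endpoints.
MIXED_DISCOVERY = JSON.generate({
  'issuer'                 => 'https://dev-934210.okta.com',
  'authorization_endpoint' => 'https://dev-934210.okta.com/oauth2/v1/authorize',
  'token_endpoint'         => 'https://dev-934210.okta.com/oauth2/default/v1/token',
  'userinfo_endpoint'      => 'https://dev-934210.okta.com/oauth2/default/v1/userinfo'
})

# Okta endpoint paths have two shapes: /oauth2/v1/<name> for the org
# authorization server and /oauth2/<server>/v1/<name> for a custom one.
ENDPOINT_PATH = %r{\A/oauth2/(?:(?<server>[^/]+)/)?v1/(?<name>authorize|token|userinfo)\z}

class DiscoveryError < StandardError; end

# Derives the client_options hash for `provider :okta` from a discovery
# document. Rejects documents whose issuer or endpoints are not HTTPS, are not
# on the Okta host we expect (a discovery document must never be able to point
# the token exchange at another host), or do not all belong to one
# authorization server.
def okta_client_options(discovery_json, expected_host:)
  doc = JSON.parse(discovery_json)
  endpoints = {
    'authorize' => doc.fetch('authorization_endpoint'),
    'token'     => doc.fetch('token_endpoint'),
    'userinfo'  => doc.fetch('userinfo_endpoint')
  }

  issuer = URI.parse(doc.fetch('issuer'))
  unless issuer.scheme == 'https' && issuer.host == expected_host
    raise DiscoveryError, "issuer #{issuer} is not https on #{expected_host}"
  end

  servers = endpoints.map do |name, url|
    uri = URI.parse(url)
    unless uri.scheme == 'https' && uri.host == expected_host
      raise DiscoveryError, "#{name} endpoint #{url} is not https on #{expected_host}"
    end
    m = ENDPOINT_PATH.match(uri.path)
    raise DiscoveryError, "unexpected #{name} endpoint path #{uri.path}" unless m && m[:name] == name
    m[:server] # nil for the org authorization server
  end
  if servers.uniq.size != 1
    raise DiscoveryError, "endpoints belong to different authorization servers: #{servers.inspect}"
  end

  opts = {
    site:          "https://#{expected_host}",
    authorize_url: endpoints['authorize'],
    token_url:     endpoints['token'],
    user_info_url: endpoints['userinfo']
  }
  # Only a custom authorization server has a name to pass through.
  opts[:authorization_server] = servers.first if servers.first
  opts
end
```

In an application the JSON would be fetched once at boot from the issuer you expect (org server: https://your-org.okta.com/.well-known/openid-configuration; custom server: https://your-org.okta.com/oauth2/default/.well-known/openid-configuration) and the resulting hash passed as `client_options:`; fetching it from anywhere else, or from a URL taken from request input, defeats the host check.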