Allow to configure `authorization_server_path` - i.e. JWT `iss`

tegon commented 2 years ago

Context

The omniauth-okta Gem assumes an authorization server is being used, so it appends /oauth2/default to the token issuer.

https://github.com/omniauth/omniauth-okta/blob/master/lib/omniauth/strategies/okta.rb#L89

This causes an Invalid issuer error when authorizing with our organization's Okta account. Since we don't use an authorization server, we need to only use the site as the issuer. We are getting around this issue with the following patch:

module OmniAuth
  module Strategies
    class Okta < OmniAuth::Strategies::OAuth2
      def authorization_server_path
        client_options.fetch(:site)
      end
    end
  end
end

Proposal

Add a configuration option to the strategy, allowing the full authorization server path - or JWT token issuer, if we want to be more explicit - to be inputted. By doing so, we give users of the Gem more flexibility to set any value they need.

Let me know if this sounds like a good idea so I can work on a pull request for it.

stevenharman commented 1 year ago

Is this addressed by #31?

tegon commented 1 year ago

@stevenharman Looks like it does (although I don't work on that codebase anymore to test it myself).

omniauth / omniauth-okta

Allow to configure `authorization_server_path` - i.e. JWT `iss` #22

Context

Proposal