Unable to use OAuth with Okta

[druchoo]

Trying to configure Okta OAuth following examples from https://github.com/sipcapture/homer-app/issues/440 with the following config.

"oauth2": {
  "enable": true,
  "client_id": "xxx",
  "client_secret": "xxx",
  "project_id": "Okta",
  "auth_uri": "https://okta.myco.com/oauth2/v1/authorize",
  "token_uri": "https://okta.myco.com/oauth2/v1/token",
  "redirect_uri": "https://homer.myco.com/api/v3/oauth2",
  "service_redirect": "/api/v3/oauth2/redirect",
  "profile_url": "https://okta.myco.com/oauth2/v1/userinfo",
  "provider_name": "auth",
  "scope": ["email", "openid", "profile"],
  "gravatar": false,
  "gravatar_url": "https://www.gravatar.com/avatar/%s.jpg"
}

The flow seems to kick off but in the end UI redirects to https://homer.myco.com/api/v3/oauth2/auth?code=xxxx&state=yyy and receive the error:

{"message":"missing or malformed jwt"}

[github-actions[bot]]

Your report is appreciated. Please star this repository to motivate its developers! :star:

[adubovikov]

redirect url should be: https://homer.myco.com/api/v3/oauth2/auth

please check change and try again

[druchoo]

@adubovikov with "redirect_uri": "https://homer.myco.com/api/v3/oauth2/auth" I get:

Looking at the code it seems auth is already appended from "provider_name": "auth"?

And n the Okta config Sign-in redirect URIs is set to https://homer.myco.com/api/v3/oauth2/auth..

EDIT: And if Okta is configured with https://homer.myco.com/api/v3/oauth2/auth/auth we get:

{"data":{},"message":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"The authorization code is invalid or has expired.\"}"}

[adubovikov]

@druchoo because we use "provider" as param and in your case you have "auth" -> that makes /auth/auth

if you want, change the param to "okta".

https://github.com/sipcapture/homer-app/blob/master/router/v1/user.go#L57

//Oauth2 Request
acc.GET("/oauth2/auth/:provider", urc.AuthSericeRequest)

can you please provide the debug log of homer-app, specially during request of api/v3/oauth2/auth/"provider" (auth)

thank you

[adubovikov]

i think you should register correct redirect_uri by OKTA with 2 auth - https://homer.myco.com/api/v3/oauth2/auth/auth

or if you will change your provider name to "okta" it will be -> https://homer.myco.com/api/v3/oauth2/auth/okta

[adubovikov]

@druchoo any progress ?

[pgopu]

@adubovikov I am @druchoo's colleague working on this Oauth. We are seeing the following in the debug log:

{"level":"debug","msg":"Doing AuthSericeRequest for provider: okta","time":"2021-12-10T13:00:21Z"}
{"level":"error","msg":"AuthSericeRequest OAuth2Config Exchange is invalid:oauth2: cannot fetch token: 400 Bad Request\nResponse:
{\"error\":\"invalid_grant\",\"error_description\":\"The authorization code is invalid or has expired.\"}","time":"2021-12-10T13:00:21Z"} {"level":"debug","msg":"================================","time":"2021-12-10T13:00:21Z"}
{"level":"debug","msg":"--------request body-------","time":"2021-12-10T13:00:21Z"}
{"json":"","level":"info","msg":"Payload","time":"2021-12-10T13:00:21Z"}
{"level":"info","msg":"---------------------------","time":"2021-12-10T13:00:21Z"}
{"level":"debug","msg":"-------- response body --------","time":"2021-12-10T13:00:21Z"}
{"json":"{\"data\":{},\"message\":\"oauth2: cannot fetch token: 400 Bad Request\nResponse:
{\\"error\\":\\"invalid_grant\\",\\"error_description\\":\\"The authorization code is invalid or has expired.\\"}\"}","level":"info","msg":"Payload","time":"2021-12-10T13:00:21Z"} {"level":"debug","msg":"-------------------------------","time":"2021-12-10T13:00:21Z"}

[pgopu]

@adubovikov - any progress on this? Do you need any more info from us?

Is the issue because of this? https://devforum.okta.com/t/v1-token-400-error-when-token-has-expired/8637/11

[adubovikov]

@pgopu lets say, this is not the "standard" way to do it. Anyway, lets try:

https://github.com/sipcapture/homer-app/commit/5a2f51128302283148151f9fbd9114d1351bc083

and in the config:

oauth2.auth_style = 1

https://pkg.go.dev/golang.org/x/oauth2#AuthStyle

[pgopu]

@adubovikov - I tried with latest master, and updated the config to include auth_style=1. I got the following error:

{"data":{},"message":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"PKCE verification failed.\"}"}

[adubovikov]

https://github.com/sipcapture/homer-app/commit/aa75dd5c8c45dc265038f07aa389eb37337565a0

before I will check, does Okta have a free accounts to check auth ?

[pgopu]

@adubovikov - I have tried with your latest commit (aa75dd5) still the same result PKCE verification failed.

[lmangani]

@pgopu this is as far as we can go without having access to the affected platform (we do not) If you'd like to sponsor this change request, please consider a donation to the project

[pgopu]

Would you like to sign up on okta? https://developer.okta.com/signup/

I will check with my team about your request.

[lmangani]

I know its almost Christmas, but It is not realistic to expect OSS developers to signup with any 3rd party service when requested to support it freely :) jokes aside, if you would like to express this process, we appreciate any counter support

[pgopu]

@adubovikov - I have tested with some changes done in homer-app code in my fork https://github.com/pgopu/homer-app to make it work with Okta Oauth2. You can check the code in that branch.

I still have one issue with Okta is that it is not able to match the code_challenger and code_verifier when used https://github.com/sipcapture/homer-app/blob/d4f20880d224b6cd5f857048d5899eb89aac4718/utils/heputils/heputils.go#L357 function.

It worked when I hardcoded their documented values. https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/#create-the-proof-key-for-code-exchange

Could you please take a look at the changes, and advise on next steps? Thank you!

[adubovikov]

@pgopu Super! Here you are:

https://github.com/sipcapture/homer-app/commit/cc5269b202cfa4f2d749e773ad3793283796d386#diff-2873f79a86c0d8b3335cd7731b0ecf7dd4301eb19a82ef7a1cba7589b5252261R415-R417

[pgopu]

@adubovikov - we still need to merge the changes from my branch. Shall I create a PR for you? My branch is https://github.com/pgopu/homer-app. Please take a look at newer changes to GenCodeChallengeS256 function in my branch: https://github.com/pgopu/homer-app.

[pgopu]

@adubovikov here is the PR: https://github.com/sipcapture/homer-app/pull/463 with all the changes. I have tested with Okta Oauth. All the parameters that were added are needed particularly for Okta, might be optional for other Oauth providers.

[adubovikov]

@pgopu merged :-) lets test ?

[pgopu]

@adubovikov - Sure! Will test and update here. Thank you!

[pgopu]

@adubovikov - tested and it works!!! 👯

[pgopu]

@adubovikov - Could you please cut the release?

[adubovikov]

@pgopu pushed and released!

[adubovikov]

@pgopu I am closing the ticket. Thanks to everybody!