okta / okta-aspnet Goto Github PK
View Code? Open in Web Editor NEWokta-aspnet
Home Page: https://github.com/okta/okta-aspnet
License: Apache License 2.0
okta-aspnet
Home Page: https://github.com/okta/okta-aspnet
License: Apache License 2.0
Update this quickstart: https://developer.okta.com/quickstart/#/okta-sign-in-page/dotnet/aspnetcore
(Both the Sign-in Page version and API version)
-pre
when installing)The Okta.AspNetCore package is currently in beta. We'd love to get feedback while we build the library. Until the library is stable, Okta doesn't recommend using it for production applications. Refer to the sample app in the meantime for a supported way to get this working.
I would like to use this nuget package to hookup my Web API, however my API serves multiple clients and this middleware will only allow for a single client to be used because of the StrictTokenHandler.cs validation.
app.UseOktaWebApi(new OktaWebApiOptions()
{
OktaDomain = "https://<mydomain>",
ClientId = "myclientid", // I need a way to pass in multiple client ids here
AuthorizationServerId = "myauthserverid"
});
I would like to propose either of the following options:
ClientId
to an array so it can hold a whitelist of client ids that can be validated in the StrictTokenHandler.csOktaWebApiOptions
My application was working fine using the Okta.AspNetCore v 1.1.4 middleware. When I updated it to version 1.1.5, my app started throwing a 400 bad request error in the following line of code while logging out:
return new SignOutResult(new[] { OktaDefaults.MvcAuthenticationScheme, CookieAuthenticationDefaults.AuthenticationScheme });
I rolled the NuGet package back to version 1.1.4 and everything is working again.
Would it be possible to get a working sample with the latest versions of your dll and identitymodel 4?
okta-hosted-login is the one iโd like
Identity Model 4.0 and Okta Asp.Net 1.4.0
Thanks
โsteph
From https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Proposal+configuration+copypasta+guard
{yourOktaDomain}
-admin.okta.com
, -admin.oktapreview.com
, or -admin.okta-emea.com
.com.com
{clientId}
For Okta.MvcOptions
:
{clientSecret}
Some of these are implemented already, but we need to update the error messages to the new error strings mentioned in the wiki.
Update this quickstart: https://developer.okta.com/quickstart/#/okta-sign-in-page/dotnet/aspnet4
(Both the Sign-in Page and API versions)
-pre
when installing)The Okta.AspNet package is currently in beta. We'd love to get feedback while we build the library. Until the library is stable, Okta doesn't recommend using it for production applications. Refer to the sample app in the meantime for a supported way to get this working.
OktaOptions
to OktaWebOptions
OktaMvcOptions
to OktaWebMvcOptions
Then:
OktaWebOptions
to namespace Okta
OktaWebMvcOptions
to namespace Okta
OktaWebApiOptions
to namespace Okta
Would be nice to be able to inject few claims into User.Claims after a user is authenticated with Okta, based on some local user storage attributes.
Microsoft describes a way to achieve that in https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-2.2. But it requires access to OpenId.Events hidden by OktaMvcOptions.
Is there any workaround?
We have several public methods that are not documented in the code.
RedirectUri
has to be renamed to CallbackPath
.
Now we have integration tests but are configured via web.config.
We have to change this approach to get the configuration parameters from the environment variables. By doing this, we can set up our CI server and run this tests on it.
Let's add a section to the readme called Troubleshooting. I moved this from the sign users in guide:
Note: If you are using .NET framework <4.6 or you are getting the following error: "The request was aborted: Could not create SSL/TLS secure channel." Make sure to include the following code in the Application_Start
or Startup:
// Enable TLS 1.2
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
The quick start docs for .NET Core have a code snippet for the initial Okta middleware setup to be used in the ConfigureServices
method.
(This one ๐)
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
})
.AddCookie()
.AddOktaMvc(new OktaMvcOptions
{
OktaDomain = "https://{yourOktaDomain}",
ClientId = "{clientId}",
ClientSecret = "{clientSecret}"
});
// ... the rest of ConfigureServices
services.AddMvc();
This is pretty simple ๐
I just want to throw out an alternative option for devs who:
It might look something like this (whatever the name might be):
services.AddOktaCookieAuth(configuration);
This would internally do what the above snippet does.
It would reduce the using statements from 2 to 1 - removing the need for:
using Microsoft.AspNetCore.Authentication.Cookies;
It's not a big deal but it's a tiny "win." And tiny "wins" over time can compound, right?
This would match some of the conventions built into .NET Core too. For example, adding the entire MVC infrastructure is simply:
services.AddMvc();
Under the covers that would add a bunch of stuff that the dev could otherwise add himself. But the simple convenience is part of what makes .NET Core so great.
Other pros:
If you guys think this is a good idea I'd be up for implementing that. Otherwise, no harm done ๐คฃ
Thanks! Keep up the good work guys ๐
OktaWebApiOptions should include an option to set Events (JwtBearerEvents). This is needed to allow SignalR to work with Bearer tokens. See the example at https://docs.microsoft.com/en-us/aspnet/core/signalr/authn-and-authz?view=aspnetcore-2.2
This library should report the user agent okta-aspnet/{ver}
as described here: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/237672215/User+Agents
/oauth2/default/v1/keys
/authorize
requestsI followed the quick start and authentication seems to be working for the most part. But we're seeing a few 500's in our log files for POST requests to /authorization-code/callback. It definitely does not happen every time, but we're seeing it periodically in our logs from other users.
I haven't created /authorization-code/callback endpoint in my project and I'm not sure how that endpoint is getting called.
The exception in the log files with the 500 is:
System.Exception:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1+<HandleRequestAsync>d__12.MoveNext (Microsoft.AspNetCore.Authentication, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext (Microsoft.AspNetCore.Authentication, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware+<Invoke>d__7.MoveNext (Microsoft.AspNetCore.StaticFiles, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware+<Invoke>d__7.MoveNext (Microsoft.AspNetCore.StaticFiles, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware+<Invoke>d__6.MoveNext (Microsoft.AspNetCore.Diagnostics, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
Inner exception System.Exception handled at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1+<HandleRequestAsync>d__12.MoveNext:
We've decided to put Okta support on hold. I could not find any AspNetCore projects or MVC 5 code examples on GitHub repository that work and no response from support.
Test Name: Okta.AspNetCore.Mvc.IntegrationTest.MiddlewareShould.RedirectWhenAccessToProtectedRouteWithoutSignedInAsync
Test FullName: Okta.AspNetCore.Mvc.IntegrationTest.MiddlewareShould.RedirectWhenAccessToProtectedRouteWithoutSignedInAsync
Test Source: C:\Users\jabil.100004892\okta-aspnet\Okta.AspNetCore.Mvc.IntegrationTest\MiddlewareShould.cs : line 41
Test Outcome: Failed
Test Duration: 0:00:00.001
Result StackTrace:
at Okta.AspNet.Abstractions.OktaWebOptionsValidator`1.Validate(OktaWebOptions options) in C:\Users\jabil.100004892\okta-aspnet\Okta.AspNet.Abstractions\OktaWebOptionsValidator.cs:line 33
at Okta.AspNetCore.OktaAuthenticationOptionsExtensions.AddOktaMvc(AuthenticationBuilder builder, OktaMvcOptions options) in C:\Users\jabil.100004892\okta-aspnet\Okta.AspNetCore\OktaAuthenticationOptionsExtensions.cs:line 25
at Okta.AspNetCore.Mvc.IntegrationTest.Startup.ConfigureServices(IServiceCollection services) in C:\Users\jabil.100004892\okta-aspnet\Okta.AspNetCore.Mvc.IntegrationTest\Startup.cs:line 29
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
at Microsoft.AspNetCore.TestHost.TestServer..ctor(IWebHostBuilder builder, IFeatureCollection featureCollection)
at Okta.AspNetCore.Mvc.IntegrationTest.MiddlewareShould..ctor() in C:\Users\jabil.100004892\okta-aspnet\Okta.AspNetCore.Mvc.IntegrationTest\MiddlewareShould.cs:line 32
Result Message:
System.ArgumentNullException : Your Okta URL is missing. You can copy your domain from the Okta Developer Console. Follow these instructions to find it: https://bit.ly/finding-okta-domain
Parameter name: OktaDomain
I need to set the RedirectUri because my app is running behind a virtual directory. Setting that up locally in Core is a bit messy right now, so it might not be configured somewhere it needs to be. In any case Okta is taking http://localhost/MyApp and turning the RedirectUri to just http://localhost. I'm guessing this would affect apps behind a proxy as well.
We use .Net 4.6.1 MVC and have seen that only the hybrid flow is supported and the response type is hard coded into the response.
Can you introduce a new feature to support the auth code flow so we follow OKTA's own best practises of avoiding the hybrid flow where possible.
Details on package set-up below:
Thanks in advance.
<package id="Okta.AspNet" version="1.4.0" targetFramework="net461" />
<package id="Okta.AspNet.Abstractions" version="3.0.2" targetFramework="net461" />
<package id="Okta.Sdk" version="1.4.1" targetFramework="net461" />
Sample Application setup OKTA documentation that we follow is here - https://developer.okta.com/quickstart/#/okta-sign-in-page/dotnet/aspnet4
Line of code where the response type is hardcoded to โcode id_tokenโ in the SDK โ Line no 50 in the class BuildOpenIdConnectAuthenticationOptions -
https://github.com/okta/okta-aspnet/blob/master/Okta.AspNet/OpenIdConnectAuthenticationOptionsBuilder.cs
Background: https://oktawiki.atlassian.net/wiki/spaces/UX/pages/470681125/Developer+Experience+-+Okta+Domain+Labels
OrgUrl
to OktaDomain
in options objecthttps://{yourOktaDomain}
(no .com
)This SDK does not work dotnet core 3.0. Can we have the SDK build for the newer version of dotnet?
How to validate tokens against expiration time in .net core.
After we release a 1.0.0 stable, update the ASP.NET quickstart (both redirect and API versions):
ASP.NET (4.x especially) tends to throw really unhelpful errors when retrieving the discovery document fails. For example: https://devforum.okta.com/t/401-status-on-login/3615
Is it possible to hook into any part of the MS OIDC middleware to detect this, and at the very least, throw a more helpful error message?
In the root README.MD file, we should mention which versions of .NET Framework and .NET Standard these packages are compatible with. Like this: https://github.com/okta/okta-sdk-dotnet#getting-started
Hello,
Does this package supports Authorization Code + PKCE ?
Thanks!
The readme currently serves 4 different use cases (ASP.NET 4.x/Core + MVC/Web API). Let's split it up so the readme only contains:
*The doc pages will be new. Create a file in a new docs
folder for each of:
docs/aspnet4x-mvc.md
docs/aspnet4x-webapi.md
docs/aspnetcore-mvc.md
docs/aspnetcore-api.md
Each one of these new pages should contain:
When you are not authenticated and try to access a controller decorated with [Authorize]
attribute, it redirects to Okta instead of the local sign in page.
Can you do a check to make sure the config checks in this library match the wiki?
https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Library+configuration+checks
I've made a few (final) updates.
It appears that at https://github.com/okta/okta-aspnet/blob/master/Okta.AspNet/OktaMiddlewareExtensions.cs#L94 we are setting the name claim type to the literal string "name" when asp.net expects it to be set to ClaimTypes.NameIdentifier.
This is causing
System.InvalidOperationException: 'A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier.'
when using the ValidateAntiForgeryToken functionality in ASP.NET.
We probably need to either update the "name" literal to ClaimTypes.NameIdentifier or add a 2nd claim type of ClaimTypes.NameIdentifier.
A workaround is to include AntiForgeryConfig.UniqueClaimTypeIdentifier = "name"
in a site's "startup.cs"
Okta.AspNet.Abstractions -> 1.1.0
Okta.AspNet & Okta.AspNetCore -> 1.2.0
Features
After we release a 1.0.0 stable, update the ASP.NET Core quickstart (both redirect and API versions):
A few internal dependencies have patch versions we can apply. After that, re-test to make sure nothing broke.
In the AspNet version of the extensions, the ResponseType is set to do code and id_token
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = options.ClientId,
ClientSecret = options.ClientSecret,
Authority = issuer,
RedirectUri = options.RedirectUri,
ResponseType = OpenIdConnectResponseType.CodeIdToken,
Scope = scopeString,
PostLogoutRedirectUri = options.PostLogoutRedirectUri,
TokenValidationParameters = tokenValidationParameters,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = tokenExchanger.ExchangeCodeForTokenAsync,
RedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync,
},
});
However, in the AspNetCore version, it's just code:
builder.AddOpenIdConnect(oidcOptions =>
{
oidcOptions.ClientId = options.ClientId;
oidcOptions.ClientSecret = options.ClientSecret;
oidcOptions.Authority = issuer;
oidcOptions.CallbackPath = new PathString(options.CallbackPath);
oidcOptions.SignedOutCallbackPath = new PathString(OktaDefaults.SignOutCallbackPath);
oidcOptions.ResponseType = OpenIdConnectResponseType.Code;
oidcOptions.GetClaimsFromUserInfoEndpoint = options.GetClaimsFromUserInfoEndpoint;
oidcOptions.SaveTokens = true;
oidcOptions.UseTokenLifetime = false;
oidcOptions.BackchannelHttpHandler = new UserAgentHandler("okta-aspnetcore", typeof(OktaAuthenticationOptionsExtensions).Assembly.GetName().Version);
var hasDefinedScopes = options.Scope?.Any() ?? false;
if (hasDefinedScopes)
{
oidcOptions.Scope.Clear();
foreach (var scope in options.Scope)
{
oidcOptions.Scope.Add(scope);
}
}
oidcOptions.TokenValidationParameters = new DefaultTokenValidationParameters(options, issuer)
{
ValidAudience = options.ClientId,
NameClaimType = "name",
};
oidcOptions.Events.OnRedirectToIdentityProvider = BeforeRedirectToIdentityProviderAsync;
});
This prevents returning group claims since the groups scope only works with ID tokens. Is this an intentional change in behavior?
I haven't seen any documentation on how to use Okta on ASP.NET (Core or pre-Core) with a social IdP (Google, Facebook, etc). Getting up and running with Okta via the OIDC middleware is a breeze, but it doesn't account for the social workflow as far as I can see. In my scenario, I'd like to support Okta user account authentication in addition to social.
The documentation makes it seem like you have to go down the path of using Javascript and building your own sign-in experience. I have this workflow working in the sense that I can get JSON returned with an id_token
and claims
, but that doesn't hook into the ASP.NET security model very well (my app is not a SPA).
Is there a way to leverage the OIDC middleware with a social IdP workflow?
When I use the middleware in my ASP.NET project, I should also get access to the Okta SDK. The goal is to make it super easy for a developer to start using the middleware for basic authn/authz, and then optionally use the SDK to do additional tasks via the Okta API.
However, we should only do this after Okta.Sdk
has a stable release. (not prerelease as it is today)
Okta.AspNet
depend on Okta.Sdk
so the SDK is pulled in automatically by NugetHttpContext.GetOwinContext().GetOktaSdk()
(or a better pattern)ScopedClient
functionality to add the middleware's user-agent to SDK callsRemove beta from project version.
Hi,
I'm working in a project that contains 2 different apps (iOS Native App,Web App) and a middleware.
Both apps need to login using Okta SDK and then call some endpoints in the middleware, that should take the access token and validate it also using the Okta SDK.
The problem is that i get different audiences from both apps...
in the iOS app i get api://default
but in the web app i get the ClientId and i can't find a way to make both work.
What can i do to fix this? is it possible to expose DefaultTokenValidationParameters and let user override some of the values?
ASP.NET Core 2.2 has been out for a while now. We should update our quickstarts, readmes, and sample apps to show code and instructions compatible with ASP.NET Core 2.2.
After working with Okta via the standard OWIN middleware (not this repo) I noticed that the asp.net/OWIN way of redirecting to a custom authentication page is rather heinous. It requires tinkering with the Cookie and OIDC middleware bits, including AuthenticationMode, etc...all just to redirect to a different domain/url.
As a convenience for developers (who don't like writing excess c# to do a simple task) adding CustomAuthPageUrl (or some variation of) could be extremely helpful. Thanks!
Similar to what we do here: https://github.com/okta/okta-sdk-dotnet#configuration-reference
Hi,
An end user told us that his session in the application never expired. The first thing I did was try to replicate the issue.
I have tested with Chrome, Firefox and Edge and worked perfectly. However the end user uses an Opera Web Browser(https://www.opera.com/) and indeed when I access an application using this browser the session never expires. I remained authenticated forever what is a security flaw, because if I revoke its access the application access remain working.
The application is a ASP.NET MVC Core 2.2 and Okta.AspNetCore 1.1.5.
I have tested the token in the Okta Portal and the token expiration attributes looks correct.
"iat": 1579862469,
"exp": 1579866069,
Did someone experience any issue like this?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.