okta / okta-auth-js Goto Github PK

On Chrome when I try and authenticate, I always get redirected back over to Oktas authentication site.
I think it's because of HPKP headers but I can't figure out how to resolve/fix it.

I create a login request with

export const login = credentials => {
return dispatch => {
dispatch(dispatchToReducer(LOGIN));
oktaAuth
.signIn(credentials)
.then(res => {
dispatch(loginSuccess(res));
dispatch(getGroup(res.user.id));
dispatch(getJwt(res.sessionToken));
dispatch(updateAll(res.user.id));
})
.catch(err => {
dispatch(loginFailure( err));
});
};
};

And at this point I have my users info, session token, etc. So I call...

async componentDidUpdate(prevProps) {
if (this.props.authenticated && !prevProps.authenticated) {
const auth = await this.props.auth;
auth.redirect('/', { sessionToken: this.props.sessionToken });
}
}
I tried adding the suggested path, but that still doesn't work. It always redirects to Oktas web site.

On chromes console, there is a warning also

HTTP-Based Public Key Pinning is deprecated. Chrome 69 and later will ignore HPKP response headers. (Host: dev-xxxxxx.oktapreview.com)

Not sure if that is relevant or not

This is more of a feature request, but it would be great if you guys had npm registry item.

Thanks,
Kelly

To further clean up the internals of this library, let's do the following:

• Remove dependency on reqwest
• Remove devDependency on jQuery
• Use fetch() or another approach (with broad browser compatibility) to do HTTP calls from Auth.js. A developer using Auth.js by itself shouldn't need to provide an HTTP client implementation, and a package that consumes Auth.js (i.e. Sign-In Widget, other Okta SDKs) shouldn't need to provide an HTTP client implementation. Auth.js should provide its own HTTP client.
• Allowing the developer to pass their own HTTP client (to replace Auth.js' internal HTTP client) is out of scope, but should be considered in the technical design.
• For scenarios where Auth.js is making calls on behalf of SIW or other Okta SDKs, make sure we can attach additional User-Agent tokens from those libraries on the calls Auth.js makes. (If necessary, this can be split into a separate issue)
• Update readme to remove references to jQuery and reqwest

This method is currently synchronous, and creates problems if the token is being refreshed at the time that this method is called. This problem has been discussed at length in these issues:

#92
#123
okta/okta-oidc-js#181

The desired fix is described in this comment:

okta/okta-oidc-js#181 (comment)

We are going to implement this fix and release a major version. Please watch this issue for updates.

Reported by a customer:

We were seeing issues with users who had a time off by an hour or more (probably people who set their clocks ahead for daylight savings manually).

This code takes the expiration time from a token response and copies it straight into the cookie expiration: https://github.com/okta/okta-auth-js/blob/master/lib/http.js#L69-L71

We should discuss whether this is the best approach.

To help avoid misconfiguration, this library should implement these checks against common errors: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Library+configuration+checks

For this library, these checks apply:

• Issuer or url
• Client ID

I followed the steps here: https://github.com/okta/okta-auth-js#developing-the-okta-auth-client

But when running npm test it got stuck (doesn't do anything/doesn't finish) after the following lines of console output:

~/repos/okta/okta-auth-js$ npm test

> @okta/[email protected] test /Users/ms/repos/okta/okta-auth-js
> grunt test

Running "shell:lint" (shell) task

> @okta/[email protected] lint /Users/ms/repos/okta/okta-auth-js
> eslint .


Running "shell:buildTests" (shell) task

> @okta/[email protected] build:tests /Users/ms/repos/okta/okta-auth-js
> webpack --config webpack.test.config.js

Writing config to /Users/ms/repos/okta/okta-auth-js/lib/config.js
Hash: bbdd2803fe6899ad0a59
Version: webpack 1.13.0
Time: 1557ms
   Asset     Size  Chunks             Chunk Names
tests.js  3.39 MB       0  [emitted]  main
   [0] ./test/main.js 174 bytes {0} [built]
   [1] ./test/util/jasmine-extensions.js 633 bytes {0} [built]
   [4] ./test/spec .* 930 bytes {0} [built]
   [5] ./test/spec/errors.js 3.58 kB {0} [optional] [built]
   [6] ./test/util/util.js 11 kB {0} [built]
  [11] ./jquery/index.js 113 bytes {0} [built]
  [12] ./jquery/jqueryRequest.js 1.12 kB {0} [built]
  [13] ./lib/clientBuilder.js 9.25 kB {0} [built]
  [14] ./lib/vendor/polyfills.js 2.82 kB {0} [built]
  [16] ./lib/oauthUtil.js 7.6 kB {0} [built]
  [17] ./lib/http.js 3.21 kB {0} [built]
  [18] ./lib/util.js 5.76 kB {0} [built]
  [19] ./lib/cookies.js 929 bytes {0} [built]
  [20] ./lib/storageUtil.js 1.61 kB {0} [built]
  [21] ./lib/storageBuilder.js 1.14 kB {0} [built]
  [22] ./lib/errors/AuthSdkError.js 963 bytes {0} [built]
  [23] ./lib/config.js 500 bytes {0} [built]
  [24] ./lib/errors/AuthApiError.js 1.01 kB {0} [built]
  [25] ./lib/tx.js 8.69 kB {0} [built]
  [26] ./lib/errors/AuthPollStopError.js 824 bytes {0} [built]
  [27] ./lib/session.js 1.52 kB {0} [built]
  [28] ./lib/token.js 20.5 kB {0} [built]
  [29] ./lib/crypto.js 1.64 kB {0} [built]
  [30] ./lib/errors/OAuthError.js 850 bytes {0} [built]
  [31] ./lib/TokenManager.js 5.54 kB {0} [built]
  [33] ./test/xhr ^\.\/.*$ 2.46 kB {0} [built]
  [34] ./test/xhr/cancel.js 97 bytes {0} [optional] [built]
  [35] ./test/xhr/empty.js 49 bytes {0} [optional] [built]
  [36] ./test/xhr/error-incorrect-old-password.js 337 bytes {0} [optional] [built]
  [37] ./test/xhr/error-internal.js 250 bytes {0} [optional] [built]
  [38] ./test/xhr/error-network.js 71 bytes {0} [optional] [built]
  [39] ./test/xhr/error-operation.js 388 bytes {0} [optional] [built]
  [40] ./test/xhr/error-password-requirements.js 457 bytes {0} [optional] [built]
  [41] ./test/xhr/error-session-not-found.js 267 bytes {0} [optional] [built]
  [42] ./test/xhr/error-throttle.js 283 bytes {0} [optional] [built]
  [43] ./test/xhr/error-token.js 246 bytes {0} [optional] [built]
  [44] ./test/xhr/error-userinfo-insufficient-scope.js 282 bytes {0} [optional] [built]
  [45] ./test/xhr/error-userinfo-invalid-token.js 202 bytes {0} [optional] [built]
  [46] ./test/xhr/error-wrong-answer.js 279 bytes {0} [optional] [built]
  [47] ./test/xhr/keys.js 473 bytes {0} [built]
  [48] ./test/xhr/locked-out.js 447 bytes {0} [optional] [built]
  [49] ./test/xhr/mfa-challenge-push.js 2.22 kB {0} [optional] [built]
  [50] ./test/xhr/mfa-challenge-sms.js 1.56 kB {0} [optional] [built]
  [51] ./test/xhr/mfa-enroll.js 2.76 kB {0} [optional] [built]
  [52] ./test/xhr/mfa-enroll-activate-error.js 338 bytes {0} [optional] [built]
  [53] ./test/xhr/mfa-enroll-activate-push-timeout.js 1.33 kB {0} [optional] [built]
  [54] ./test/xhr/mfa-enroll-activate-push-waiting.js 2.33 kB {0} [optional] [built]
  [55] ./test/xhr/mfa-enroll-activate-sms.js 1.56 kB {0} [optional] [built]
  [56] ./test/xhr/mfa-enroll-activate-totp-google.js 1.9 kB {0} [optional] [built]
  [57] ./test/xhr/mfa-enroll-activate-totp-okta.js 1.9 kB {0} [optional] [built]
  [58] ./test/xhr/mfa-required.js 4.04 kB {0} [optional] [built]
  [59] ./test/xhr/mfa-required-error.js 338 bytes {0} [optional] [built]
  [60] ./test/xhr/password-expired.js 967 bytes {0} [optional] [built]
  [61] ./test/xhr/password-expired-error-complexity.js 457 bytes {0} [optional] [built]
  [62] ./test/xhr/password-expired-error-incorrect.js 337 bytes {0} [optional] [built]
  [63] ./test/xhr/password-reset.js 963 bytes {0} [optional] [built]
  [64] ./test/xhr/password-warn.js 1.34 kB {0} [optional] [built]
  [65] ./test/xhr/primary-auth-error.js 250 bytes {0} [optional] [built]
  [66] ./test/xhr/questions.js 2.37 kB {0} [optional] [built]
  [67] ./test/xhr/recovery.js 921 bytes {0} [optional] [built]
  [68] ./test/xhr/recovery-challenge-email.js 197 bytes {0} [optional] [built]
  [69] ./test/xhr/recovery-challenge-password.js 834 bytes {0} [optional] [built]
  [70] ./test/xhr/recovery-token.js 1.05 kB {0} [optional] [built]
  [71] ./test/xhr/session.js 1.02 kB {0} [optional] [built]
  [72] ./test/xhr/success.js 510 bytes {0} [optional] [built]
  [73] ./test/xhr/user.js 1.77 kB {0} [optional] [built]
  [74] ./test/xhr/userinfo.js 175 bytes {0} [optional] [built]
  [75] ./test/xhr/webfinger.js 653 bytes {0} [optional] [built]
  [76] ./test/xhr/well-known.js 1.22 kB {0} [built]
  [77] ./test/xhr/well-known-shared-resource.js 1.52 kB {0} [built]
  [78] ./test/spec/fingerprint.js 7.23 kB {0} [optional] [built]
  [80] ./test/spec/general.js 14.1 kB {0} [optional] [built]
  [81] ./test/util/tokens.js 13.5 kB {0} [built]
  [82] ./test/spec/locked-out.js 1.19 kB {0} [optional] [built]
  [83] ./test/spec/mfa-challenge.js 36.5 kB {0} [optional] [built]
  [84] ./test/spec/mfa-enroll.js 3.25 kB {0} [optional] [built]
  [85] ./test/spec/mfa-enroll-activate.js 13.5 kB {0} [optional] [built]
  [86] ./test/spec/mfa-required.js 16.8 kB {0} [optional] [built]
  [87] ./test/spec/no-auth-status.js 3.05 kB {0} [optional] [built]
  [88] ./test/spec/oauth.js 20.2 kB {0} [optional] [built]
  [89] ./test/util/oauthUtil.js 15.3 kB {0} [built]
  [90] ./test/spec/oauthUtil.js 19 kB {0} [optional] [built]
  [91] ./test/spec/password-expired.js 2.69 kB {0} [optional] [built]
  [92] ./test/spec/password-reset.js 1.81 kB {0} [optional] [built]
  [93] ./test/spec/password-warn.js 3.13 kB {0} [optional] [built]
  [94] ./test/spec/recovery.js 2.42 kB {0} [optional] [built]
  [95] ./test/spec/recovery_challenge.js 2.48 kB {0} [optional] [built]
  [96] ./test/spec/token.js 85.5 kB {0} [optional] [built]
  [97] ./test/spec/tokenManager.js 20.6 kB {0} [optional] [built]
  [98] ./test/spec/util.js 2.81 kB {0} [optional] [built]
  [99] ./test/spec/webfinger.js 824 bytes {0} [optional] [built]
    + 9 hidden modules

Running "jasmine:phantom" (jasmine) task
Testing jasmine specs via PhantomJS

I'm running MacOSX and phantomjs -v returns 2.1.1.

Any help where the problem is or how I could fix it?
I need to see if the tests run successfully as I'd like to create a new pull request.

We should include the subresource integrity attribute for CDN hosted assets:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

on
https://github.com/okta/okta-auth-js#transactionstatus
the image seems to be broken...

Hi, I am running into some weird behaviour that I have been trying to figure out for weeks, even doing a support session with an Okta dev to no avail.

I am using the accesstoken from signIn() in to validate api calls to the backend of my app (express). I am validating the token with '@okta/jwt-verifier'

oktaJwtVerifier.verifyAccessToken(accessTokenString).then((jwt) ... etc..

When the verification fails, I log the user out with:

    oktaAuth.signOut().then(() => {
      oktaAuth.tokenManager.clear()
      history.push('/')

      dispatch({
        type: LOGOUT_COMPLETE
      })

      dispatch(resetUser()) // clear redux state and redux-persist state
    })

This works fine if the token becomes invalid while using the app continuously.

The problem arises If I leave the computer alone for a longer period of time with out using it. Or if I close my laptop for example and open it the next day with the app still how it was (logged in), when I then click something and the accessToken validation fails, the app will redirect to Okta's branded login page instead of staying on in my app. And sometimes then after that if I go back to my login page and try to login, I get immediately get logged out again. After that logging/out in works normally.

Am I missing any steps for this situation? (logging the user out when the token becomes invalid). The Okta developer I spoke with felt like I was missing some handling with the session token directly.

Any help is greatly appreciated.

It looks like the access token is refreshed forever if the browser is left open. That seems like a security concern. Would it be possible to wire something up so that it's only refreshed if there is activity? Maybe a call back function that can be supplied and if called within the refresh time-period, it's refreshed, otherwise it allows it to expire.

authClient.tokenManager.on('expired', (key, expiredToken) => {
  console.log('Token with key', key, 'has expired');
});

The event never fires for me even after the session has expired. I can see a request to see if the session is active in the network and receive a message along the lines of "error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in.".

Please advice is there an option to continuously check if the token is going to get expired and before the token expires (like only 25% of the expiry time is still left) have to request for refresh token

I am using the getWithRedirect() method to authenticate with okta. One of the parameters I am passing into the method is the clientId:

authClient.getWithRedirect({
    clientId: <clientId>,
    ...
}).then(...)

While doing this I noticed that the clientId is not stored in the session cookie, which means it will not be available for use in the parseFromUrl() function after the redirect, resulting in a token claim validation error. I have created a pull request which resolves this issue.

Hi, it appears as though the dependent packages for the npm module have dissapeared.
the error on installing the packages is:

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\ci-update-package):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/ci-update-package
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\qtip2):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/qtip2
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\courage):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/courage
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\ci-pkginfo):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/ci-pkginfo
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\i18n):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/i18n
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: @okta/[email protected] (node_modules\@okta\okta-signin-widget\node_modules\@okta\install-with-shrinkwrap):
npm WARN 404 SKIPPING OPTIONAL DEPENDENCY: Not found : @okta/install-with-shrinkwrap

In the callback handler, we error if we can't pull the tokens from the callback url OR we can't read the cookie where we stored the state/nonce for the authorize url:

https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L602-L605

If you manually created the authorize URL outside of this library you will get this error because the cookie was not created.

We should have a more specific error for the cookie error case, to clue the developer into the fact that we can't process a callback URL without that cookie.

In SDK version 2.0.1, I am running into cases when the following code:

const authClient = new OktaAuth({ /* config that usually works */ })

authClient.tokenManager.get("token")
  .then(() => console.log("then"))
  .catch(() => console.log("catch"))

Neither resolves nor rejects for a long time, despite the following console error showing up in the console pretty much instantaneously:

error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in.

A bit tricky to give more context than this, because the issue is hard to reproduce, but all in all I'm having a difficult time handling all the errors to either run a frontend application or show an error screen. I would appreciate any pointers, and happy to give more context if necessary.

I am currently using token.getWithRedirect to retrieve a token. In the documentation for the function there is no mention of an idp parameter. But when I look through the repo and the Okta API I see that idp is a valid parameter.

Here is an example of my use case that works:

const authClient = new OktaAuth({ url, issuer, clientId, redirectUri, authorizeUrl, userinfoUrl });
authClient.token.getWithRedirect({ idp, scopes, responseType });

Are there any plans to add this to the okta-auth-js documentation? Should I open up a PR to add it in?

Hello All,
Does this package support React-Native apps? I have installed the package using the "npm install" but when I try to run it I get the following message "Document is not defined". See the image below.

I wold greatly appreciate your response.
Thanks,
Farshid

When enrolling SMS as factor using .enroll() on transaction and then trying to resend SMS using .resend() on response object throws an exception:

AuthSdkError('No link found for that name');
throw new AuthSdkError('Must provide a link name');

Is there something I'm missing? For the others, we don't have to specify a link

Can the JQuery version be updated to the latest? Current version is 3.2.1.

Hello,

I'm using @okta/okta-signin-widget/dist/js/okta-sign-in-no-jquery.js in an Angular SPA.
After I'm logging in and after being redirected to my redirectUri (which is /) I'm getting this error:
ERROR Error: Uncaught (in promise): AuthSdkError: Unable to parse a token from the url.
I'm using the method handleAuthentication() from OktaAuthService so I've followed the flow and it seems that the problem is at

PS: if I'm doing something wrong please tell me. My widget configuration is minimal: only baseUrl is set. Maybe there are more params to set?

Thank you!

If you pass pass OAuth options (such as authorizeUri or issuer) to getWithoutPrompt, they are ignored.

The reason is the underlying getOAuthUrls method only looks at the third options parameter for those options. See: https://github.com/okta/okta-auth-js/blob/master/lib/oauthUtil.js#L128-L134

I'm not sure if this is by-design or a bug, but it confused me.

Hi, when we call auth.session.setCookieAndRedirect the user is shown a welcome page where they have to set a security question and answer and choose an image.

We are not expecting this screen to show as this information was captured during the registration process (except the image).

What is causing this screen to appear? How can we stop it?

Thanks
Jenna

In the code of TokenManager I see the option of storing the token in sessionStorage instead of localStorage. I'm not sure how to set the options to accomplish this?

In lib/token.js on line 231 you are calling verifyToken as follows.

Thanks!

Currently says Copyright (c) 2015-2016, Okta, Inc. and/or its affiliates. All rights reserved.

The parseFromUrl function includes token signature verification and validation.

(parseFromUrl -> handleOAuthResponse -> verifyToken)

This should be indicated in the documentation so that developers are clear that they don't need to manually verify/validate the tokens on their own.

I am implementing some polling using the sdk to determine if the Okta session is still active:

setInterval(function() {                                                                                           
    authClient.session.exists().then(exists => {                                                                   
        if (!exists) {                                                                                                     
            alert("Session doesn't exist.");                                                                       
        }                                                                                                          
    ).catch(() => {                                                                                               
        console.log("error checking session");                                                                     
    });                                                                                                            
}, 5000);   

This works fine when the browser tab in which this code is running is the active tab. (Fine being that my Okta session is active and exists is true). However, when I change to a different tab, the promise begins resolving with a value of false for exists (despite my Okta session still being active), so that when I return to the tab, I have an alert 'Session doesn't exist' showing in the tab. This is obviously not ideal if you are trying to determine if a user needs to re-authenticate.

Here is some sample code to reproduce the problem:

Note that http://localhost:8080 will need to be a trusted origin for CORS in your Okta tenant.

index.html:

<!doctype html>                                                                                                                    
<html>                                                                                                                  
<head>                                                                                                                  
    <title>Okta-Auth-Js Test</title>                                                                                    
                                                                                                                        
    <meta charset="utf-8">                                                                                              
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">                               
</head>                                                                                                                 
<body>                                                                                                                  
    <div id="shell">                                                                                                    
        Hello World                                                                                                     
    </div>                                                                                                              
    <script type="text/javascript" src="https://ok1static.oktacdn.com/assets/js/sdk/okta-auth-js/1.17.0/okta-auth-js.min.js"></scri
    <script type="text/javascript">                                                                                     
        // Get session                                                                                                  
        const authClient = new OktaAuth({                                                                               
            url: "<okta-url>",                                                                 
            clientId: "<client-id>"                                                          
        });                                                                                                             
                                                                                                                        
        // Note, this requires an active user session in Okta.                                                          
        setInterval(function() {                                                                                        
            authClient.session.exists().then(exists => {                                                                
                if (!exists) {                                                                                          
                    alert("Session doesn't exist.");                                                                       
                }                                                                                                          
            }).catch(() => {                                                                                               
                console.log("error checking session");                                                                     
            });                                                                                                            
        }, 5000);                                                                                                          
                                                                                                                           
    </script>                                                                                                              
</body>                                                                                                                    
</html>

server.js

var http = require('http');                                                                                                
var fs = require('fs');                                                                                                    
                                                                                                                           
http.createServer(function (req, res) {                                                                                    
    fs.readFile('./index.html', function(error, content) {                                                                 
        res.writeHead(200, { 'Content-Type': 'text.html' });                                                               
        res.end(content, 'utf-8');                                                                                                 
    });                                                                                                                    
}).listen(8080);    

Place both files in the same directory and run with node server.js.

Any insight or help would be appreciated, thanks!

I get this when trying to start my node app. Not sure where to go from here.

/home/ubuntu/node_modules/@okta/okta-auth-js/lib/http.js:9
var httpCache = storageBuilder(localStorage, config.CACHE_STORAGE_NAME);
^
ReferenceError: localStorage is not defined

Hi,

Can you please confirm how your token manager refreshes tokens?

I note in the documentation it states the following.

When a token is added to the tokenManager, it is automatically refreshed when it expires.

Does this mean you allow it to expire before refreshing? Is there a small gap where a user is using our app with an expired token? Or are we supposed have a timer and manually refresh them before expiry?

Also, does refreshing a token also refresh a users session? I'm a little confused when a session expires because to my understanding we need it in order to refresh tokens.

Thanks,
Jenna

We have a Javascript application that seems to have login issues with Safari on iOS 9. We don't have a specific error (seems like sign in function isn't working) but I do know iOS 10+ works and all other browsers we support seem to be working fine. Does anyone know if this is a known issue or of a possible fix/workaround? Thanks!

Reported by a customer:

IE Edge has an issue with JSON parse. responseText could be null which would case an exception with JSON.parse down below.

  res = resp.responseText;
  if (res && util.isString(res)) {
    res = JSON.parse(res);
  }

Our fix -> res = resp.responseText ? resp.responseText : resp;

getWithRedirect function is creating a cookie with stringified JSON object which results in invalid double quote characters in the cookie which are not allowed as per RFC 6265 and are causing issues.

Can you please encode the stringified JSON object (e.g. in base64 or via encodeURIComponent) before storing it in the cookie?

Thanks in advance for your support.

My development environment running at http://localhost:3000, the callback also set to http://localhost:3000/implicit/callback. However, I am receiving an error related to the Access-Control-Allow-Origin header when calling https://domain.oktapreview.com/oauth2/default/v1/keys API

Failed to load https://domain.oktapreview.com/oauth2/default/v1/keys: The 'Access-Control-Allow-Origin' header has a value 'https://myapp.example.com' that is not equal to the supplied origin. Origin 'http://localhost:3000' is therefore not allowed access.

Note, I am running two different environments, once at http://localhost:3000 and another one at https://myapp.example.com. I have already logged at https://myapp.example.com, so I think Okta is getting cached origin somewhere instead of the current login context.

This issue happens when I upgraded to the latest okta version 1.0.3, it does not appear in the previous version 1.0.1

This would allow the project to be easily used in a TypeScript project (e.g. Angular or Ionic).

More info: https://www.thepolyglotdeveloper.com/2016/05/add-type-definitions-external-javascript-library-typescript/

Ionic uses a NavController instead of Angular Router. Attached is the error that happens when you try to use Okta's Angular SDK in an Ionic project.

I should be able to configure Auth.js for OIDC in this way:

var config = {
  url: 'https://{yourOktaDomain}',
  authorizationServer: 'default'
}

We can add this as an enhancement, where specifying an authorizationServer will automatically configure issuer under the hood:

issuer = url + '/' + authorizationServer

Hello, great library! I've got it setup to use the Session based OIDC flow with Silent refresh. It's working great on all browsers but safari...the initial getWithoutPrompt call to exchange the sessionToken for a session icookie is not correctly setting a session cookie from our okta instance, presumably because of Safari's restrictive iframe/cookie policies. The tokens are returned properly as expected.

Just wondering if there's a workaround for this or any additional insight!

Thanks,

Nick

Hi all,

We have an issue with the redirection from OKTA cu the application (kibana). If we execute the IP address directly, it redirects to okta, after authentication we get redirected to kibana and everything works fine.
The problem we experience is when we login to okta and execute the link to the kibana application, it redirects to http://10.100.2.55/auth/saml/callback and fails with the following message:

SAML:

POST ->
POST http://10.100.2.55/auth/saml/callback HTTP/1.1
Host: 10.100.2.55
HTTP/1.1 302 Moved Temporarily
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.12.2 Date: Mon, 15 Jan 2018 10:25:25 GMT Content-Type: text/html;charset=utf-8 Content-Length: 0 Connection: keep-alive Location: http://127.0.0.1:3311/
GET ->
GET http://127.0.0.1:3311/ HTTP/1.1
Host: 127.0.0.1:3311
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Basically the redirection goes to 127.0.0.1:3311. But if we execute the IP of the machine directly, okta authentication is done and we get redirected to the Kibana UI without any issue.

Any ideas how we could debug this ?

Thanks

Purpose of this is to introduce another pattern for developers to detect states for authn transactions. This is useful for doing something custom, like detect MFA, send state token to another page to handle MFA.

client.on("password-warn", function(data){

})

When we are using the token.getWithoutPrompt method from the OktaAuth object to request a new access token with a specific scope for the user we are getting an OAuth flow timed out error message. It appears that in the method addPostMessageListener/responseHandler from token.js e.origin never matches the sdk.options.url that we are using causing the handler to return without resolving the promise. If I comment out the validation of the origin we get the new access token.

Does the validation need to be modified to make sure that the sdk.options.url includes the value of e.origin or is there something that we are doing wrong when setting up our OktaAuth object?

For example when debugging we will see values like the following.
e.origin = https://some.oktapreview.com
sdk.options.url = https://some.oktapreview.com/oauth2/{authorization_server_id}

Method from okta-auth-js.min.js / token.js

function addPostMessageListener(sdk, timeout, state) {
  var deferred = Q.defer();
   function responseHandler(e) {
    if (!e.data ||
        e.origin !== sdk.options.url ||
        (e.data && util.isString(state) && e.data.state !== state)) {
      return;
    }
    deferred.resolve(e.data);
}

  oauthUtil.addListener(window, 'message', responseHandler);

  return deferred.promise.timeout(timeout || 120000, new AuthSdkError('OAuth flow timed out'))
    .fin(function() {
      oauthUtil.removeListener(window, 'message', responseHandler);
    });
}

Our script to make the request…

var authClient = new OktaAuth({
	url: 'https://some.oktapreview.com/oauth2/{authorization_server_id}', //using a specific auth server
	clientId: clientID,
	redirectUri: redirectURL
})

authClient.token.getWithoutPrompt({
	responseType: 'token',
	responseMode: 'fragment',
	scopes: ['newScope'] 
})
.then(function(tokenOrTokens) {
	console.log('Token',tokenOrTokens);
})
.catch(function(err) {
	console.log('Err',err);
});

Thanks

I'm getting a Cannot use 'in' operator to search for 'window' in undefined error on my browser. I've traced it back to ded/reqwest#259 and one of the workarounds was to set modules to false. However, if you are using React you most likely have this turned on. Can you guys update your reqwest dependency?

Hi all,

I'm having a weird problem that only happens on IE when using TokenManager on 2 different apps on 2 subdomains. The problem is as follows

1. Login subdomain1, on IE this creates a cookie "okta-token-storage" with the session information
2. SSO into subdomain2, token manager will pick it and save a new cookie for that subdomain
3. Log out from subdomain1, (which should log out from all apps)
4. Log again with another user name into subdomain1, works great
5. SSO into subdomain2, and you are logged in with the old user, as the cookie for the token manager was never erased for that subdomain.

Any ideas? Looks like the problem is with the domain that's specified on the cookie of the TokenManager. When I call the function to clean up the TokenManager, it only deletes the cookie for the current domain. As chrome and other browsers uses local and session storage this problem doesn't happen there.
I went through the code but couldn't find a way to set the domain for the cookie.

Thanks

Hello,

We have discovered that ios10 and lower in private browsing has issues correctly detecting if localStorage, sessionStorage is available or not.

storageUtil.getHttpCache = function() {
  if (storageUtil.browserHasLocalStorage()) {
    return storageBuilder(storageUtil.getLocalStorage(), config.CACHE_STORAGE_NAME);
  } else if (storageUtil.browserHasSessionStorage()) {
    return storageBuilder(storageUtil.getSessionStorage(), config.CACHE_STORAGE_NAME);
  } else {
    return storageBuilder(storageUtil.getCookieStorage(), config.CACHE_STORAGE_NAME);
  }
};

storageUtil.getLocalStorage = function() {
  return localStorage;
};

iOS10 getLocalStorage, getSessionStorage returns true in private mode, but you can not write to it. This ends up breaking the whole library.

I need to implement the Authorization Code flow in a professional app which is using Okta, Okta verify, PKCE , and the Authorization Code Flow.

The okta-auth-js library does not actually allows to retrieve a code from a client id and a challenge.

Navigated to http://outstanding-auth.surge.sh/
22:06:50.522 (index):58 fingerprint
22:06:52.037 (index):65 n {name: "AuthSdkError", message: "Unable to parse iframe response", errorCode: "INTERNAL", errorSummary: "Unable to parse iframe response", errorLink: "INTERNAL", …}errorCauses: []errorCode: "INTERNAL"errorId: "INTERNAL"errorLink: "INTERNAL"errorSummary: "Unable to parse iframe response"message: "Unable to parse iframe response"name: "AuthSdkError"proto: Error
at Object. (http://outstanding-auth.surge.sh/okta-auth-js.min.js:44:27276)
at t (http://outstanding-auth.surge.sh/okta-auth-js.min.js:13:326)
at Object. (http://outstanding-auth.surge.sh/okta-auth-js.min.js:44:27043)
at t (http://outstanding-auth.surge.sh/okta-auth-js.min.js:13:326)
at Object. (http://outstanding-auth.surge.sh/okta-auth-js.min.js:44:25950)
at t (http://outstanding-auth.surge.sh/okta-auth-js.min.js:13:326)
at Object. (http://outstanding-auth.surge.sh/okta-auth-js.min.js:44:22559)
at t (http://outstanding-auth.surge.sh/okta-auth-js.min.js:13:326)
at Object. (http://outstanding-auth.surge.sh/okta-auth-js.min.js:44:20873)
at t (http://outstanding-auth.surge.sh/okta-auth-js.min.js:13:326)
22:06:52.040 VM7566:1 XHR failed loading: POST "https://dev-217923.oktapreview.com/api/v1/internal/device/nonce".

Introduction

Thanks in advance for your consideration of this ticket!

I am successfully authenticating users through the Okta Developer Platform using the user's Google Identity. Unfortunately, after logging in and logging out, users are not presented with the same login flow through Google a second time and are immediately verified with the identity they used for the previous login.

This is problematic because I am unable to implement logout functionality in case users accidentally authenticate with the wrong google account (or in case I want to test with multiple Google accounts on my computer associated with different permissions / group membership).

Example flow

1. I log in with our custom "sign in with Google" button
2. I am presented with a pop-up of all my google identities to choose one for Okta verification
3. I select [email protected]
4. My client application receives access and id tokens for [email protected] from Okta. Rejoice!
5. I realize that I didn't actually want to sign in with [email protected], because that is my personal, non-work email, and I (correctly) don't have permissions associated with [email protected]
6. I logout (eg, clear okta-managed local storage)
7. I log in again with our custom "sign in with Google" button
8. A pop-up window opens for a split second, presents no options, and then closes
9. My client application receives access and id tokens for [email protected] from Okta. Dismay!

Code example

Hopefully the code examples below help you understand implementation I'm basing this ticket on.

import OktaAuth from '@okta/okta-auth-js'

// config
const GOOGLE_OAUTH_OPTIONS = {
  url: `https://${process.env.OKTA_DOMAIN}`,
  issuer: `https://${process.env.OKTA_DOMAIN}/oauth2/${process.env.OKTA_AUTH_SERVER_ID}`,
  clientId: `${process.env.OKTA_CLIENT_ID}`,
  responseType: [ 'id_token', 'token' ],
  scopes: [ 'openid', 'email', 'profile' ],
  redirectUri: 'myurl',
  idp: process.env.GOOGLE_CLIENT_ID,
}
const authClient = new OktaAuth(GOOGLE_OAUTH_CREDENTIALS)

// login
// this presents options for user selection on initial login
// but the second consecutive login attempt does not present user selection options
authClient.token.getWithPopup(GOOGLE_OAUTH_OPTIONS)
  .then(tokens => {
    const [ idToken, accessToken ] = tokens
    authClient.tokenManager.add('platform-id-token', idToken)
    authClient.tokenManager.add('platform-access-token', accessToken)
    return { idToken, accessToken }
  })

// logout
authClient.tokenManager.clear()