
ToddL.12257 (Customer) asked a question.
I'm trying to get 'Hello, World'-style traction on SSO with Okta. I'm new to SSO, OIDC, Okta, all of it, but I've been reading a lot.
I'm using omniauth_okta (Ruby gem, v0.1.1). Everything seems to be working up to and including the point where an access token is obtained via:
#<struct Faraday::Request method=:post, path="https://dev-xxx.okta.com/oauth2/default/v1/token", params={}, headers={"User-Agent"=>"Faraday v0.17.3", "Content-Type"=>"application/x-www-form-urlencoded"}, body={"client_id"=>"<CLIENT_ID>", "client_secret"=>"<CLIENT_SECRET>", "grant_type"=>"authorization_code", "code"=>"<CODE>", :redirect_uri=>"http://sm.cc:3000/users/auth/okta/callback"}, options=#<Faraday::RequestOptions (empty)>>
But when the access token is used for the userinfo request...
#<struct Faraday::Request method=:get, path="https://dev-xxx.okta.com/oauth2/v1/userinfo", params={}, headers={"User-Agent"=>"Faraday v0.17.3", "Authorization"=>"Bearer <ACCESS_TOKEN>"}, body=nil, options=#<Faraday::RequestOptions (empty)>>
...the response is 401:
Bearer authorization_uri="http://dev-xxx.okta.com/oauth2/v1/authorize", realm="http://dev-xxx.okta.com", scope="openid", error="invalid_token", error_description="The access token is invalid.", resource="/oauth2/v1/userinfo"
If the access token were truly invalid, I'd still be thrashing away, trying to figure out why. But it *is* valid, according to jwt.io (and omniauth_okta thinks so, too). And so I'm stuck.
Couple extra details:
The docs (https://developer.okta.com/docs/reference/api/oidc/#userinfo) call for a POST request. omniauth_okta is hardwired to request userinfo by GET. It doesn't seem to matter, though. I tried curling a POST, and the response was the same.
Also, I did look at API / System Log. Nothing there but successes. In chronological order:
* OAuth2 authorization code request -- success
* OAuth2 id token is granted -- success
* User single sign on to app -- success
* OAuth2 access token is granted -- success
Absent is any error related to the failure of the userinfo request.
Can anyone please point me in a direction, here? Any help greatly appreciated!

Okta support got me going in the right direction on this.
The problem was that the current latest release of omniauth_okta, v0.1.1, hardcodes the userinfo path:
  # omniauth_okta v0.1.1, lib/omniauth/strategies/okta.rb
  def raw_info
    # The path is fixed to the org authorization server's userinfo endpoint,
    # so it never reaches /oauth2/{auth_server}/v1/userinfo on a custom server.
    @_raw_info ||= access_token.get('/oauth2/v1/userinfo').parsed || {}
  rescue ::Errno::ETIMEDOUT
    raise ::Timeout::Error
  end
In my case, I'm having to use a custom auth server, which has endpoints like '/oauth2/{auth_server}/v1/endpoint', and the hardcoded userinfo endpoint '/oauth2/v1/userinfo' is inconsistent with that.
There's an unreleased v0.1.2 of omniauth_okta that addresses this. I pointed my Gemfile at that specific commit and was good to go.
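A way to derive the userinfo endpoint from the authorization server that minted the token, rather than hardcoding it, and to catch the mismatch above before the request goes out. This is an added illustration, not code from omniauth_okta, from the unreleased v0.1.2, or from the poster. The helper names, the dev-xxx hostnames and the sample token are made up for the example; the issuer layout it relies on (bare org URL for the org authorization server, https://{org}/oauth2/{auth_server} for a custom one) is taken from Okta's documentation and is stated as an assumption in the code.

```ruby
require 'base64'
require 'json'
require 'uri'

# Added example, not omniauth_okta's own code.
# Okta's org authorization server serves its endpoints under /oauth2/v1/...,
# a custom authorization server under /oauth2/{auth_server}/v1/..., and each
# server only accepts access tokens it minted. The helpers below derive the
# right userinfo endpoint instead of hardcoding '/oauth2/v1/userinfo'.

# Derive the userinfo endpoint from the token endpoint the token came from.
# Pure string manipulation on the URL: the two live side by side under the
# same /v1/ prefix on both the org server and custom servers.
def userinfo_url_for(token_url)
  uri = URI.parse(token_url)
  raise ArgumentError, "not an Okta token endpoint: #{token_url}" unless uri.path.end_with?('/v1/token')
  uri.path = uri.path.sub(%r{/v1/token\z}, '/v1/userinfo')
  uri.query = nil
  uri.to_s
end

# Decode a JWT payload WITHOUT verifying the signature, the way jwt.io shows
# it. Enough to read claims such as `iss`; it says nothing about validity.
def jwt_claims(jwt)
  parts = jwt.split('.')
  raise ArgumentError, 'not a compact JWS' unless parts.length == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# The userinfo endpoint an access token is actually good for, derived from
# its `iss` claim. Assumption (Okta's documented layout): the org server's
# issuer is the bare org URL with endpoints under /oauth2/v1; a custom
# server's issuer is https://{org}/oauth2/{auth_server} with endpoints
# under {iss}/v1.
def userinfo_url_for_issuer(iss)
  iss = iss.chomp('/')
  base = URI.parse(iss).path.empty? ? "#{iss}/oauth2" : iss
  "#{base}/v1/userinfo"
end

# Pre-flight check to run before calling userinfo: returns nil when the token
# and the endpoint belong to the same authorization server, otherwise a
# message explaining the mismatch that Okta reports as invalid_token.
def userinfo_mismatch(access_token, userinfo_url)
  iss = jwt_claims(access_token)['iss']
  expected = userinfo_url_for_issuer(iss)
  return nil if expected == userinfo_url
  "token was issued by #{iss}; call #{expected}, not #{userinfo_url}"
end

# Constructed sample token: header and payload are real base64url JSON, the
# signature is a placeholder, so it would fail verification anywhere.
def sample_access_token(iss)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  header  = enc.call('alg' => 'RS256', 'typ' => 'JWT')
  payload = enc.call('iss' => iss, 'aud' => 'api://default', 'scp' => %w[openid profile])
  "#{header}.#{payload}.placeholder-signature"
end

if __FILE__ == $PROGRAM_NAME
  token_url = 'https://dev-xxx.okta.com/oauth2/default/v1/token'
  token = sample_access_token('https://dev-xxx.okta.com/oauth2/default')
  puts userinfo_url_for(token_url)
  # What v0.1.1 does: custom-server token sent to the org server's endpoint.
  puts userinfo_mismatch(token, 'https://dev-xxx.okta.com/oauth2/v1/userinfo')
  puts userinfo_mismatch(token, userinfo_url_for(token_url)).inspect
end
```

The `iss` check is a diagnostic, not token validation: jwt.io showing a well-formed, correctly signed token says nothing about which server will accept it, which is exactly why the System Log shows only successes while userinfo returns 401.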