Okta Classic Engine | Authentication | Answered | 2024-04-16T09:52:30.000Z | 2022-08-15T19:29:30.000Z | 2022-08-18T07:14:07.000Z

p8d3g (p8d3g) asked a question.

Okta OpenID Connect Authentication for Red Hat Satellite/The Foreman

Red Hat's documentation only covers OIDC authentication against Red Hat SSO/Keycloak. I have been attempting to adapt the process to Okta, with only minor success.

 

I went into Okta and created a new OIDC app and set the Sign-in redirect URIs to match what Keycloak would have used.

 

In Satellite I have the following settings,

Authorize login delegation: Yes

OIDC JWKs URL: https://[domain].okta.com/oauth2/v1/keys

OIDC Issuer: https://[domain].okta.com

OIDC Algorithm: RS256

OIDC Audience: [Client ID from Okta app configuration]

 

The error I am getting in the Satellite production.log is

'Failed to decode JWT' error (JWT::DecodeError): Could not find public key for kid [cypher text]

 

Any help sorting out this issue will be greatly appreciated.

 

Jeremy

 


  • Hi @p8d3g (p8d3g), thank you for reaching out to the Okta Community!

     

    I've checked my resources and there is no documented instance of this type of implementation. At best there are some references to RedHat Portal/Customer Portal SWA apps, but those don't help here. 

    My advice would be to reach out to the devforum.okta.com to take advantage of their expertise.  

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products. Of course, Community input is always welcomed and encouraged, if anyone else has come across this. 

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

  • p8d3g (p8d3g)

    I posted over at devforum.okta.com as you suggested, and waiting to hear something back.

     

    In the meantime I have learned a little more about how OIDC works, and captured the OIDC access token passed from Okta to the Satellite service. I then separated it into its three parts and base64 decoded the header section.

     

    The kid listed in that header matches what is in my production.log, however it is not listed at https://[domain].okta.com/oauth2/v1/keys. Is this the correct OIDC JWKs url?

     

    I feel like I'm missing something small and once I get it this will all work.

     

    Thank you again,

     

    Jeremy

This question is closed.
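
The check described in the last post (split the token into its three parts, base64-decode the header, compare its kid with the keys published at the JWKs URL), written out as an added example that is not part of the original thread. The sample token, JWKS, issuer and audience values are constructed, and `diagnose` is a hypothetical helper name; it also compares the token's `iss` and `aud` claims with the configured OIDC Issuer and OIDC Audience.

```python
import base64
import json


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token: str, jwks: dict, issuer: str, audience: str) -> dict:
    """Compare an unverified token's kid/iss/aud with the verifier's settings.
    Diagnosis only: no signature check, so never use it to authenticate."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    kid = header.get("kid")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a list
    published = [k.get("kid") for k in jwks.get("keys", [])]
    return {
        "kid": kid,
        "alg": header.get("alg"),
        "kid_published": kid is not None and kid in published,
        "iss_matches": claims.get("iss") == issuer,
        "aud_matches": audience in aud_list,
        "token_iss": claims.get("iss"),
    }


def _seg(obj: dict) -> str:
    """Build an unpadded base64url segment for the constructed sample."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data, not taken from the thread.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-published-1", "use": "sig"}]}
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "kid": "key-not-published"}),
    _seg({"iss": "https://idp.example/other", "aud": "client-123"}),
    "c2lnbmF0dXJl",  # placeholder signature bytes, never verified here
])

if __name__ == "__main__":
    report = diagnose(SAMPLE_TOKEN, SAMPLE_JWKS, "https://idp.example", "client-123")
    print(json.dumps(report, indent=2))
```

To run it on a real case, pass the captured token and the JSON document fetched from the configured JWKs URL. When `iss_matches` is false, the token names a different issuer than the one configured, so that issuer's key set is the one to compare against.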