
5l4j5 (5l4j5) asked a question.
I am trying to enroll an OIDC MFA authenticator. My IDP is written with Duende IdentityServer 7. I can obtain an authentication code, but I am unable to exchange it for an access token over the backchannel. The logs provided by Okta are insufficient to figure out why it's failing.
The documentation is also very unclear. I have reason to believe I might have something wrong in my mapping. See my logs below.
Guides followed:
- https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-idp-authenticator.htm
- https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/main/
[12:54:53 Debug] Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint
ValidatedAuthorizeRequest
{"ClientId": "client.credentials.sample", "ClientName": null, "RedirectUri": "https://dev-65397125.okta.com/oauth2/v1/authorize/callback", "AllowedRedirectUris": ["https://dev-65397125.okta.com/oauth2/v1/authorize/callback"], "SubjectId": "AliceSmith@email.com", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", "RequestedScopes": "openid email", "State": "ZVFmWlA4NkR6YUdoOXpzSFQ1NTZVS1BzcktjZGVtZW1hMHEwUU01WVpzQVdLN1lqYkxESTd3aXgzbkk3and3Mw", "UiLocales": null, "Nonce": "Xd0HP0BPhyPfZ4f9Fk0IbqT4G6jp9DwJ", "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": "AliceSmith@email.com", "SessionId": "1BCA974DE98AF5EE19D36C9594E7D801", "Raw": {"request": "eyJraWQiOiIyX25mVEVZMjVrZmxLY1lfdjUxbVk0Qk52TVpyRndKX3pDQXMyMmRSVDdRIiwiYWxnIjoiUlMyNTYifQ.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.bvwTUMhH7tV9bH95Q-YrOrRPr1DjiDypZ8dleCeRxjT4FP6IKXUVHND3_M5l_VWw42gf7UIb0zElMAJMs8JpIw8vc04BKRY3_3NvCJig7_6ykj-qYtKZ-5njHjW2g6o9tO2dRh0vV3qnQ8N0Xr4z81vQAN1fdUNK-TwWxsGw6Rn7rIlNXz5V5WP8G-wQWgVMLys1pnmH1qmut3ERS2lNjF6Fah1Uoyt_Oe_OsfgXjFDgcCR3Bw2urLyqr_slHBktRqWJIHPEbhAc_ogV3h9sClgwMuiPGXezWMWhhEldkYSINK0nIpTqT_XxEy2jWfD68Y0v4LtvwQUglpRZ1OmNtg", "suppressed_prompt": "login", "state": "ZVFmWlA4NkR6YUdoOXpzSFQ1NTZVS1BzcktjZGVtZW1hMHEwUU01WVpzQVdLN1lqYkxESTd3aXgzbkk3and3Mw", "nonce": "Xd0HP0BPhyPfZ4f9Fk0IbqT4G6jp9DwJ", "client_id": "client.credentials.sample", "redirect_uri": "https://dev-65397125.okta.com/oauth2/v1/authorize/callback", "response_type": "code", "prompt": "login", "scope": "openid email", "login_hint": "AliceSmith@email.com"}, "$type": "AuthorizeRequestValidationLog"}
[12:54:53 Debug] Duende.IdentityServer.ResponseHandling.AuthorizeResponseGenerator
Creating Authorization Code Flow response.
[12:54:53 Information] Duende.IdentityServer.Events.DefaultEventService
{"ClientId": "client.credentials.sample", "ClientName": null, "RedirectUri": "https://dev-65397125.okta.com/oauth2/v1/authorize/callback", "Endpoint": "Authorize", "SubjectId": "AliceSmith@email.com", "Scopes": "openid email", "GrantType": "authorization_code", "Tokens": [{"TokenType": "code", "TokenValue": "****F5-1", "$type": "Token"}], "Category": "Token", "Name": "Token Issued Success", "EventType": "Success", "Id": 2000, "Message": null, "ActivityId": "0HN3K0FCAMQ6R:00000001", "TimeStamp": "2024-05-14T10:54:53.8958910", "ProcessId": 4276, "LocalIpAddress": "::1:5000", "RemoteIpAddress": "::1", "$type": "TokenIssuedSuccessEvent"}
[12:54:53 Debug] Duende.IdentityServer.Endpoints.AuthorizeCallbackEndpoint
Authorize endpoint response
{"SubjectId": "AliceSmith@email.com", "ClientId": "client.credentials.sample", "RedirectUri": "https://dev-65397125.okta.com/oauth2/v1/authorize/callback", "State": "ZVFmWlA4NkR6YUdoOXpzSFQ1NTZVS1BzcktjZGVtZW1hMHEwUU01WVpzQVdLN1lqYkxESTd3aXgzbkk3and3Mw", "Scope": "openid email", "Error": null, "ErrorDescription": null, "$type": "AuthorizeResponseLog"}
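Added example, not from the poster, Duende or Okta: a Python sketch of the back-channel request the relying party makes after the redirect in the log above, exchanging the code for tokens with client_secret_basic, plus a mapping of the standard RFC 6749 section 5.2 error codes to the client-registration check each one points at. The token endpoint URL and secret are placeholders; client_id and redirect_uri are taken from the log; it assumes the RP authenticates with client_secret_basic and that the IdP uses Duende's default /connect/token path.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Constructed placeholders; only client_id and redirect_uri come from the log above.
TOKEN_ENDPOINT = "https://idp.example.test/connect/token"  # Duende default token endpoint path
CLIENT_ID = "client.credentials.sample"
CLIENT_SECRET = "PLACEHOLDER_SECRET"  # secret registered on the Duende Client for this client_id
REDIRECT_URI = "https://dev-65397125.okta.com/oauth2/v1/authorize/callback"

# RFC 6749 section 5.2 error codes and the IdP-side registration check each one suggests.
ERROR_HINTS = {
    "invalid_client": "client authentication failed: wrong client_id/secret, or the IdP expects "
                      "a different client authentication method than the RP sends",
    "invalid_grant": "code rejected: expired, already redeemed, or the redirect_uri here differs "
                     "from the one used in the authorize request",
    "unauthorized_client": "client is not allowed to use grant_type=authorization_code",
    "invalid_scope": "requested scope is not in the client's allowed scopes",
    "invalid_request": "malformed request, e.g. missing code or redirect_uri",
}


def build_token_request(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                        redirect_uri=REDIRECT_URI):
    """Return (headers, form_fields) for the code exchange using client_secret_basic.
    redirect_uri must match the authorize request byte for byte."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {credentials}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return headers, fields


def classify_token_error(response_text):
    """Turn a token endpoint JSON body into a diagnosis string; None means tokens were issued."""
    payload = json.loads(response_text)
    if "access_token" in payload:
        return None
    error = payload.get("error", "unknown")
    hint = ERROR_HINTS.get(error, "unrecognised error code; check the IdP's own log")
    desc = payload.get("error_description")
    return f"{error}: {hint}" + (f" ({desc})" if desc else "")


def exchange_code(code):
    """Perform the exchange for real; needs a fresh code from the IdP's authorize callback."""
    headers, fields = build_token_request(code)
    req = urllib.request.Request(TOKEN_ENDPOINT, data=urlencode(fields).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_token_error(resp.read().decode())
    except urllib.error.HTTPError as err:  # 400/401 responses carry the JSON error body
        return classify_token_error(err.read().decode())
```

Running exchange_code with a code copied from the IdP's own debug log shows the raw error the IdP returns, which the RP-side log does not surface.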

Hello @5l4j5 (5l4j5) Thank you for posting on our Community page!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
Thank you for reaching out to our Community and have a great day!