Okta OIDC integration fail
nt-riken opened this issue · comments
I just set the OAuth provider in SITE SETTING/Authentication with Okta. Call to /authorize returns 400 and authentication does not proceed.
After a little research, I found that 400 is returned if the state parameter contains "|".
% curl -X GET -s -o /dev/null -w "%{http_code}" 'https://OKTA_DOMAIN/oauth2/v1/authorize?client_id=CLIENT_ID&response_type=code&scope=openid&redirect_uri=http%3A%2F%2FASTUTO_ADDR%3A3000%2Fo_auths%2F1%2Fcallback&state=test'
200%
% curl -X GET -s -o /dev/null -w "%{http_code}" 'https://OKTA_DOMAIN/oauth2/v1/authorize?client_id=CLIENT_ID&response_type=code&scope=openid&redirect_uri=http%3A%2F%2FASTUTO_ADDR%3A3000%2Fo_auths%2F1%2Fcallback&state=test|'
400%
Hi nt-riken, thanks for reaching out!
This is really strange, maybe we should change the "|" separator used by Astuto (which is used to separate the "reason" part, i.e. whether we're logging in or doing an OAuth test in site settings, and the "token", which is used for security purposes).
What other character can we use as a separator? Maybe ";"? Do you have any suggestions?
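Added example (not Astuto's own code): how a "reason" and a CSRF token can be packed into the OAuth `state` parameter with a single-character separator and verified on the callback. The helper names, the `-` separator and the allowed reasons `login` and `test` are assumptions for illustration; the separator is chosen so that it never appears in either part, which is what makes the split unambiguous.

```ruby
require 'securerandom'

# Separator between the "reason" and the anti-CSRF token inside the state value.
# Assumption for this example: '-' (the thread reports Okta returns 200 for it).
STATE_SEPARATOR = '-'.freeze

# Only these reasons are accepted, so the reason part can never contain the
# separator and cannot be used to smuggle arbitrary text through the callback.
ALLOWED_REASONS = %w[login test].freeze

# RFC 6749 Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E (printable ASCII).
# A provider may still reject some of these characters, as Okta does with "|".
def rfc6749_state_chars?(state)
  !state.empty? && state.each_byte.all? { |b| b.between?(0x20, 0x7E) }
end

# Build "<reason><sep><token>". SecureRandom.hex only yields [0-9a-f], so the
# token itself can never contain the separator either.
def build_state(reason, token = SecureRandom.hex(16))
  raise ArgumentError, "unknown reason #{reason.inspect}" unless ALLOWED_REASONS.include?(reason)
  raise ArgumentError, 'token must not contain the separator' if token.include?(STATE_SEPARATOR)
  state = "#{reason}#{STATE_SEPARATOR}#{token}"
  raise ArgumentError, 'state contains characters outside RFC 6749 VSCHAR' unless rfc6749_state_chars?(state)
  state
end

# Constant-time byte comparison so a mismatch does not leak where it occurred.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the state echoed back by the provider against the token the server
# stored in the session before redirecting. Returns the reason on success and
# nil on any mismatch or malformed value (CSRF protection, RFC 6749 section 10.12).
def verify_state(returned_state, expected_token)
  return nil if returned_state.nil? || expected_token.nil?
  # split with limit 2: only the first separator is significant
  reason, token = returned_state.split(STATE_SEPARATOR, 2)
  return nil unless ALLOWED_REASONS.include?(reason) && token
  return nil unless secure_equal?(token, expected_token)
  reason
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16)         # would be stored in the session
  state = build_state('login', token)  # sent in the /authorize redirect
  puts "state sent:     #{state}"
  puts "verify (same):  #{verify_state(state, token).inspect}"
  puts "verify (other): #{verify_state(state, SecureRandom.hex(16)).inspect}"
end
```

Because the token is generated per request and compared in constant time, a callback carrying a state built by anyone other than this server is rejected regardless of which reason it names.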
Thank you for the response!
I checked and the results are..
400 .. |
200 .. ; + - * :
I don't know the OIDC spec well.. but it looks like Okta thinks "|" has special meaning..??
I changed the separator from "|" to "-", try if it works now!
Happy to hear that! I'm closing the issue now