astuto / astuto

A free, open source, self-hosted customer feedback tool 🦊

Okta OIDC integration fail

nt-riken opened this issue · comments

I just set the OAuth provider in SITE SETTING/Authentication with Okta. Call to /authorize returns 400 and authentication does not proceed.
After a little research, I found that 400 is returned if the state parameter contains "|".

% curl -X GET -s -o /dev/null -w "%{http_code}"  'https://OKTA_DOMAIN/oauth2/v1/authorize?client_id=CLIENT_ID&response_type=code&scope=openid&redirect_uri=http%3A%2F%2FASTUTO_ADDR%3A3000%2Fo_auths%2F1%2Fcallback&state=test'
200%
 % curl -X GET -s -o /dev/null -w "%{http_code}"  'https://OKTA_DOMAIN/oauth2/v1/authorize?client_id=CLIENT_ID&response_type=code&scope=openid&redirect_uri=http%3A%2F%2FASTUTO_ADDR%3A3000%2Fo_auths%2F1%2Fcallback&state=test|'
400%

Hi nt-riken, thanks for reaching out!

This is really strange, maybe we should change the "|" separator used by Astuto (which is used to separate the "reason" part, i.e. if we're logging in or doing an OAuth test in site settings, and the "token" which is used for security purposes).

What other character can we use as a separator? Maybe ";"? Do you have any suggestions?

Thank you for the response!

I checked and the results are:
400 .. |
200 .. ; + - * :

I don't know the OIDC spec well.. but it looks like Okta thinks "|" has a special meaning..??

I changed the separator from "|" to "-"; try it and see if it works now!
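As an added illustration of the fix discussed above (this is example code, not Astuto's own implementation), the snippet below builds a `state` value of the form `<reason>-<token>`, restricts it to RFC 3986 unreserved characters so stricter providers such as Okta accept the authorize request, and verifies the echoed token against the session copy on the callback. The reason names `login` and `test`, the class name and the method names are assumptions made for the example.

```ruby
require 'securerandom'

# Example code (not Astuto's): build and verify an OAuth 2.0 "state" of the
# form "<reason><sep><token>" without characters that some providers reject.

# RFC 3986 "unreserved" characters. RFC 6749 allows any printable ASCII in
# state, but "|" was rejected by Okta with HTTP 400 in this issue, so staying
# inside this set avoids provider-specific parsing surprises.
STATE_SAFE = /\A[A-Za-z0-9._~-]+\z/

class OAuthState
  SEPARATOR = '-'                    # the separator adopted in the thread
  REASONS = %w[login test].freeze    # assumed names for "logging in" / "oauth test"

  # Build the state and return [state, token]; the caller keeps token in the session.
  def self.build(reason)
    raise ArgumentError, "unknown reason #{reason.inspect}" unless REASONS.include?(reason)
    token = SecureRandom.hex(16)     # hex output can never contain the separator
    state = "#{reason}#{SEPARATOR}#{token}"
    raise "state has provider-unsafe characters: #{state}" unless state.match?(STATE_SAFE)
    [state, token]
  end

  # Parse a state echoed back on the callback. Returns [reason, token] or nil.
  def self.parse(state)
    return nil unless state.is_a?(String) && state.match?(STATE_SAFE)
    reason, token = state.split(SEPARATOR, 2)
    return nil unless REASONS.include?(reason) && token && !token.empty?
    [reason, token]
  end

  # Verify the echoed state against the token stored before the redirect.
  # This is the CSRF check the token exists for; returns the reason or nil.
  def self.verify(state, session_token)
    parsed = parse(state)
    return nil if parsed.nil? || session_token.nil?
    reason, token = parsed
    secure_equal?(token, session_token) ? reason : nil
  end

  # Constant-time comparison so a mismatch does not leak where it differs.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```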

It worked! Thank you so much!!

Happy to hear that! I'm closing the issue now