Authorize with a custom authorization server id #336

Open
ValentinOUI opened this issue Nov 29, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@ValentinOUI

Describe the bug?

Hi.

I am using a Custom Authorization Server as described here, so according to the doc the authorization URL needs to look like this

https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/authorize

However, after trying different combinations between the issuer and the discoveryUri, the authorize URL remains /oauth2/v1/authorize?scope=custom_scope&response_type=...

What is the correct way to add an authorization server id in the authorize endpoint?

Many thanks for the help

What is expected to happen?

Add a field to the configuration to add a custom authorization server id, or do not remove it from the discovery URI when we try to set it.

What is the actual behavior?

I have an error with "illegal_custom_scope".

Reproduction Steps?

1. Configure Okta

```js
await createConfig({
  clientId: ENV.OKTA_CLIENT_ID,
  redirectUri: ENV.OKTA_REDIRECT_URI,
  endSessionRedirectUri: ENV.OKTA_END_SESSION_REDIRECT_URI,
  issuer: ENV.OKTA_ISSUER,
  discoveryUri: ENV.OKTA_DISCOVERY_URI,
  scopes: ENV.OKTA_REQUESTED_SCOPES,
  requireHardwareBackedKeyStore: ENV.OKTA_REQUIRED_HARDWARE_BACKED_KEY_STORE,
  browserMatchAll: true,
});
```

with the issuer and discovery URI correctly set according to the documentation.
In my case both the issuer and the discovery URI look like https://{myOktaDomain}/oauth2/${authorizationServerId}

2. Try sign in with browser

```js
await signInWithBrowser();
```

Additional Information?

No response

SDK Version

Latest

Build Information

No response

ValentinOUI added the "bug" label Nov 29, 2022
@mikenachbaur-okta
Collaborator

Thank you for reaching out @ValentinOUI. The SDK uses the supplied discovery URL to retrieve the OIDC configuration for your authorization server before initiating login. You can validate settings are correct by appending /.well-known/openid-configuration to your discovery URL to check those values for yourself.

Alternatively, you could try removing the "issuer" parameter, and just supply the "discoveryUri".
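One way to perform the check described in the comment above before passing a discovery URI to createConfig(): fetch the metadata document and confirm that its authorization_endpoint actually points at the custom authorization server. This is an added example, not the Okta SDK's own code; the domain, the authorization server id and both metadata documents are constructed placeholders.

```javascript
// Added example (not the Okta SDK's code). Validates that the OIDC metadata
// behind a discoveryUri belongs to the custom authorization server whose id
// we expect, so a misconfiguration is caught before the browser login starts.

// Build the metadata URL the SDK fetches, tolerating a trailing slash.
function wellKnownUrl(discoveryUri) {
  return discoveryUri.replace(/\/+$/, '') + '/.well-known/openid-configuration';
}

// Compare a fetched metadata document against the expected authorization
// server id. Returns a list of problems; an empty list means it is consistent.
function checkDiscoveryDocument(discoveryUri, doc, authorizationServerId) {
  const problems = [];
  const base = discoveryUri.replace(/\/+$/, '');
  const expectedPath = `/oauth2/${authorizationServerId}/v1/authorize`;

  if (doc.issuer !== base) {
    problems.push(`issuer "${doc.issuer}" does not match discoveryUri "${base}"`);
  }
  let authPath;
  try {
    authPath = new URL(doc.authorization_endpoint).pathname;
  } catch (e) {
    problems.push(`authorization_endpoint is not a valid URL: ${doc.authorization_endpoint}`);
    return problems;
  }
  if (authPath !== expectedPath) {
    // /oauth2/v1/authorize is the org authorization server; scopes defined on
    // a custom authorization server are not available there.
    problems.push(`authorization_endpoint path "${authPath}" is not "${expectedPath}"`);
  }
  return problems;
}

// Constructed sample: metadata as served by a custom authorization server
// (ausExampleServerId is a placeholder id, example.okta.com a placeholder domain).
const customServerDoc = {
  issuer: 'https://example.okta.com/oauth2/ausExampleServerId',
  authorization_endpoint: 'https://example.okta.com/oauth2/ausExampleServerId/v1/authorize',
};
// Constructed sample: metadata as served by the org authorization server.
const orgServerDoc = {
  issuer: 'https://example.okta.com',
  authorization_endpoint: 'https://example.okta.com/oauth2/v1/authorize',
};

console.log(wellKnownUrl('https://example.okta.com/oauth2/ausExampleServerId/'));
console.log(checkDiscoveryDocument('https://example.okta.com', orgServerDoc, 'ausExampleServerId'));
```

In a real check, replace the constructed documents with the JSON returned by fetching wellKnownUrl(discoveryUri).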

@ValentinOUI
Author

Hello @mikenachbaur-okta and thank you for your answer.

Thanks for the /.well-known/openid-configuration tip. I managed to get it working via Postman, as well as the authorize endpoint, by setting everything correctly including the authorization server id.

But when I try with the SDK, the requested URL still looks like /oauth2/v1/authorize? despite appending the auth server id in my discovery URI and removing the issuer in my parameters.
