
Application is throwing "Unauthorized" error after successful openid connection #105

Open
sohemokashi opened this issue Feb 4, 2021 · 7 comments

Comments

@sohemokashi

The code goes to /authorization-code/callback with state and code querystring but throws "Unauthorized" error after successful openid connection.

@denysoblohin-okta
Contributor

Thank you for reporting the issue.
Can you please provide some more information about this issue, such as the error description in the /authorization-code/callback response body?

@MiepjeMadelon

Hi, I think sohemokashi and I are having the same issue, so I'll try to clarify it, especially since I can't really find a solution anywhere.
I was following this tutorial from the guides: https://developer.okta.com/docs/guides/sign-into-web-app/nodeexpress/redirect-to-sign-in/
However, when clicking on the button to go to the login page I get a blank page with only the word 'Unauthorized'. This is from the url: error=access_denied&error_description=User+is+not+assigned+to+the+client+application.

This is my code, I think sohemokashi's code is somewhat similar, or at least there is a chance we have made the same mistake.

const express = require('express');
const session = require('express-session');
const { ExpressOIDC } = require('@okta/oidc-middleware');

const app = express();

// session support is required to use ExpressOIDC
app.use(session({
  secret: 'this should be secure', // use a long random value loaded from configuration, not a literal
  resave: true,
  saveUninitialized: false
}));

const oidc = new ExpressOIDC({
  appBaseUrl: 'insert link here',                      // the base URL this app is served from
  issuer: 'https://{insert link here}/oauth2/default', // Okta org domain plus the authorization server path
  client_id: 'xx',
  client_secret: 'yy',
  loginRedirectUri: 'http://localhost:3000/authorization-code/callback',
  scope: 'openid profile'
});

// ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes
app.use(oidc.router);

// start listening only once the middleware has finished discovering the issuer
oidc.on('ready', () => {
  app.listen(3000);
});

@sohemokashi
Author

sohemokashi commented Mar 5, 2021 via email

@swiftone
Contributor

swiftone commented Mar 5, 2021

@MiepjeMadelon - You may be running against a change in the Okta Admin Console - by the new default, your application does not have any users assigned to it (which would lead to the error message you see - the message is accurate). This change is very recent, and our documentation has not yet caught up to it.

In the Admin Console, you will have to assign users/groups to your application (for example, adding the group "Everyone" to your application will allow all of your users access, but not outside users that haven't been added to your organization).

Let us know if that does or does not address the situation.
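The failure in this thread is only visible in the query string of the redirect back to /authorization-code/callback, while the page itself shows nothing but "Unauthorized". The following is an added example, not code from the issue, the Okta guide or @okta/oidc-middleware: it parses the OAuth error parameters the authorization server appends to that redirect (RFC 6749 section 4.1.2.1), checks the state value on error responses as well as success responses, and turns the "not assigned to the client application" description into the concrete fix given above. The sample redirect URL and its state value are constructed for the example; the Express handler at the end assumes it is mounted on the callback path before oidc.router.

```javascript
// Added example for this thread; not code from the issue, the Okta guide or
// @okta/oidc-middleware. Node.js only (uses the global URL / URLSearchParams).

// Error codes an authorization server may return on the redirect
// (RFC 6749 section 4.1.2.1), with a short operator-facing hint for each.
const ERROR_HINTS = {
  invalid_request: 'the authorization request was malformed or missing a parameter',
  unauthorized_client: 'this client is not allowed to request an authorization code',
  access_denied: 'the server or the user refused the request',
  unsupported_response_type: 'the requested response_type is not supported',
  invalid_scope: 'a requested scope is invalid, unknown or malformed',
  server_error: 'the authorization server hit an internal error',
  temporarily_unavailable: 'the authorization server is overloaded or in maintenance',
};

// Known error_description texts mapped to the concrete fix. The only entry is
// the message quoted in this thread; extend it as you meet others.
const DESCRIPTION_FIXES = [
  {
    pattern: /not assigned to the client application/i,
    fix: 'assign the user, or a group such as Everyone, to this application in the Okta Admin Console',
  },
];

// Classify the URL the browser was redirected to: a usable success response
// (code and state present), an error response with the decoded reason, or a
// malformed callback that must not be handed to the token exchange at all.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get('state');
  // The state check applies to error responses too: a forged error redirect is
  // as easy to send a victim to as a forged code redirect.
  const stateOk = expectedState === undefined || state === expectedState;
  const error = params.get('error');

  if (error !== null) {
    const description = params.get('error_description') || '';
    const match = DESCRIPTION_FIXES.find((d) => d.pattern.test(description));
    return {
      kind: 'error',
      stateOk,
      error,
      description,
      hint: ERROR_HINTS[error] || 'unrecognised error code',
      fix: match ? match.fix : null,
    };
  }
  if (!params.has('code') || state === null) {
    return { kind: 'malformed', stateOk, reason: 'callback carries neither an error nor a code+state pair' };
  }
  return { kind: 'success', stateOk, code: params.get('code'), state };
}

// One-line diagnostic suitable for an application log.
function describeCallback(result) {
  if (result.kind === 'success') {
    return `authorization code received (state ${result.stateOk ? 'matches' : 'MISMATCH'})`;
  }
  if (result.kind === 'error') {
    const fix = result.fix ? `; fix: ${result.fix}` : '';
    return `authorization failed: ${result.error} (${result.hint}): ${result.description}${fix}`;
  }
  return `malformed callback: ${result.reason}`;
}

// Express-style handler to mount on the callback path before oidc.router: error
// redirects get a readable page, a success response is passed on with next()
// for the middleware to exchange the code. (Assumed mounting; not part of the
// library.)
function oidcErrorReporter(req, res, next) {
  const result = classifyCallback(`http://localhost${req.originalUrl}`);
  if (result.kind === 'success') return next();
  res.status(400).type('text/plain').send(describeCallback(result));
}

// Constructed sample: the redirect quoted in this thread, with a made-up state.
const SAMPLE_ERROR_REDIRECT =
  'http://localhost:3000/authorization-code/callback' +
  '?error=access_denied&error_description=User+is+not+assigned+to+the+client+application.&state=s1';

console.log(describeCallback(classifyCallback(SAMPLE_ERROR_REDIRECT, 's1')));
```

Mount the reporter with app.get('/authorization-code/callback', oidcErrorReporter) ahead of app.use(oidc.router); the library's own handler still does the code exchange, and the reporter only intercepts redirects that carry an error parameter or no code at all.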

@MiepjeMadelon

@swiftone It does address the situation, thanks!

@michaelallenprofessional

I also encountered this error on a freshly cloned sample app using the Okta hosted login page and was able to fix it by modifying the following file: git/samples-nodejs-express-4/node_modules/openid-client/lib/client.js

On line 460, insert the following two lines into the if (params.code) { block of the callback function:

client_id: this.client_id,
client_secret: this.client_secret,

So before we have:

if (params.code) {
      const tokenset = await this.grant({
        ...exchangeBody,
        grant_type: 'authorization_code',
        code: params.code,
        redirect_uri: redirectUri,
        code_verifier: checks.code_verifier,
      }, { clientAssertionPayload });

      await this.decryptIdToken(tokenset);
      await this.validateIdToken(tokenset, checks.nonce, 'token', checks.max_age);

      if (params.session_state) {
        tokenset.session_state = params.session_state;
      }

      return tokenset;
    }

and after:

if (params.code) {
      const tokenset = await this.grant({
        ...exchangeBody,
        client_id: this.client_id,
        client_secret: this.client_secret,
        grant_type: 'authorization_code',
        code: params.code,
        redirect_uri: redirectUri,
        code_verifier: checks.code_verifier,
      }, { clientAssertionPayload });

      await this.decryptIdToken(tokenset);
      await this.validateIdToken(tokenset, checks.nonce, 'token', checks.max_age);

      if (params.session_state) {
        tokenset.session_state = params.session_state;
      }

      return tokenset;
    }

It looks like the oidc client library is not adding the client_id and client_secret to the POST body when calling the /token endpoint.

I have opened a case with number 01062513 and the support agent should have a recording of a demonstration of the issue and fix.
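Before patching a library under node_modules to put client_id and client_secret into the token request body, it is worth checking where the request carries the client credentials at all. RFC 6749 section 2.3.1 defines two ways a confidential client authenticates to the token endpoint: client_secret_basic (the form-urlencoded id and secret in an HTTP Basic Authorization header) and client_secret_post (both as body parameters), and a client must not use more than one in the same request. The OpenID Connect client metadata field token_endpoint_auth_method names which one a client registered. The following is an added example, not code from the issue or from openid-client: it builds the authorization_code token request under each method and shows the server-side check that reads the credential from whichever place it was sent, so an empty body is not mistaken for a missing credential. All client ids, secrets, codes and verifier values are constructed placeholders.

```javascript
// Added example; not code from the issue or from openid-client. Node.js only
// (uses Buffer and the global URLSearchParams). All parameter values are
// constructed placeholders.

// RFC 6749 section 2.3.1: form-urlencode client_id and client_secret, join them
// with ":" and Base64-encode the pair for the Authorization header.
function basicCredential(clientId, clientSecret) {
  const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Build the POST to the token endpoint for the authorization_code grant.
// authMethod is the registered token_endpoint_auth_method of the client.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri, codeVerifier, authMethod }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri, // must match the one used in the authorization request
  });
  if (codeVerifier) body.set('code_verifier', codeVerifier); // PKCE (RFC 7636)

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  switch (authMethod) {
    case 'client_secret_basic':
      // Credentials travel in the header; the body intentionally has none.
      headers.Authorization = basicCredential(clientId, clientSecret);
      break;
    case 'client_secret_post':
      body.set('client_id', clientId);
      body.set('client_secret', clientSecret);
      break;
    case 'none':
      // Public client (no secret); identified by client_id only.
      body.set('client_id', clientId);
      break;
    default:
      throw new Error(`unsupported token_endpoint_auth_method: ${authMethod}`);
  }
  return { method: 'POST', headers, body: body.toString() };
}

// Server-side view of the same request: find the client credential wherever it
// was sent, and reject a request that authenticates in both places at once.
function extractClientAuth(request) {
  const body = new URLSearchParams(request.body);
  const auth = request.headers.Authorization;

  if (auth && auth.startsWith('Basic ')) {
    if (body.has('client_secret')) {
      return { method: 'invalid', reason: 'credentials in both header and body' };
    }
    const decoded = Buffer.from(auth.slice('Basic '.length), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep < 0) return { method: 'invalid', reason: 'malformed Basic credential' };
    return {
      method: 'client_secret_basic',
      clientId: decodeURIComponent(decoded.slice(0, sep)),
      clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
    };
  }
  if (body.has('client_secret')) {
    return { method: 'client_secret_post', clientId: body.get('client_id'), clientSecret: body.get('client_secret') };
  }
  if (body.has('client_id')) {
    return { method: 'none', clientId: body.get('client_id') };
  }
  return { method: 'missing', reason: 'no client credential in header or body' };
}

// Constructed placeholder parameters for a stand-alone run.
const SAMPLE = {
  clientId: 'xx',
  clientSecret: 'y:y', // contains ":" on purpose, to show the urlencoding step
  code: 'constructed-code',
  redirectUri: 'http://localhost:3000/authorization-code/callback',
  codeVerifier: 'constructed-verifier',
};

for (const authMethod of ['client_secret_basic', 'client_secret_post']) {
  const req = buildTokenRequest({ ...SAMPLE, authMethod });
  console.log(authMethod, '->', req.headers.Authorization || '(no Authorization header)', '|', req.body);
  console.log('  server sees:', extractClientAuth(req).method);
}
```

The practical check is therefore to capture the outgoing token request (a proxy or a request logger) and look at both the Authorization header and the body: a client_secret_basic request has a body with no client_secret in it and is still authenticated. An "invalid_client" style failure then points at a mismatch between the method the client uses and the one the authorization server expects for that client, which is fixed in client configuration rather than by editing library code.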

@aarongranick-okta
Contributor

internal ref: OKTA-379204
