
Implementing Okta Single Sign On #8791


tahmad created
  • ABP Framework version: v7.4.5
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Implementing SSO: I have implemented Okta SSO and obtained the ID Token from Okta. I have also installed the following packages:

@okta/okta-angular (v6.4.0), @okta/okta-auth-js (v7.10.1)

Authentication is working as expected, as confirmed by the following check:

this.oktaAuth.isAuthenticated().then(async (authStatus) => {
    if (authStatus) {
        // Authenticated successfully
    }
});

Additionally, I can successfully invoke APIs using this authentication setup, but I cannot check authorization with different roles:

context.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = "MultipleAuthSchemes";
    options.DefaultChallengeScheme = "MultipleAuthSchemes";
})
.AddPolicyScheme("MultipleAuthSchemes", JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.ForwardDefaultSelector = context =>
    {
        string? authorization = context.Request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(authorization) && authorization.StartsWith("Bearer "))
        {
            var token = authorization.Substring("Bearer ".Length).Trim();
            return token.Contains("okta") ? "okta_jwt_schema" : JwtBearerDefaults.AuthenticationScheme;
        }
        return JwtBearerDefaults.AuthenticationScheme;
    };
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
    options.Audience = "Project42";
})
.AddJwtBearer("okta_jwt_schema", options =>
{
    options.Authority = configuration["Okta:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["Okta:RequireHttpsMetadata"]);
    options.Audience = "api://default";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidIssuer = "https://dev-96317405.okta.com/oauth2/default",
        ValidAudience = "api://default",
        ValidateLifetime = true
    };
});

Now, I have route guards set up as follows:

{
    path: '',
    pathMatch: 'full',
    component: DashboardComponent,
    canActivate: [AuthGuard, PermissionGuard, RoleGuard],
}

I believe these guards require the ABP token instead of the Okta token. How can I properly pass authentication to AuthGuard and PermissionGuard while ensuring authorization in the system using Okta?

Can I do something like: if authenticated, then log in the user by matching the email? But I don't know the password. I have this method: this.authService.login({ username, password, rememberMe })

If I can log into the system without a password, or there is a similar method in the backend, then I believe I can log in the user with a proper ABP login and just authenticate with Okta.

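The ForwardDefaultSelector above picks the scheme by searching the raw token text for the string "okta", so any token containing that substring is routed to the Okta scheme. The following is an added example, not code from the question: it reads the token's issuer (decoding only, no validation) and routes on an exact issuer match, leaving full signature/audience/lifetime validation to whichever scheme is chosen. SchemeSelector is a hypothetical helper name; OktaIssuer is the issuer value quoted in the question.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;

// Hypothetical helper: register with
//   options.ForwardDefaultSelector = SchemeSelector.Select;
// inside the AddPolicyScheme("MultipleAuthSchemes", ...) call.
public static class SchemeSelector
{
    // Issuer string from the question; in practice read it from configuration.
    private const string OktaIssuer = "https://dev-96317405.okta.com/oauth2/default";
    private const string OktaScheme = "okta_jwt_schema";

    private static readonly JwtSecurityTokenHandler Handler = new();

    public static string Select(HttpContext context)
    {
        string? authorization = context.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(authorization) ||
            !authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            return JwtBearerDefaults.AuthenticationScheme;
        }

        var token = authorization["Bearer ".Length..].Trim();
        if (!Handler.CanReadToken(token))
        {
            // Not a well-formed JWT: let the default scheme reject it with a 401.
            return JwtBearerDefaults.AuthenticationScheme;
        }

        // ReadJwtToken only base64-decodes the token; it does NOT check the signature.
        // The selected scheme still performs full validation, so a forged "iss" only
        // decides which validator rejects the token.
        var issuer = Handler.ReadJwtToken(token).Issuer;
        return string.Equals(issuer, OktaIssuer, StringComparison.Ordinal)
            ? OktaScheme
            : JwtBearerDefaults.AuthenticationScheme;
    }
}
```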

44 Answer(s)
  • tahmad created

    Also, I have found that CurrentUser is null.

  • berkansasmaz created
    Support Team .NET Developer

    Hello, our relevant team member will respond to you as soon as possible.

  • tahmad created

    Sure, please respond at the earliest. I need to wind up, thanks.

  • berkansasmaz created
    Support Team .NET Developer

    Unfortunately, our team member is out of working time at the moment. He will probably respond tomorrow during the day. Thank you for your patience.

  • tahmad created

    Sure.

  • maliming created
    Support Team Fullstack Developer

    hi

    Can you check the current principal (HttpContext.User) after authentication using okta_jwt_schema?

    What are the claims (type:value)?

    The CurrentUser's values come from claims.

    AddJwtBearer("okta_jwt_schema", options =>
    {
        options.Authority = configuration["Okta:Authority"];
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["Okta:RequireHttpsMetadata"]);
        options.Audience = "api://default";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidIssuer = "https://dev-96317405.okta.com/oauth2/default",
            ValidAudience = "api://default",
            ValidateLifetime = true
        };
    });
    
  • tahmad created

    Please see the screenshot.

    The CurrentUser fields are different. What do I need to do?

  • tahmad created

    This issue also needs to be addressed. I have route guards set up as follows:

    {
        path: '',
        pathMatch: 'full',
        component: DashboardComponent,
        canActivate: [AuthGuard, PermissionGuard, RoleGuard],
    }

    I believe these guards require the ABP token instead of the Okta token. How can I properly pass authentication to AuthGuard and PermissionGuard while ensuring authorization in the system using Okta?

  • maliming created
    Support Team Fullstack Developer

    hi

    ABP will not recognize these claims.

    They come from another system, so they can't work with the abp authentication/permission system.

    E.g. you have a user (id: 123) in your local database, but with the okta_jwt_schema claims ABP doesn't know the current user.

  • tahmad created

    hi

    Can I do something like: if authenticated, then log in the user by matching the email? But I don't know the password. I have this method: this.authService.login({ username, password, rememberMe })

    If I can log into the system without a password, or there is a similar method in the backend, then I believe I can log in the user with a proper ABP login and just authenticate with Okta.

    IF NOT, then what changes do I need to make so the claims are compatible with ABP?

  • maliming created
    Support Team Fullstack Developer

    hi

    The AddJwtBearer method can map your okta_jwt_schema claims to be compatible with ABP.

    
    // Requires: using System.Security.Claims; using Volo.Abp.Security.Claims;
    .AddAbpJwtBearer(options =>
    {
        // Keep the raw JWT claim names (e.g. "sub", "email") instead of the .NET long-form URIs
        options.MapInboundClaims = false;
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = tokenValidatedContext =>
            {
                var yourClaims = tokenValidatedContext.Principal?.Claims; // the incoming Okta claims

                // Map your Okta claims to ABP claims (fill in the values from yourClaims)
                if (tokenValidatedContext.Principal?.Identity is ClaimsIdentity claimIdentity)
                {
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.UserId, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.UserName, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.SurName, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.Email, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.Role, ""));
                }

                return Task.CompletedTask;
            }
        };
    });
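    One way to fill in the placeholders above, as an added example that is neither the thread's own code nor part of the ABP framework: it resolves the local ABP user from the Okta email claim via IdentityUserManager (assumes the Volo.Abp.Identity module is in the API host and that the Okta token carries an "email" claim), fails the authentication when no local user matches, and replaces any incoming claim of the same type so only one ABP user id ends up on the principal. OktaClaimMapper is a hypothetical name.

    ```csharp
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Extensions.DependencyInjection;
    using Volo.Abp.Identity;
    using Volo.Abp.Security.Claims;

    // Hypothetical helper; wire it up in the okta_jwt_schema registration with:
    //   options.Events = new JwtBearerEvents { OnTokenValidated = OktaClaimMapper.OnTokenValidated };
    public static class OktaClaimMapper
    {
        public static async Task OnTokenValidated(TokenValidatedContext ctx)
        {
            if (ctx.Principal?.Identity is not ClaimsIdentity identity) return;

            // With MapInboundClaims = false the Okta claims keep their short JWT names.
            var email = identity.FindFirst("email")?.Value;
            if (string.IsNullOrWhiteSpace(email))
            {
                ctx.Fail("Okta token carries no email claim; cannot map to a local user.");
                return;
            }

            var userManager = ctx.HttpContext.RequestServices.GetRequiredService<IdentityUserManager>();
            var user = await userManager.FindByEmailAsync(email);
            if (user == null)
            {
                // Valid at Okta but unknown locally: reject instead of passing a half-mapped principal on.
                ctx.Fail($"No local ABP user for {email}.");
                return;
            }

            // Remove incoming claims of the same type first. AbpClaimTypes.UserId is "sub" by
            // default, so Okta's own "sub" would otherwise sit next to the ABP user id.
            foreach (var type in new[] { AbpClaimTypes.UserId, AbpClaimTypes.UserName, AbpClaimTypes.Email, AbpClaimTypes.Role })
            {
                foreach (var old in identity.FindAll(type).ToList()) identity.RemoveClaim(old);
            }

            identity.AddClaim(new Claim(AbpClaimTypes.UserId, user.Id.ToString()));
            identity.AddClaim(new Claim(AbpClaimTypes.UserName, user.UserName));
            identity.AddClaim(new Claim(AbpClaimTypes.Email, user.Email));
            if (user.TenantId.HasValue)
                identity.AddClaim(new Claim(AbpClaimTypes.TenantId, user.TenantId.Value.ToString()));
            foreach (var role in await userManager.GetRolesAsync(user))
                identity.AddClaim(new Claim(AbpClaimTypes.Role, role));
        }
    }
    ```

    Roles are taken from the local ABP user, so the Okta token only proves identity; what the user may do is still decided by ABP's role and permission data.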
    
  • tahmad created

    Which library do I need to install for the AddAbpJwtBearer method?

    I have the namespace using Volo.Abp.AspNetCore.Authentication.JwtBearer; present in my class, but it is still not giving an error.

  • maliming created
    Support Team Fullstack Developer

    Hi

    You can replace it with AddJwtBearer.

  • tahmad created

    Hi

    I'm able to fetch, but the User Id is still null.

    Here is the code of AddJwtBearer. Currently I'm adding the claims hard-coded, but I will make it dynamic. I'm also setting the user id but still getting null.

  • tahmad created

    Hi, I have also seen that AuthGuard and PermissionGuard are not allowing me to access the dashboard with my Okta authentication.

  • maliming created
    Support Team Fullstack Developer

    hi

    Please share the full claims list of HttpContext.User.

  • tahmad created

    Hi, here is the full claim list.

  • maliming created
    Support Team Fullstack Developer

    Can you try to debug the FindUserId method?

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Security/System/Security/Principal/AbpClaimsIdentityExtensions.cs#L11-L47
    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Security/Volo/Abp/Users/CurrentUser.cs#L16

  • tahmad created

    Hi, I'm able to fetch the UserId now. There were two sub claims in my claims; I made it one sub claim.

    Still, my frontend application is not loading as expected; many components are not loading.

    I believe this is the issue:

    I have seen that AuthGuard and PermissionGuard are not allowing me to access the dashboard with my Okta authentication.

  • maliming created
    Support Team Fullstack Developer

    What are JSON results of https://yourwebsite/api/abp/application-configuration?includeLocalizationResources=false in your angular app?

  • tahmad created

    Hi, it's a big response; I cannot share it here due to the character limit.

    Can you share your email so I can send it to you?

  • maliming created
    Support Team Fullstack Developer

    hi

    liming.ma@volosoft.com

  • tahmad created

    Hi, I have shared the response with you.

  • maliming created
    Support Team Fullstack Developer

    hi

    The current user has values, but grantedPolicies only has four permissions.

    I will ask our angular team.

  • tahmad created

    Hi

    Also, I have seen this because this token is from Okta OpenID.

Made with ❤️ on ABP v9.2.0-preview. Updated on March 20, 2025, 18:00