Hi Maliming,
The Angular app directs login to the auth server using the URL below. The redirect_url parameter is set to http://localhost:4200, which is why I have been trying to redirect to the Angular frontend from Okta.
I changed my Okta app settings to use the auth server url (https://localhost:44322/Account/Login)
and my AuthServerModule looks like this:
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, "Okta", options =>
{
    options.Authority = "https://xxxxxx.okta.com/oauth2/default";
    options.ClientId = "my client Id";
    options.ClientSecret = "my client secret";
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.Scope.Clear();
    options.Scope.Add("offline_access");
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    options.SaveTokens = true;
    options.ResponseMode = OpenIdConnectResponseMode.Query;
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = context =>
        {
            // Perform any custom logic before redirecting to Okta
            context.ProtocolMessage.RedirectUri = "https://localhost:44322/Account/Login";
            return Task.CompletedTask;
        },
    };
});
The redirect from Okta to my auth server works and the URL params (Code and State) are being set, but it does not log me into the application and does not redirect me to the Angular frontend.
Any thoughts or advice on this?
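An added illustration (not code from this thread or from ABP) of the point both of the configurations above run into: the ASP.NET Core OpenIdConnect handler builds redirect_uri from options.CallbackPath and only completes the external sign-in (state and nonce validation, code exchange, cookie issuance) when Okta sends the code and state back to that path on the auth server. The host https://localhost:44322 is taken from the thread; that the Okta application's sign-in redirect URI is registered as that host plus /signin-oidc is an assumption.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class OktaExternalProvider
{
    // Auth server host from the thread. The Okta app is assumed to list
    // AuthServerHost + CallbackPath (https://localhost:44322/signin-oidc)
    // as its sign-in redirect URI, not the Angular origin.
    private const string AuthServerHost = "https://localhost:44322";

    public static AuthenticationBuilder AddOkta(this AuthenticationBuilder builder)
    {
        return builder.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, "Okta", options =>
        {
            options.Authority = "https://xxxxxx.okta.com/oauth2/default"; // placeholder
            options.ClientId = "my client Id";                            // placeholder
            options.ClientSecret = "my client secret";                    // placeholder
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.ResponseMode = OpenIdConnectResponseMode.Query;
            options.UsePkce = true;      // code flow with PKCE
            options.SaveTokens = true;

            // Leave redirect_uri to the handler: it is derived from CallbackPath.
            // Overriding ProtocolMessage.RedirectUri with the SPA origin or the
            // /Account/Login page delivers code+state to a URL the handler never
            // processes, so nothing is validated and no sign-in cookie is issued.
            options.CallbackPath = "/signin-oidc";
            options.SignedOutCallbackPath = "/signout-callback-oidc";

            options.Scope.Clear();
            foreach (var scope in new[] { "openid", "profile", "email", "offline_access" })
            {
                options.Scope.Add(scope);
            }

            options.Events = new OpenIdConnectEvents
            {
                // Make handler-side failures (state mismatch, missing nonce,
                // token validation errors) visible instead of a silent non-login.
                OnRemoteFailure = ctx =>
                {
                    var reason = Uri.EscapeDataString(ctx.Failure?.Message ?? "remote failure");
                    ctx.Response.Redirect($"/Account/Login?error={reason}");
                    ctx.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });
    }
}
```

After the handler signs the user in at the auth server, the auth server's own OpenIddict flow returns the user to the Angular client, so the SPA never needs to be an Okta redirect target.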
Hello Mohammed.sheik,
Please let us know whether this solution has worked for you.
If you are still facing the issue, please share your solution with support@abp.io so that we can help you better.
Awaiting your response.
Thank You, Anjali
Hi Anjali,
I hope you are doing well. I am still experiencing the above exceptions and unfortunately due to company policy I cannot share the solution. Can we please arrange for a call where I could take you through all my configurations?
Thank you for the great support!
Best Regards, Mohammed
Hi There,
I hope you are well.
We are integrating Okta as an external login provider for our application. We have added the following configuration to the ConfigureExternalProviders function in the AuthServerModule:
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, "Okta",
    options =>
    {
        options.Authority = "https://xxxxxx.okta.com/oauth2/default";
        options.ClientId = "my client Id";
        options.ClientSecret = "my client secret";
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.Scope.Clear();
        options.Scope.Add("offline_access");
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.SaveTokens = true;
        options.ResponseMode = OpenIdConnectResponseMode.Query;
        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = context =>
            {
                // Perform any custom logic before redirecting to Okta
                context.ProtocolMessage.RedirectUri = "http://localhost:4200";
                return Task.CompletedTask;
            },
        };
    });
My login page now has the option to login with Okta:
This is the settings that I have in my Okta Application settings:
As you can see, I have configured the redirect URL on both sides to be http://localhost:4200, which is my Angular frontend. When I log in to my application using the Okta option, I see the authentication happening correctly on the Okta side, and after the authentication I am redirected to http://localhost:4200. The problem is that I don't get logged into my application because I get the error 'Validating access_token failed'. I do notice that the nonce, access_token, refresh_token etc. are missing from the local storage for http://localhost:4200.
Please advise on what I am missing and how I can resolve this issue. Your assistance is greatly appreciated.
Hi,
I don't know what blocked you.
Could you describe exactly what problem you're having?
As I understand it, you can customize the login model to do it; just check the current tenant.
Hi,
There is no problem. I am looking for guidance on how to integrate with Okta.
When you say "As I understand it, you can customize the login model to do it; just check the current tenant.", can you please share documentation on this?
ABP Framework version: v5.2.2
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes
Hi there,
I hope you are well.
We have developed a Saas application using the Abp microservice template. We now have a new requirement to integrate Okta as the identity provider for a specific client. Okta will only be used as the Identity provider for a specific client and other clients will use the default Identity Server that comes with the Abp template.
I am looking for guidance on how this can be achieved. Your assistance would be greatly appreciated.
Hi,
Can you share a project that reproduces the problem with me at shiwei.liang@volosoft.com? I will check it.
Hi Shiwei,
Can we rather do a Teams or Zoom call?
Hi there,
I hope you are well.
For a particular scenario in our project we are required to get a list of all users across all tenants. The approach we have taken is to get a list of all tenants, then change the current tenant, get a list of all users from the Identity service for that tenant, and append them to a list. We have followed the instructions in the documentation here: https://docs.abp.io/en/commercial/latest/startup-templates/microservice/synchronous-interservice-communication#synchronous-communication-between-microservices and have successfully been able to communicate with the Identity service to get all users for each tenant. My problem is that it works fine when running locally using Project Tye, but after I deploy to my Kubernetes environment I get an unauthorized error on the Identity service side:
[11:11:10 WRN] Code:Volo.Authorization:010001
[11:11:10 INF] AuthenticationScheme: Bearer was challenged.
[11:11:10 INF] Executed action Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi) in 9.4578ms
[11:11:10 INF] Executed endpoint 'Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi)'
[11:11:10 INF] Request finished HTTP/1.1 GET http://tokengen-stag-identitysvc.conlog.com/api/identity/users?SkipCount=0&MaxResultCount=1000&api-version=1.0 - - - 401 0 - 35.9058ms
[11:11:33 INF] Request starting HTTP/1.1 GET http://tokengen-stag-identitysvc.conlog.com/api/identity/users - -
[11:11:33 INF] CORS policy execution failed.
[11:11:33 INF] Request origin null does not have permission to access the resource.
[11:11:33 INF] Executing endpoint 'Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi)'
[11:11:33 INF] Route matched with {controller = "User", area = "identity", action = "GetList"}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Application.Dtos.PagedResultDto`1[Volo.Abp.Identity.IdentityUserDto]] GetListAsync(Volo.Abp.Identity.GetIdentityUsersInput) on controller Volo.Abp.Identity.IdentityUserController (Volo.Abp.Identity.Pro.HttpApi).
[11:11:33 INF] Request starting HTTP/1.1 GET http://tokengen-stag-identitysvc.conlog.com/api/identity/users?SkipCount=0&MaxResultCount=1000&api-version=1.0 - -
[11:11:33 INF] Executing endpoint 'Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi)'
[11:11:33 INF] Route matched with {controller = "User", area = "identity", action = "GetList"}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Application.Dtos.PagedResultDto`1[Volo.Abp.Identity.IdentityUserDto]] GetListAsync(Volo.Abp.Identity.GetIdentityUsersInput) on controller Volo.Abp.Identity.IdentityUserController (Volo.Abp.Identity.Pro.HttpApi).
[11:11:33 INF] Authorization failed. These requirements were not met:
PermissionRequirement: AbpIdentity.Users
[11:11:33 WRN] ---------- RemoteServiceErrorInfo ----------
{
"code": "Volo.Authorization:010001",
"message": "Authorization failed! Given policy has not granted.",
"details": null,
"data": {},
"validationErrors": null
}
[11:11:33 WRN] Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown.
Volo.Abp.Authorization.AbpAuthorizationException: Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown.
at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.CheckAsync(IAuthorizationService authorizationService, AuthorizationPolicy policy)
at Volo.Abp.Authorization.MethodInvocationAuthorizationService.CheckAsync(MethodInvocationAuthorizationContext context)
at Volo.Abp.Authorization.AuthorizationInterceptor.AuthorizeAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
at lambda_method2280(Closure , Object )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
[11:11:33 WRN] Code:Volo.Authorization:010001
[11:11:33 INF] AuthenticationScheme: Bearer was challenged.
[11:11:33 INF] Executed action Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi) in 13.8284ms
[11:11:33 INF] Executed endpoint 'Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi)'
[11:11:34 INF] Executing ObjectResult, writing value of type 'Volo.Abp.Application.Dtos.PagedResultDto`1[[Volo.Abp.Identity.IdentityUserDto, Volo.Abp.Identity.Pro.Application.Contracts, Version=6.0.1.0, Culture=neutral, PublicKeyToken=null]]'.
[11:11:34 INF] Executed action Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi) in 67.5621ms
[11:11:34 INF] Executed endpoint 'Volo.Abp.Identity.IdentityUserController.GetListAsync (Volo.Abp.Identity.Pro.HttpApi)'
In my Identity database, dbo.OpenIddictApplications table the application is seeded correctly:
In the Administration database, dbo.AbpPermissionGrants table the 'AbpIdentity.Users' permission is seeded correctly as well.
Please can you assist in resolving this issue.
Hi,
After injecting ITenantAppService into my AppService and calling 'await _tenantAppService.GetListAsync' I get the following error: Not Found.
In my appsettings.json I have the RemoteServices config:
"RemoteServices": {
  "Default": {
    "BaseUrl": "https://localhost:44388/",
    "UseCurrentAccessToken": "false"
  }
},
Please advise what could be the issue.