okta/samples-aspnetcore

'Unable to retrieve document' error when authenticating

justinhelgerson opened this issue · 6 comments

@laura-rodriguez I somehow overlooked these self hosted widget login examples. They are exactly what I'm looking for in my application so it's awesome that you have them.

Unfortunately in both the ASP.NET Core & ASP.NET samples I'm getting the error below. I have a feeling I have something configured incorrectly seeing as how I am getting the exact same error in both runtimes. I'm able to get a session token from the widget, but during the challenge process I'm getting an unauthorized error.

Could you point me in the right direction?

HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.

Microsoft.IdentityModel.Protocols.HttpDocumentRetriever+<GetDocumentAsync>d__8.MoveNext()
InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.

Microsoft.IdentityModel.Protocols.ConfigurationManager+<GetConfigurationAsync>d__24.MoveNext()

Hi @justinhelgerson!
As you said, you might have an incorrect value in your configuration. Could you paste the relevant part of your configuration here?

Also, have you added your app URLs as trusted origins?

Thanks for the response. Below is some info on my configuration. I have integration working with the Okta hosted sign in page, but I have a requirement with one of my applications to have some custom partner branding on the sign in page. Building an SSO experience with the widget seems like the solution for this app.

appsettings.json

"Okta": {
    "ClientId": "my-real-client-id-is-here",
    "ClientSecret": "my-real-secret-id-is-here",
    "OktaDomain": "https://sonicfoundry.okta.com"
}

Startup.cs

using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

// Bind the "Okta" section of appsettings.json to a strongly typed settings object
services.Configure<OktaSettings>(Configuration.GetSection("Okta"));

var oktaMvcOptions = new OktaMvcOptions()
{
    // Must match the Login redirect URI registered on the Okta app
    CallbackPath = "/signin-oidc",
    OktaDomain = Configuration.GetSection("Okta").GetValue<string>("OktaDomain"),
    ClientId = Configuration.GetSection("Okta").GetValue<string>("ClientId"),
    ClientSecret = Configuration.GetSection("Okta").GetValue<string>("ClientSecret"),
    Scope = new List<string> { "openid", "profile", "email", "groups" },
    GetClaimsFromUserInfoEndpoint = true,
};

services.AddAuthentication(options =>
{
    // Cookie holds the local session; Okta handles the challenge (login) step
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
})
.AddCookie()
.AddOktaMvc(oktaMvcOptions);

I've also added https://localhost:5001 into my trusted origins (both CORS and Redirect). This looks to be working since I'm getting a response object from the widget.

I have my application in Okta configured as a Web OIDC app with the authorization code, refresh token, implicit & allow ID token with implicit grant type options enabled. Login redirect URI is https://localhost:5001/signin-oidc

I can't seem to find what I'm missing here. 😕

After flipping over to a developer preview instance I noticed a difference in that it had access to authorization servers while my production instance didn't. I suspect this is because our contract doesn't begin until November 1? I'm not sure. 😕 I contacted support and they enabled the authorization server and now this integration is working! 🎉

@laura-rodriguez I do have one follow up question about widget functionality. If I'm already authenticated with Okta, is it possible to have the widget automatically authenticate? Similar to how when using the Okta hosted sign in page, you only have to sign in once when visiting multiple applications.

Hi @justinhelgerson,

Sorry for the delay! I am glad you were able to solve this issue. I am curious what type of Okta account you have that didn't have the authorization server enabled?
Also, were you able to find an answer to the widget question? If not, I recommend you take a look at https://devforum.okta.com.

what type of okta account do you have

I'm not entirely sure what you mean, but we bought a few of the "IT Products" and we also have the "API Products - Enterprise" service. Technically our contract doesn't begin until tomorrow, so it could be that our organization was still under a trial?

were you able to find out the widget question

As for the widget, I think I have a pretty interesting solution that other folks might find interesting. The end goal was an SSO solution if you're already signed into Okta. If you aren't signed in, keep the user in the experience of the application for authentication (for dynamic branding, UI, etc). The TLDR of the workflow is:

  • If a user isn't authenticated they will be redirected to Okta (leveraging the Microsoft OIDC middleware)
    • Before redirecting I look for the presence of a sessionToken which is provided by the widget. If it's absent, I specify a prompt of none.
  • If the user is already authenticated with Okta, we get the token, store claims, log them in, etc, etc. Business as usual
  • If the user isn't authenticated we receive an error (as documented by Okta because of our none prompt) and handle the response via OnMessageReceived.
    • We redirect to our own sign in page that utilizes the Okta widget
    • We take the sessionToken provided by the widget and send it in our authorize request (this is where your examples were handy--thanks! 😄)
    • Business as usual from here on out. Okta redirects back to our app, OIDC middleware handles the response, get the token, log them in, etc, etc 🎈
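The workflow above, written out as an added example rather than code from this thread or from the okta/samples-aspnetcore repository. It wires the Microsoft OIDC middleware directly so the two hooks are visible: OnRedirectToIdentityProvider either forwards the widget's sessionToken or asks for prompt=none, and OnMessageReceived catches the login_required error (the standard OIDC Core error for prompt=none without a session) and sends the user to the app's own widget page. Assumptions not taken from the thread: the Okta section of appsettings.json shown earlier, the /oauth2/default authorization server that support enabled, a hypothetical /Account/SignIn page hosting the widget, and a hypothetical AuthenticationProperties item key used to carry the sessionToken into the challenge.

```csharp
// Added example; not part of the Okta samples. See lead-in for assumptions.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class OktaWidgetSsoSetup
{
    // Hypothetical key: the widget page stores the sessionToken under it in AuthenticationProperties
    public const string SessionTokenKey = "okta.sessionToken";
    // Hypothetical path of the app's own sign-in page that hosts the Okta widget
    public const string WidgetSignInPath = "/Account/SignIn";

    public static void ConfigureAuth(IServiceCollection services, IConfiguration configuration)
    {
        var okta = configuration.GetSection("Okta");

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Discovery document comes from the custom authorization server (assumed: "default")
            options.Authority = okta["OktaDomain"] + "/oauth2/default";
            options.ClientId = okta["ClientId"];
            options.ClientSecret = okta["ClientSecret"];
            options.CallbackPath = "/signin-oidc";
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.GetClaimsFromUserInfoEndpoint = true;
            foreach (var scope in new[] { "openid", "profile", "email", "groups" })
                options.Scope.Add(scope);

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    if (context.Properties.Items.TryGetValue(SessionTokenKey, out var sessionToken)
                        && !string.IsNullOrEmpty(sessionToken))
                    {
                        // Widget already authenticated the user: pass its sessionToken to /authorize
                        context.ProtocolMessage.SetParameter("sessionToken", sessionToken);
                    }
                    else
                    {
                        // No widget token yet: try silent SSO against an existing Okta session
                        context.ProtocolMessage.Prompt = "none";
                    }
                    return Task.CompletedTask;
                },
                OnMessageReceived = context =>
                {
                    // prompt=none with no Okta session returns error=login_required instead of a code
                    if (context.ProtocolMessage?.Error == "login_required")
                    {
                        context.HandleResponse();
                        context.Response.Redirect(WidgetSignInPath);
                    }
                    return Task.CompletedTask;
                }
            };
        });
    }
}

// The widget page posts the sessionToken here; the action must be anonymous,
// otherwise the failed silent challenge would redirect straight back into itself.
[AllowAnonymous]
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult SignInWithWidget(string sessionToken, string returnUrl)
    {
        // Only honour local return URLs so the post-login redirect cannot be pointed off-site
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        var props = new AuthenticationProperties { RedirectUri = target };
        props.Items[OktaWidgetSsoSetup.SessionTokenKey] = sessionToken;
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Two points a reviewer would check in this arrangement: the widget page itself must not be behind [Authorize], or the login_required redirect loops, and the sessionToken is single-use and short-lived, so it is carried only inside the challenge's AuthenticationProperties rather than persisted anywhere.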

It seems we can close this issue @justinhelgerson. Feel free to reopen it if you need to.
Thanks for your feedback ❤️