OIDC Authentication using Okta Authorization Server URL
rboucher-me opened this issue · 0 comments
rboucher-me commented
Expected behaviour
Successful OIDC authentication when using an Okta Authorization Server API URL (https://{{okta-domain}}/oauth2/{{authorization-server-id}}) instead of the default API URL (https://{{okta-domain}}/oauth2). This behaviour is consistent with current documentation. This issue is to request support for Okta Authorization Servers.
Actual behaviour
When trying to authenticate using OIDC, a "Signature verification failed" exception is thrown in social_core/backends/open_id_connect.py. Okta logs show a successful app.oauth2.as.token.grant.access_token and a successful app.oauth2.as.token.grant.id_token for the same authentication event.
What are the steps to reproduce this issue?
- Configure an Okta Authorization Server (Security > API)
- Use the generated Authorization Server URI as the authentication endpoint
- Attempt to authenticate (exception thrown)
- Use the default URI as the authentication endpoint
- Attempt to authenticate (successful)
Any logs, error output, etc?
Exception traceback:
/opt/netbox/venv/lib/python3.11/site-packages/social_core/actions.py, line 49, in do_complete
    user = backend.complete(user=user, redirect_name=redirect_name, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/opt/netbox/venv/lib/python3.11/site-packages/social_core/backends/base.py, line 39, in complete
    return self.auth_complete(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/opt/netbox/venv/lib/python3.11/site-packages/social_core/utils.py, line 253, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
/opt/netbox/venv/lib/python3.11/site-packages/social_core/backends/oauth.py, line 418, in auth_complete
    response = self.request_access_token(
/opt/netbox/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py, line 254, in request_access_token
    self.id_token = self.validate_and_return_id_token(
/opt/netbox/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py, line 214, in validate_and_return_id_token
    raise AuthTokenError(self, "Signature verification failed")
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
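The mechanism behind the "Signature verification failed" message, as an added example that is not the reporter's code and not social_core's or NetBox's: every Okta authorization server publishes its own RS256 signing keys (the org server at https://{{okta-domain}}/oauth2/v1/keys, a custom server at https://{{okta-domain}}/oauth2/{{authorization-server-id}}/v1/keys), so an id_token minted by the custom server carries a kid that does not exist in the org server's JWKS, and a validator that fetched the org server's keys cannot verify it. The script below simulates two authorization servers with throwaway in-process RSA keys, issues an id_token from the custom one, and validates it against each server's discovery document and JWKS. The Okta domain, authorization-server id, client id and subject are made-up placeholders; the RSA key generation is stdlib-only toy code, not something to reuse.

```python
import base64
import hashlib
import json
import math
import secrets
import time

OKTA_DOMAIN = "dev-000000.okta.com"  # assumed placeholder for {{okta-domain}}
CUSTOM_AS_ID = "aus1example"         # assumed placeholder for {{authorization-server-id}}
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix

class AuthTokenError(Exception): pass  # same exception name as the traceback; messages here are ours

def b64u(data: bytes) -> str:  # JWS and JWK use unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin on an odd n; toy-key quality
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> r                            # n - 1 == d * 2**r with d odd
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:  # force the top bit (size) and the low bit (odd)
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_authorization_server(issuer: str, api_url: str) -> dict:
    """Simulate one Okta authorization server: its own RS256 key pair, JWKS and discovery document."""
    p, q = _gen_prime(512), _gen_prime(512)
    while math.gcd(65537, (phi := (p - 1) * (q - 1))) != 1:  # e must be invertible mod phi
        p, q = _gen_prime(512), _gen_prime(512)
    n, e, kid = p * q, 65537, b64u(secrets.token_bytes(8))
    to_b64u = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": to_b64u(n), "e": to_b64u(e)}]}
    return {"discovery": {"issuer": issuer, "jwks_uri": api_url + "/v1/keys"},
            "jwks": jwks, "kid": kid, "_priv": (n, pow(e, -1, phi))}

def _emsa_pkcs1_v15_sha256(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 T
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue_id_token(server: dict, claims: dict) -> str:  # RS256 JWS, compact serialization
    n, d = server["_priv"]
    k = (n.bit_length() + 7) // 8
    hdr = b64u(json.dumps({"alg": "RS256", "kid": server["kid"]}).encode())
    signing_input = hdr + "." + b64u(json.dumps(claims).encode())
    sig = pow(_emsa_pkcs1_v15_sha256(signing_input.encode(), k), d, n)
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))

def validate_id_token(token: str, discovery: dict, jwks: dict, client_id: str) -> dict:
    """Look the kid up in THIS server's JWKS, verify the signature, then check iss, aud and exp."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64u_dec(h_b64))
    if header.get("alg") != "RS256":
        raise AuthTokenError("Unexpected alg")  # never accept alg=none or an HMAC alg here
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None:  # the kid belongs to some other server's key set
        raise AuthTokenError("Signature verification failed")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, int.from_bytes(b64u_dec(s_b64), "big")
    if sig >= n or pow(sig, e, n) != _emsa_pkcs1_v15_sha256(f"{h_b64}.{p_b64}".encode(), k):
        raise AuthTokenError("Signature verification failed")
    claims = json.loads(b64u_dec(p_b64))
    aud = claims.get("aud")
    if claims.get("iss") != discovery["issuer"] or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise AuthTokenError("Wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise AuthTokenError("Token expired")
    return claims

def run_demo(client_id: str = "0oa-example-client") -> dict:  # id_token from the custom AS, checked both ways
    custom_url = f"https://{OKTA_DOMAIN}/oauth2/{CUSTOM_AS_ID}"
    org_as = make_authorization_server(f"https://{OKTA_DOMAIN}", f"https://{OKTA_DOMAIN}/oauth2")
    custom_as = make_authorization_server(custom_url, custom_url)
    token = issue_id_token(custom_as, {"iss": custom_url, "aud": client_id, "sub": "00u-example",
                                       "exp": int(time.time()) + 3600})
    def outcome(srv: dict) -> str:
        try:
            validate_id_token(token, srv["discovery"], srv["jwks"], client_id)
            return "ok"
        except AuthTokenError as exc:
            return str(exc)
    return {name: outcome(srv) for name, srv in (("custom_as", custom_as), ("org_as", org_as))}
```

Calling run_demo() returns {'custom_as': 'ok', 'org_as': 'Signature verification failed'}: the same token is valid or invalid depending only on which server's JWKS the validator consulted. The practical check when configuring a custom authorization server is therefore that the issuer and jwks_uri the backend resolves (via the .well-known/openid-configuration document) both point at the {{authorization-server-id}} path, and that the iss claim in the id_token matches that issuer exactly.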