Evaluate Okta OAuth
Open, LowPublic
Actions

Assigned To

Authored By

	epriestley
	Aug 29 2019, 3:26 PM

Description

See PHI1406. See T13259 (concurrent discussion with the reporting install, task is unrelated). See private support thread in inbox. See PHI1189. See PHI1133.

We've see increasing interest in Okta, which is a OneLogin-like "Contact Sales" organization which literally has a "Gartner Magic Quadrant" reference in a homepage banner at time of writing.

Despite the similarities to OneLogin, Okta seems to be on much firmer technical footing than OneLogin. It supports a realistic-looking OAuth API and there's a fairly reasonable developer portal. My current model here is that last-generation Enterprise IT services (OneLogin) were just many layers of garbage wrapped around one another, and the new generation is many layers of garbage wrapped around a reasonable technical core (Duo, Okta). This is a step forward, at least.

This still runs into T13229, where I'd prefer to stop upstreaming enterprise sales glue and start licensing it, but we can cross that bridge when we come to it.

The current open questions are roughly:

Does Okta OAuth basically work like every other OAuth?
Does whatever API we get access to through Okta OAuth provide access to LDAP groups (relevant to PHI1406)?
- If no, can we treat Okta as an LDAP server instead?
Then, if there's a path forward here, what's the licensing model?

Related Objects

Mentioned In: T524: OpenID Authentication as an Auth Option
Mentioned Here: T13229: On Third-Party Integrations
T13259: Rebuilding repository identities throws exception for inability to identify a valid object in query "DiffusionCommitQuery"

Event Timeline

epriestley triaged this task as Low priority.Aug 29 2019, 3:26 PM

epriestley created this task.

Herald added a subscriber: amckinley. · View Herald TranscriptAug 29 2019, 3:26 PM

epriestley updated the task description. (Show Details)Aug 29 2019, 3:27 PM

epriestley updated the task description. (Show Details)

swisspol added a subscriber: swisspol.Aug 29 2019, 3:39 PM

I attempted to register for a developer account and am receiving neither an email verification email nor a password reset email. 🤷

But did you check your spam folder? 😄

But did you check your spam folder? 😄

They showed up eventually, it just took the better part of an hour.

Does Okta OAuth basically work like every other OAuth?

Yes, more or less.

(It doesn't prompt the user to confirm that they want to hand over their account information to the application, which is a little weird, but the applications are theoretically trusted.)

Does whatever API we get access to through Okta OAuth provide access to LDAP groups?

The Okta /userinfo endpoint has a "groups" property, but it's not currently clear to me what this means. This is documented as:

"The groups that the user is a member of that also match the ID token group filter of the client app."

When I ask for the "groups" scope, which is documented as a real scope, the endpoint rejects the request as invalid ("invalid_scope").

This seems to be some kind of bizarre mess:

https://devforum.okta.com/t/returning-groups-in-the-openid-connect-userinfo-api-call/318/12

Under API → Authorization Servers → Claims, I added a claim like this?

Screen Shot 2019-09-05 at 3.44.33 PM.png (597×639 px, 48 KB)

This doesn't work. The documentation says "calling this endpoint always returns all of the user's claims"; at a minimum, this is untrue because the returned claims depend on scope.

None of the approaches described in these threads seem to allow me to get more information out of /userdata using access tokens:

https://devforum.okta.com/t/how-to-get-more-claims-in-userinfo-endpoint/3559/
https://devforum.okta.com/t/returning-groups-in-the-openid-connect-userinfo-api-call-again/2613
https://devforum.okta.com/t/how-to-get-user-info-from-okta-other-than-name-surname-and-email/3893

Particularly, changing these claims from "Access Token / Always" to "ID Token / Userinfo" doesn't make them appear in the userinfo response.

I haven't exhausted all possibilities yet, but my patience with the UI / documentation making claims that are totally unsupported by the actual API behavior is wearing thin.

Then, if there's a path forward here, what's the licensing model?

This experience is sure pushing me in the direction of "licensed", not "upstreamed".

I managed to get something into /userinfo. I had assumed that a static value like quack would either evaluate to the string "quack", or raise an error, or evaluate to some error-like value. Instead, it fails silently. A static value like "quack" works if assigned to "Userinfo / id_token request". The actual request I'm making is an "Access Token" request. This value does not work if assigned to "Access Token / Always".

This ultimately gives me a pathway to groups, it appears:

Screen Shot 2019-09-05 at 4.09.47 PM.png (519×625 px, 42 KB)

[Thu Sep 05 16:08:56.515433 2019] [php7:notice] [pid 4068] [client 127.0.0.1:61448] [2019-09-05 16:08:56] PHLOG: 'Array
(
    [sub] => 00u1ajvtk6vHXcBOE357
    [name] => Duck Ling
    [locale] => en-US
    [email] => duckling@yghe.net
    [preferred_username] => duckling@yghe.net
    [given_name] => Duck
    [family_name] => Ling
    [zoneinfo] => America/Los_Angeles
    [updated_at] => 1567720694
    [email_verified] => 1
    [groups] => Array
        (
            [0] => Everyone
            [1] => Ducks
        )

)
'

epriestley mentioned this in T524: OpenID Authentication as an Auth Option.Sep 27 2019, 1:15 AM

victorlin added a subscriber: victorlin.Dec 3 2019, 6:47 PM

	F6841582: Screen Shot 2019-09-05 at 3.44.33 PM.png
	Sep 5 2019, 11:10 PM

	F6841636: Screen Shot 2019-09-05 at 4.09.47 PM.png
	Sep 5 2019, 11:10 PM

Evaluate Okta OAuthOpen, LowPublicActions

Description

Related Objects

Event Timeline

Evaluate Okta OAuth
Open, LowPublic
Actions