cloudfront-auth
Issue with Okta setup
I set up Okta with CloudFront as per the document, but I am not able to connect with Okta for authentication and get the error below. I also raised a case with Okta and got the following response from them. Could someone help, please?
Feb 14 08:25:12 [ INFO ] [ StoredEvents ] - [ eventType=app.oauth2.token.grant, legacyEventType=app.oauth2.token.grant_failure, PublicClientApp=0oajd96le5ZMeHq9K0h7, device=Unknown, os=Unknown, browser=UNKNOWN, USER_AGENT=axios/0.17.1, code=null, client_auth_type=client_secret_post, requested_scopes=, grant_type=authorization_code, granted_scopes=, redirect_uri=http://dwhdq6u79yc7q.cloudfront.net/index.html, request_id=XGUl6IVmznKpoTY64e00mAAABhQ, request_uri=/oauth2/v1/token, url=/oauth2/v1/token?, result=FAILURE, reason="invalid_authorization_code" ]
There are two possible causes for this error - invalid_authorization_code:
- authorization code is being sent to Okta after 60 seconds from when it was created
- authorization code is being sent twice to Okta and it fails the second time
I've never received this error before. First, is there a reason why your redirect URI is a file? We suggest it be /_callback
Hi Payton
> I've never received this error before. First, is there a reason why your redirect URI is a file? We suggest it be /_callback
Thanks for the response. I updated my Okta app and re-created the zip file, and now I get this error: Description: The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings.
Sorry if I confused you with this. I mean your redirect URI should be "http://{cloudfront-endpoint}.net/_callback". Then you must add that same redirect URI to the list of accepted redirect URIs in OKTA.
Just following up on this issue. Did you have any luck resolving it?
Perhaps I am making a mistake, but this is my Okta app setup: Login redirect URIs: http://dwhdq6u79yc7q.cloudfront.net/_callback; Initiate login URI: http://dwhdq6u79yc7q.cloudfront.net
./build.sh redirect_uri: Redirect URI: http://dwhdq6u79yc7q.cloudfront.net/_callback. The first error I get is "dev-876540.oktapreview.com redirected you too many times". The error after multiple reloads is "nonce verification failed".
I have even tried making the redirect URI http://dwhdq6u79yc7q.cloudfront.net for all of Login redirect, Initiate login and redirect_uri as well; it still seems to fail.
Hi, are there any updates on this? @payton
> Perhaps I am making a mistake, but this is my Okta app setup: Login redirect URIs: http://dwhdq6u79yc7q.cloudfront.net/_callback; Initiate login URI: http://dwhdq6u79yc7q.cloudfront.net
> ./build.sh redirect_uri: Redirect URI: http://dwhdq6u79yc7q.cloudfront.net/_callback. The first error I get is "dev-876540.oktapreview.com redirected you too many times". The error after multiple reloads is "nonce verification failed".
> I have even tried making the redirect URI http://dwhdq6u79yc7q.cloudfront.net for all of Login redirect, Initiate login and redirect_uri as well; it still seems to fail.
In your Okta admin portal you need to go to Security-->API-->Trusted Origins and add the "Initiate login URI" and check the Redirect checkbox.
I'm also having some problems with the Okta setup. I've followed the instructions in the readme and wiki. When I try to access the CloudFront URL, I get redirected to Okta for authentication. After successful authentication, I am again redirected to the CloudFront URL that was configured in Okta (https://sdg9723lsdg.cloudfront.net/_callback) with some additional data in the query string.
Problem is, I don't have a /_callback file in my S3 bucket, and after following the Lambda@Edge setup instructions, I don't see anything that is handling that path. It seems something is missing in the setup/docs.
Has anyone successfully used this repo to set up CloudFront authentication with Okta?
> Problem is, I don't have a /_callback file in my S3 bucket, and after following the Lambda@Edge setup instructions, I don't see anything that is handling that path. It seems something is missing in the setup/docs.
After spending some time troubleshooting and going through some other tickets and the wiki, I realized that I don't need to have a _callback file in my S3 bucket. The lambda function is supposed to take care of catching this in the request URL and redirecting to the appropriate path. Unfortunately, that redirect is not working for me.
Once I get redirected to Okta for authentication, I'm redirected back to a URL that looks like this:
https://{cf-domain}.cloudfront.net/_callback?code=abcd1234xyz6789&state=%2Fpath%2Fto%2Fprivate%2Findex.html
It seems that after successful authentication the lambda function is redirecting to _callback/index.html instead of redirecting to path/to/private/index.html.
As a result, CloudFront responds with a "NoSuchKey" error.
I was able to set this up successfully... finally 😄
I needed to make some adjustments in my CloudFront setup. I'm serving a static site hosted in an S3 bucket through CloudFront. So, I had another lambda function deployed to take care of automatically redirecting to /index.html if the path didn't end with an extension. This is to mimic typical web server behaviour. That's why I needed to set up a separate behaviour for the /_callback path.
@shashankreed - I had also run into the problem you mentioned:
> The first error I get is "dev-876540.oktapreview.com redirected you too many times". The error after multiple reloads is "nonce verification failed".
In my case, it was because I didn't change the default session value when I ran ./build.sh. The default session is set to 0. That's why, after initially signing into Okta and being redirected back to CloudFront, I was being redirected to Okta again. This redirect kept happening back and forth and eventually produced an error page mentioning too many redirects, which eventually got redirected to the "nonce verification failed" response.
Hope that helps...
@amimas - What did you set the session value to?
I've set it to an hour (session value in seconds). It was a PoC at the time. I haven't tested with different values to see if the session expires properly.