Okta OAuth Authorization plugin issue

[Ryan Maltres]

Hello,

I'm encountering the below issue when I input the correct Okta Endpoint, OAuth Client ID and OAuth Client Secret. Also, access seems to be fine from container to okta. (GoCD Version: 22.3.0)

"There was a problem fetching Authorization Configurations

Refresh this page in some time, and if the problem persists, check the server logs."

At that point, the user interface becomes non-responsive and ceases to function, displaying ERR_EMPTY_RESPONSE in Chrome, and it remains inaccessible until I manually delete the <security> tag from within the cruise-config.xml file.

From log file:

2023-03-28 09:12:34,883 INFO  [Thread-79] DefaultPluginJarChangeListener:67 - Plugin load starting: /go-working-dir/plugins/external/okta-oauth-authorization-plugin-1.1.0-8.jar
2023-03-28 09:12:35,266 WARN  [Thread-79] PluginSettingsMetadataLoader:63 - Failed to fetch plugin settings metadata for plugin cd.go.authorization.okta. Maybe the plugin does not implement plugin settings and view?
2023-03-28 09:12:35,267 WARN  [Thread-79] PluginSettingsMetadataLoader:64 - Plugin: cd.go.authorization.okta - Metadata load info: [{extension='authorization', configuration='null', view='null', error='The plugin sent a null response'}]
2023-03-28 09:12:35,268 WARN  [Thread-79] PluginSettingsMetadataLoader:65 - Not all plugins are required to implement the request above. This error may be safe to ignore.

Any help would be appreciated. Thank you

[Chad Wilson]

Please check the plugin specific log file, and be a bit more specific about what you are populating and clicking, and the associated HTTP responses from the browser.

If it's getting an empty response upon saving a new config it may just be a 401/403 because with the added configuration you are now considered unauthorized even though you previously had a valid session. Refreshing manually or using an incognito tab would likely leavd you loggee out if that is the case - and then allow you to attempt an Okta auth. If this is the only authorization config you have enabled $that is more likely than not.

-Chad

--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/fda74179-9902-411c-9975-a17943047f75n%40googlegroups.com.

[Chad Wilson]

Hmm, there's not much in the logs to go on there but I am guessing some sort of misconfiguration combined with a bug/suboptimal error handling somewhere :-(

Can you share the specific request that is hanging from your browser network tab when trying a fresh login i.e which GoCD API/endpoint? Not sure it's related, but iIn other things to check, can you check that your server Site URL and Secure Site URL are configured correctly in https://<gocd url>/go/admin/config/server (especially the Secure one)? Generally these would need to match at least the protocol://host:port that you've configured on Okta.

-Chad

On Mon, Apr 3, 2023 at 5:03 PM Ryan Maltres <ryan.m...@gmail.com> wrote:

As you correctly said, after I save the authorization configuration I get "You are not authenticated" 401 http response.

However, when I open an incognito window nothing will load, request times out and browser returns an empty response. (Access is enabled)

If I have been granted access to Okta as a user, I should be able to view the Okta authentication page at the minimum.


GoCD Okta plugin log:

• WARN  [Thread-79] OktaPlugin:97 - Request go.plugin-settings.get-configuration is not supported by plugin

GoCD Okta authorization configuration:

• API Issuer: https://<okta url>/oauth2/default
• Client ID & Secret ID

Okta settings:

• Login: https://<gocd url>/go/plugin/cd.go.authorization.okta/authenticate
• Initiate: https://<gocd url>/go/plugin/cd.go.authorization.okta/login

To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/f912e4fa-a098-45b9-9978-a756daa5358cn%40googlegroups.com.