Okta OIDC for Management UI Only Not Working


Karl Falconer

Jun 29, 2023, 5:01:57 PM6/29/23
to rabbitmq-users
Hi,

I am trying to use Okta for access to the Management UI only. Referring to this blog post about release 3.11 OIDC support, it seems like it is pretty much what I need.

However I get an error from Okta: "Browser requests to the token endpoint must use Proof Key for Code Exchange." Their help document says the error is caused by an "Origin" header being present in the request to the /token endpoint of the authorization server.

If instead I follow the tutorials and guides for Okta, I end up with a different error: 

HTTP access denied: Authentication using an OAuth 2/JWT token failed: {error,key_not_found}

The main difference between the Okta guides and what I am doing is that I am not using a custom Okta auth server, so I am hoping that the scope_aliases will provide the "group" to permissions mapping.

advanced.config.yaml

Saifeddine Rajhi

Jun 30, 2023, 3:40:24 AM6/30/23
to rabbitm...@googlegroups.com
Hello,

Can you please send your token generated by Okta, decoded?
You can use jwt.io.

At first glance, I cannot see the extra_scopes field.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/0c8c0e81-c9f8-4d97-ab16-1a0c73c0225bn%40googlegroups.com.

Karl Falconer

Jun 30, 2023, 1:43:57 PM6/30/23
to rabbitmq-users
Hi,

See below:
This is the response to the /token call. I've included the details for both the access_token and the id_token.
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "xxx",
"scope": "openid profile email groups",
"id_token": "xxxx"
}


access_token:
HEADER:ALGORITHM & TOKEN TYPE

{
  "kid": "ZkvelLN_seik7w4pc_prCcfUf-h2hFfiwkDeCrs0iUc",
  "alg": "RS256"
}
PAYLOAD:DATA
{
  "ver": 1,
  "jti": "AT.MNAoEQ_jbKqoinrQo1D0XKjMX28U5d7ZszBceot7-Ts",
  "iss": "https://xxxx.okta.com",
  "aud": "https://xxxx.okta.com",
  "sub": "x...@xxxxx.com",
  "iat": 1688146471,
  "exp": 1688150071,
  "cid": "client_id",
  "uid": "yyyyy",
  "scp": [
    "openid",
    "profile",
    "email",
    "groups"
  ],
  "auth_time": 1688145909
}

id_token:

HEADER:ALGORITHM & TOKEN TYPE

{
  "kid": "fAomAvsWyAWDlnBuJbHoqqCRcRdmsg4vri0OICxbIgs",
  "alg": "RS256"
}
PAYLOAD:DATA

{
  "sub": "yyyyy",
  "name": "xxxx",
  "email": "xx...@xxxxx.com",
  "ver": 1,
  "iss": "https://xxx.okta.com",
  "aud": "client_id",
  "iat": 1688146471,
  "exp": 1688150071,
  "jti": "ID.radCQMOQUmyvcTBmmIL0J6BaS60apUEiC7-vI7pOmkw",
  "amr": [
    "pwd"
  ],
  "idp": "yyyyy",
  "preferred_username": "xx...@xxxx.com",
  "auth_time": 1688145909,
  "at_hash": "fPlsvVszI29LU2UhDyJ9vg"
}

Saifeddine Rajhi

Jul 1, 2023, 5:53:15 AM7/1/23
to rabbitm...@googlegroups.com
Hello,

I think you are missing the extra_scopes_source field, which is required.


Karl Falconer

Jul 3, 2023, 3:33:27 PM7/3/23
to rabbitmq-users
I believe the problem I am having with the Single Page Application / Public App setup in Okta is described very well here: https://github.com/rabbitmq/rabbitmq-server/discussions/7252

The summary being that Okta delivers an id_token and an access_token, but the keys in the jwks_url only provide the key id for the id_token, not the access_token, which would explain the key_not_found error.

However, what I am still trying to figure out is why the authorization code grant is not working as expected. When I switch to a "Web Application" type configuration in Okta and set the oauth_client_secret value, I get the "Browser requests to the token endpoint must use Proof Key for Code Exchange." error because of the presence of the "Origin" header. How would I enable PKCE?
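The Okta error above is about Proof Key for Code Exchange (RFC 7636). The thread does not say whether or how the RabbitMQ management UI can be made to send it, so the following is an added illustration of the mechanism itself, not code from the original post or from RabbitMQ: the client generates a random code_verifier, sends its SHA-256 code_challenge on the /authorize request, and later presents the verifier on the /token request; the authorization server recomputes the challenge and rejects the exchange when it does not match. Parameter names follow the RFC; the "flow" here is simulated in-process rather than sent over HTTP.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random high-entropy verifier. 32 bytes encode to 43 unreserved
    characters (A-Z, a-z, 0-9, '-', '_'), the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_checks_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """What the token endpoint does with the verifier presented on /token:
    recompute the challenge stored at /authorize time and compare in constant time."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # allowed by the RFC but not recommended
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def demo_flow() -> dict:
    """Simulated authorization code + PKCE exchange, both sides in one process."""
    # Client side, before redirecting the browser to /authorize.
    verifier = make_code_verifier()
    authorize_params = {
        "response_type": "code",
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # Server side stores the challenge with the issued authorization code.
    stored = (authorize_params["code_challenge"], authorize_params["code_challenge_method"])

    # Client side, on the back-channel /token request.
    token_params = {"grant_type": "authorization_code", "code_verifier": verifier}

    return {
        "verifier_length": len(verifier),
        # The legitimate client, holding the original verifier, is accepted.
        "accepted": server_checks_pkce(stored[0], stored[1], token_params["code_verifier"]),
        # A party that only intercepted the code (and not the verifier) is rejected.
        "wrong_verifier_rejected": not server_checks_pkce(stored[0], stored[1], make_code_verifier()),
    }


if __name__ == "__main__":
    print(demo_flow())
```

The point for a public (single-page) client is that no client secret is needed: the verifier never leaves the client until the /token call, so a stolen authorization code alone cannot be redeemed.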

Marcial Rosales

Jul 11, 2023, 5:14:28 AM7/11/23
to rabbitmq-users
Hi Karl, you have probably read @sangit's replies on GitHub at https://github.com/rabbitmq/rabbitmq-server/discussions/7252#discussioncomment-6347851 to your question.
It looks like you need to pay Okta if you want to use the access_token(s) because Okta does not reveal the signing keys used for the access tokens. 
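The key_not_found situation described in the two posts above (a jwks_url that publishes the id_token's signing key but not the access_token's) can be checked directly before touching RabbitMQ. The script below is an added example, not part of the original thread or of RabbitMQ: it reads the `kid` from each token's JOSE header and looks it up in a JWKS document. The two kids are the ones posted earlier in the thread; the tokens and the JWKS are constructed in-line with placeholder key material and signatures, because the check only matches key ids and does not verify signatures.

```python
import base64
import json

# Constructed JWKS document: only the id_token signing key is published,
# which is the situation the thread describes. The kid values come from the
# decoded tokens posted above; the key material is a placeholder.
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "RSA",
            "kid": "fAomAvsWyAWDlnBuJbHoqqCRcRdmsg4vri0OICxbIgs",
            "alg": "RS256",
            "use": "sig",
            "n": "PLACEHOLDER-MODULUS",
            "e": "AQAB",
        }
    ]
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments use it (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped from a JWT segment before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a token-shaped string for the demo; the signature is a placeholder."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"PLACEHOLDER-SIGNATURE"),
    ])


def jwt_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict):
    """Return the JWK whose kid matches the token header, or None if absent."""
    kid = jwt_header(token).get("kid")
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid:
            return jwk
    return None


def diagnose(tokens: dict, jwks: dict) -> dict:
    """Map each token name to 'ok' or 'key_not_found' (the error RabbitMQ reports)."""
    return {
        name: "ok" if find_signing_key(tok, jwks) is not None else "key_not_found"
        for name, tok in tokens.items()
    }


# Constructed tokens carrying the two kids from the posted decoded tokens.
SAMPLE_TOKENS = {
    "access_token": make_unsigned_jwt(
        {"kid": "ZkvelLN_seik7w4pc_prCcfUf-h2hFfiwkDeCrs0iUc", "alg": "RS256"},
        {"iss": "https://xxxx.okta.com", "scp": ["openid", "profile", "email", "groups"]},
    ),
    "id_token": make_unsigned_jwt(
        {"kid": "fAomAvsWyAWDlnBuJbHoqqCRcRdmsg4vri0OICxbIgs", "alg": "RS256"},
        {"iss": "https://xxxx.okta.com", "aud": "client_id"},
    ),
}

if __name__ == "__main__":
    for name, result in diagnose(SAMPLE_TOKENS, SAMPLE_JWKS).items():
        print(f"{name}: {result}")
```

Against a real deployment, replace SAMPLE_JWKS with the JSON fetched from the configured jwks_url and SAMPLE_TOKENS with the tokens returned by /token; a `key_not_found` for the access_token confirms the issuer is not publishing that key, and no RabbitMQ configuration change will make signature verification succeed.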