BrilliantTechnology/omniauth-oktaoauth
omniauth-oktaoauth OmniAuth Okta OAuth2 Strategy

This gem continues the great work done by Danandrews in omniauth-okta as well as the great work done by andrew.vanbeek@okta.com in omniauth-oktaoauth.

This newer version adds options for Okta's API Access Management and for custom OAuth tokens and URLs.

Note: This is not yet a fully officially released tool and may be subject to change. Feel free to use or improve on it!

To see it in action check out the example app: https://github.com/andrewvanbeek-okta/oktaOmniauthDeviseSample

This strategy can use both Okta's OpenID Connect flow and its API Access Management flow. See the developer docs for more details.

The part that BRILLIANTMADE.COM fixed:

If the default Authorization Server is used, fetching the raw user info works without issue. If an organization creates additional Authorization Servers, however, Okta generates each one with what appears to be a hashed id as part of its path, and building the userinfo path by concatenating auth_server_id does not work. Instead, the path that Okta created for the new Authorization Server must be used.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-oktaoauth'

And then execute:

$ bundle install

Or install it yourself as:

$ gem install omniauth-oktaoauth

Devise

For OpenID Connect only, the discovery document is at {your okta org or custom url}/.well-known/openid-configuration.

The endpoints for custom auth servers can be found at {your okta org or custom url}/oauth2/{your server id}/.well-known/oauth-authorization-server.

💡 Protip: Save yourself time and look at these URLs. They return a JSON blob that gives you the info you need to fill in the Devise settings.
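As an added example (not code from the gem), here is one way to take the endpoints out of that JSON blob, including the userinfo URL that the BRILLIANTMADE.COM fix concerns, instead of concatenating auth_server_id onto the org URL. The discovery document below is constructed sample data with a made-up authorization server id; the issuer check and the same-host check are assumptions about how you would want to harden the lookup.

```ruby
require 'json'
require 'uri'

# Constructed sample of what {issuer}/.well-known/oauth-authorization-server
# returns for a custom Okta authorization server (the server id is made up).
SAMPLE_DISCOVERY = <<~JSON
  {
    "issuer": "https://your-org.okta.com/oauth2/aus1abcd2efgh3ijk4l5",
    "authorization_endpoint": "https://your-org.okta.com/oauth2/aus1abcd2efgh3ijk4l5/v1/authorize",
    "token_endpoint": "https://your-org.okta.com/oauth2/aus1abcd2efgh3ijk4l5/v1/token",
    "userinfo_endpoint": "https://your-org.okta.com/oauth2/aus1abcd2efgh3ijk4l5/v1/userinfo",
    "jwks_uri": "https://your-org.okta.com/oauth2/aus1abcd2efgh3ijk4l5/v1/keys"
  }
JSON

class DiscoveryError < StandardError; end

# Map discovery keys to the names used in the Devise client_options block.
ENDPOINT_KEYS = {
  'authorization_endpoint' => :authorize_url,
  'token_endpoint'         => :token_url,
  'userinfo_endpoint'      => :userinfo_url
}.freeze

# Parse a discovery document and return the endpoints the Devise config needs.
# expected_issuer is the OKTA_ISSUER you configured. The document's own
# "issuer" must match it exactly, and every endpoint must be an https URL
# under that issuer, so a wrong or tampered document cannot send the
# authorization code, tokens or userinfo request somewhere else.
def okta_endpoints(discovery_json, expected_issuer)
  doc = JSON.parse(discovery_json)
  unless doc['issuer'] == expected_issuer
    raise DiscoveryError, "issuer mismatch: #{doc['issuer'].inspect}"
  end
  issuer = URI(expected_issuer)
  ENDPOINT_KEYS.each_with_object({}) do |(key, name), out|
    url = doc[key]
    raise DiscoveryError, "missing #{key}" if url.nil?
    u = URI(url)
    unless u.scheme == 'https' && u.host == issuer.host &&
           u.path.start_with?("#{issuer.path}/")
      raise DiscoveryError, "#{key} #{url} is not under issuer #{expected_issuer}"
    end
    out[name] = url
  end
end
```

The returned :authorize_url and :token_url drop straight into client_options, and :userinfo_url is the path Okta created for the server rather than one assembled from auth_server_id.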

Here is an example with Devise in config/initializers/devise.rb:

config.omniauth(:oktaoauth, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'],
  scope: 'openid profile email',
  fields: ['profile', 'email'],
  client_options: {
    site: ENV['OKTA_ISSUER'],
    authorize_url: ENV['OKTA_ISSUER'] + "/v1/authorize",
    token_url: ENV['OKTA_ISSUER'] + "/v1/token"
  },
  redirect_uri: ENV["OKTA_REDIRECT_URI"],
  auth_server_id: ENV['OKTA_AUTH_SERVER_ID'],
  issuer: ENV['OKTA_ISSUER'],
  strategy_class: OmniAuth::Strategies::Oktaoauth)

Add the following to 'config/routes.rb' to define the callback routes:

devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }

Make sure your model is omniauthable. Generally this is done in "/app/models/user.rb":

devise :omniauthable, omniauth_providers: [:oktaoauth]

Auth Hash

Here's an example of an authentication hash available in the callback by accessing request.env['omniauth.auth']:

{
  "provider" => "okta",
  "uid" => "0000000000000001",
  "info" => {
    "name" => "John Smith",
    "email" => "john@example.com",
    "first_name" => "John",
    "last_name" => "Smith",
    "image" => "https://photohosting.com/john.jpg"
  },
  "credentials" => {
    "token" => "TOKEN",
    "expires_at" => 1496617411,
    "expires" => true
  },
  "extra" => {
    "raw_info" => {
      "sub" => "0000000000000001",
      "name" => "John Smith",
      "locale" => "en-US",
      "email" => "john@example.com",
      "picture" => "https://photohosting.com/john.jpg",
      "website" => "https://example.com",
      "preferred_username" => "john@example.com",
      "given_name" => "John",
      "family_name" => "Smith",
      "zoneinfo" => "America/Los_Angeles",
      "updated_at" => 1496611646,
      "email_verified" => true
    },
    "id_token" => "TOKEN",
    "id_info" => {
      "ver" => 1,
      "jti" => "AT.D2sslkfjdsldjf899n090sldkfj",
      "iss" => "https://your-org.okta.com",
      "aud" => "https://your-org.okta.com",
      "sub" => "john@example.com",
      "iat" => 1496613811,
      "exp" => 1496617411,
      "cid" => "CLIENT_ID",
      "uid" => "0000000000000001",
      "scp" => ["email", "profile", "openid"]
    }
  }
}

License

The gem is available as open source under the terms of the MIT License.
