okta: refused to connect #4416
Comments
Please help ASAP |
@jeffradom We will need a reproducible example in order to see the issue you are having. Also, if there is an existing issue already for this - we suggest you comment within that issue instead of creating a new one. Can you link the previous issues you were looking at? Can you provide a way for us to reproduce this exactly? |
@jennifer-shehane There are some existing issues similar to what I got, but none were ever fixed and some were closed because people simply 'ditched' Cypress as a tool for testing because it can't handle simple login with redirects. I can't give you more details for OKTA behavior but you might need to get an OKTA account and a site that uses it, or create your own, to see that issue. With Salesforce you can create a free SFDC account and try to login using Cypress. All logins above work seemingly with Selenium, Testcafe, etc. In other words none of the code I tried with redirects don't work. I'm not looking for a recipe but for something that really works out of the box like other tools do. In real life, for E2E testing, users will just log in, and Login/Logout are the main tests for usual release criteria |
I've asked our UI expert and he suggested the following code to bypass OKTA SSO, but it was able to set a cookie successfully but read a value as blank. Please advise

```js
describe('CAIR login and case creation', function() {
  it('CAIR login and case creation', function() {
    // Request the session endpoint and try to read the XSRF token from the response.
    // Browsers do not expose Set-Cookie to fetch(), so headers.get('Set-Cookie') returns null here.
    fetch('http://aaa.com/api/v1.1/session', { method: 'GET' })
      .then(res => {
        console.log('--> Response', res.headers);
        return res.headers.get('Set-Cookie').match(/XSRF-TOKEN=([^;]+)/)[1];
      })
      .then(() => {
        console.log('--> Before login...');
      });
    // Fill in and submit the Okta sign-in widget
    cy.visit('login');
    cy.get('#okta-signin-username').type('login');
    cy.get('#okta-signin-password').type('password');
    cy.get('#okta-signin-submit').click();
  });
});
```
|
You may want to look into using the |
I understand this is for OKTA specifically, but I'm not sure it should be, as my understanding is it will happen with all SAML IdPs. We used OKTA in the past and now Google IDaaS and we're never going to get in without being SAML-authenticated. I don't know that there's a perfect solution to this issue. #1489 captures this well I think. I might try |
Just faced the same issue! Our company is moving to OKTA. The first application has already moved and that broke Cypress tests. Cypress just literally doesn't want to redirect to the OKTA login page.... |
@jeffradom

```js
const optionsSessionToken = {
  method: 'POST',
  url: 'https://your_company_link_to_auth_server.com/api/v1/authn',
  body: {
    username: 'your_OKTA_username',
    password: 'your_OKTA_password',
    options: {
      warnBeforePasswordExpired: 'true'
    }
  }
};

// first cy.request: you need to get an OKTA session token
cy.request(optionsSessionToken).then(resp => {
  const sessionToken = resp.body.sessionToken;

  // once you have a token, you need to hit the okta authorize URL with client ID and redirect URL.
  // it will be a very long string with different params. Add the session token at the end of the string as a parameter
  cy.request({
    method: 'GET',
    url:
      'https://your_company_link_to_authorize.com/oauth2/default/v1/authorize?client_id=11111111&redirect_uri=http://localhost:4200/callback&response_type=id_token token&OTHER PARAMS PARAMS PARAMS&sessionToken=' + sessionToken,
    form: true,
    followRedirect: false
  }).then(respWithToken => {
    const url = respWithToken.redirectedToUrl;

    // if you want to save the bearer token to make other API calls with cy.request
    // use the code below with cy.wrap(). If you don't, just ignore it
    const token = url
      .substring(url.indexOf('access_token'))
      .split('=')[1]
      .split('&')[0];
    cy.wrap(token).as('token');

    // last step is to visit the redirect url and then visit the homepage of the app
    cy.visit(url).then(() => {
      cy.visit('/');
    });
  });
});
```
|
Hi Postavshik, we use a reactjs application. I was following your code but I did not understand "OTHER PARAMS PARAMS PARAMS". Currently I have mentioned the url as https://xyz.oktapreview.com/oauth2/default/v1/authorize?client_id=0oalc0l9yi92mlnOU0h7&response_type=id_token token&scope=openid&redirect_uri=https://abc.com/implicit/callback&sessionToken=' + sessionToken, I am getting
in cypress , please help how to fix this issue... |
PARAMS PARAMS PARAMS - your link should have different generated parameters. My application has these parameters: response_mode, state and nonce tokens. According to your error message you are missing this parameter (nonce token) in your redirect URL. Ask your Devs about the correct URL with all these params. Also you can grab this link from the Chrome DevTools in the networking tab if you are able to successfully authenticate with OKTA. Test your link in Postman first, but switch off redirect in the settings first, otherwise you'll get an error. Once you get Status: 302 in Postman, go ahead and try this link in Cypress. |
Thanks a lot , i got the URL and we are also using same response_mode, state and nonce tokens, but i am not sure how to get state and nonce value for my URL. below is the application flow we have : |
These tokens should be part of your redirect URL as parameters, like: redirect_uri=https://abc.com/implicit/callback&response_mode=fragment&state=xxxxxxxxxx&nonce=xxxxxxxxx&scope= something something something |
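Added example (not from the original thread, and not Cypress or Okta code): one way to generate the `state` and `nonce` values discussed above, build the authorize URL with proper encoding, and check the redirect fragment instead of splitting the string by hand. The helper names, the issuer host and the placeholder values are assumptions; the ID token payload is decoded to compare the nonce, but its signature is not verified here.

```javascript
// Added example: helper names, hosts and placeholder values are assumptions.
const rng = globalThis.crypto || require('crypto').webcrypto;

// 128 bits of CSPRNG output, hex-encoded, for use as `state` or `nonce`.
function randomToken() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorize URL. URLSearchParams encodes "id_token token" and the
// redirect_uri, which hand-concatenated query strings do not.
function buildAuthorizeUrl({ issuer, clientId, redirectUri, sessionToken }) {
  const state = randomToken();
  const nonce = randomToken();
  const url = new URL(issuer.replace(/\/$/, '') + '/v1/authorize');
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'id_token token',
    response_mode: 'fragment',
    scope: 'openid',
    state,
    nonce,
    sessionToken,
  }).toString();
  return { url: url.toString(), state, nonce };
}

// Decode the JWT payload to read its claims. This does NOT verify the signature.
function jwtPayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')));
}

// Parse the fragment of the 302 redirect target. Surface an OAuth error if one
// came back, and reject responses whose state or nonce is not the one we sent.
function parseImplicitRedirect(redirectedToUrl, expected) {
  const params = new URLSearchParams(new URL(redirectedToUrl).hash.slice(1));
  if (params.get('error')) {
    throw new Error(`${params.get('error')}: ${params.get('error_description')}`);
  }
  if (params.get('state') !== expected.state) throw new Error('state mismatch');
  const idToken = params.get('id_token');
  if (!idToken || jwtPayload(idToken).nonce !== expected.nonce) {
    throw new Error('nonce mismatch');
  }
  return { accessToken: params.get('access_token'), idToken };
}
```

In a Cypress command, `buildAuthorizeUrl(...).url` would be the `url` passed to the second `cy.request`, and `parseImplicitRedirect(resp.redirectedToUrl, req)` would replace the `substring`/`split` chain.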
I made a custom command with some instructions that can be downloaded and imported into Cypress. @Postavshik Thanks for finding a way to get this accomplished. |
Thank you for this code! It helped me so much, I was looking all over for code to help me with PKCE specifications, I truly appreciate it! |
throws me below error

```js
Cypress.Commands.add('loginOkta', () => {
  const optionsSessionToken = {
    method: 'POST',
    url: 'https://xxxxx/v1/token',
    form: true,
    headers: {
      accept: 'application/json'
    },
    body: {
      username: 'xxxx',
      password: 'xxxx!',
      options: {
        warnBeforePasswordExpired: true,
        multiOptionalFactorEnroll: true
      }
    }
  }
  cy.request(optionsSessionToken).then(response => {
    const sessionToken = response.body.sessionToken;
    const qs = {
      client_id: 'xxxxxx',
      client_secret: 'xxxxx',
      state: 'test',
      redirect_uri: '<my UI url>',
      scope: 'openid',
      sessionToken: sessionToken
    }
    cy.request({
      method: 'GET',
      url: 'https://xxxxxx/v1/authorize',
      form: true,
      followRedirect: false,
      qs: qs
    }).then(responseWithToken => {
      const redirectUrl = responseWithToken.redirectedToUrl;
      console.log('Test1' + redirectUrl)
      const accessToken = redirectUrl
        .substring(redirectUrl.indexOf('access_token'))
        .split('=')[1]
        .split('&')[0];
      cy.wrap(accessToken).as('accessToken');
      cy.visit(redirectUrl).then(() => {
        cy.visit('/');
      });
    });
  });
})
```

Error
|
The error clearly says that your client_id is invalid. |
Hi, Artem, thanks for sharing your progress! I'm also getting similar error status: 400 and No Tenants Found error under the login form
|
I don't know. |
Hi Artem, thanks for following this! Also one additional question as for parameters: response_mode, state and nonce tokens. Where do we get that? Currently I'm wondering if I get the right credentials for this requests. I'm using robot account credentials, but maybe I have to try regular user account. |
Also very strange, but running this request https://developer.okta.com/docs/reference/api/oidc/#authorize in Postman (compared with Cypress, where I get 400) gives 200 almost every time, even if I remove required query parameters |
From what I understand, your credentials (username and password) are correct, because you passed first API call to get session token but you have 400 with a second request. So something is wrong with configuration of the second call. |
I ran into a similar issue. I have tried the above solution but I'm getting HTTP 400 error. Not sure what went wrong in the request. To the best of my knowledge, all the request inputs I passed are accurate. Here are the error details
|
Hi @Postavshik, am facing same issue in my application. we use OpenID as authentication. |
I need to write tests for an Okta SSO app. I tried the command referred to above but that solution does a redirect across domains so it is still not working for me. I am using okta v3 and openID, is there a way for okta to bypass multiple domains restrictions? This should be a very easy test to write and this restriction is adding unnecessary complications |
@Postavshik I used the same solution but I'm still getting the OKTA screen even after I see the 200 and 302 response codes in time travel cypress.io. Here is a screenshot: https://ibb.co/BPC5tLc |
I'm still digging into this here, but I've noticed that the pattern posted by @Postavshik (thanks BTW, it's been a life saver) works fine on electron and FireFox but no longer works on Chrome for me. I'm pretty sure that it used to but something's changed and while it certainly logs in, it no longer bypasses the okta login screen. I'll keep digging and post back if I work out what's going on. |
Yeah... something changed with OKTA since I posted the solution for the first time. For some of our applications, we have exactly the same picture. The old solution doesn't always work. But we found a new solution :))
|
I'm not sure that this is quite the same as my problem. Those look like the settings used by okta-auth-js and I'm using oidc-client instead, and I have nothing like that in my env when it works. This does make me wonder if there's something similar though that I need to do. Either way, I appreciate the follow up and it might well help someone else. |
@Postavshik Thanks for updating your example! I think it's very close to working for me. Are you using a framework like React, Vue, etc?, and if so are you using something like |
@danmolitor we are using Angular but for authorization, I don't remember that we are using something okta-angular specific. It's just a normal OKTA flow I guess... |
I've also faced the same issue, gone through many discussions, and finally I had a simple workaround which will help. So, the main thing here is that Cypress is not allowing different domains in the same test, so I've done the below one
|
After I get the accesstoken, I visit the url, but always get error in console. Who can help me? Uncaught (in promise) |
Hello thank you for this work, could you tell me why it does not work with Chrome browser under cypress which opens Okta login / password window? thank you |
We released If you have any feedback about |
Hi Jennifer, Is there an example to manage okta authentication knowing that my application is on one domain and okta authentication is on another domain? thank you for your answer and your work |
hi @Postavshik I'm new to cypress, I tested your code and I had questions should we create files ( |
@keaoner |
@Postavshik Thank you for the answer, I have advanced and I manage to load the okta-token-storage with all the information into the local storage, however, as soon as I go to the application with cy.visit ('/') the information in the okta-token-storage are emptied instantly and I don't understand why. |
@keaoner |
Hi all. OIDC login with Okta should now be supported with the |
Hi All, I'm new to Cypress. Any idea on how to implement Okta DSSO (Desktop single sign-on) authentication using Cypress? With DSSO there is no prompt page to enter user/password for authentication; it seems that Okta does the authentication in the background when I log into the computer. Since Cypress uses its own browser to run the automation, when it hits the app URL I'm getting an error message saying that I'm not allowed to proceed since I'm not authenticated. Please help. |
Is this a Feature or Bug?
Current behavior:
Desired behavior:
Steps to reproduce: (app code and test code)
Versions