redirect URL is incorrect and client values are still encrypted when used. #3
Managed to correct this issue by going to the GoCD server and manually modifying the config xml's tag to change the value from encryptedValue to value.
This should be the default, however, as this took too long to work out.
@Mark-McCracken, apologies for taking such a long time to respond, but I haven't used GoCD for quite some time now. I managed to investigate and test this out, and it looks like it's only related to the client ID being encrypted. I've merged a PR which changes the client ID from secure to plain text (it's not sensitive, as you've mentioned yourself). All Okta URLs are now generated correctly with the right client ID. re: URL encoding - when I encode the Feel free to download the latest version and try it out.
Hi,
when I try to set up the plugin, the value I pasted in for the client_id has been encrypted by GoCD,
so the URL I get redirected to when I click "login with Okta" is as follows:
https://myoktadomain.okta.com/oauth2/default/v1/authorize?client_id=AES:beZVTpELN4OVv5JNSjpZ3Q%3D%3D:hAUSGs6QdgTJGn5pOS7iO/GyEkI78rBO1%2Br84qMgr5Q%3D&redirect_uri=https://mydomain/go/plugin/cd.go.authorization.okta/authenticate&response_type=code&scope=openid%20profile%20email%20groups&state=11b9fd1b-...-f055d34ad99f&nonce=0c4d4b28-...-a47c8c081db2
There are 2 problems:
1 - The client_id is encrypted; it needs to be unencrypted. It's not sensitive.
2 - The redirect URL is not URL-encoded; it needs to be.
The URL should look more like:
https://.okta.com/oauth2/default/v1/authorize?client_id=0oa1i4s3tjdRFiqqq357&redirect_uri=https%3A%2F%2Fmydomain%2Fgo%2Fplugin%2Fcd.go.authorization.okta%2Fauthenticate&response_type=code&scope=openid%20profile%20email%20groups&state=11b9fd1b-...-f055d34ad99f&nonce=0c4d4b28-...-a47c8c081db2
When you manually use this URL, it works and redirects the user back to the application; however, it cannot log the user in. The plugin on the server tries to fetch groups, but again I suspect the following error code indicates the value has been encrypted, definitely for client_id but potentially also for client_secret.
See the following stacktrace:
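The two defects described above, as an added example that is not the plugin's own code: one function builds the authorize URL with every query value percent-encoded and refuses a client_id that still carries GoCD's encryption prefix, and a second function checks a generated URL for an encrypted client_id, a raw (unencoded) redirect_uri, and a redirect_uri that differs from the registered callback. The domain, callback path and encrypted sample value are constructed placeholders; the "AES:" prefix and the parameter layout follow the URLs quoted in the issue.

```python
"""Build an Okta OIDC authorize URL and check a generated one for the two defects
reported in this issue (GoCD-encrypted client_id, unencoded redirect_uri).
Added example; not code from the GoCD Okta authorization plugin."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, unquote, quote

# GoCD prefixes encrypted property values with "AES:" (seen in the issue's URL).
ENCRYPTED_PREFIX = "AES:"


def build_authorize_url(okta_domain, client_id, redirect_uri, state=None, nonce=None):
    """Return an authorization-code URL with every query value percent-encoded."""
    if client_id.startswith(ENCRYPTED_PREFIX):
        raise ValueError("client_id is still GoCD-encrypted; store it as a plain value")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile email groups",
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this request
        "nonce": nonce or secrets.token_urlsafe(16),  # binds the ID token to this request
    }
    # quote (not quote_plus) encodes ":" and "/" too and renders spaces as %20.
    return f"https://{okta_domain}/oauth2/default/v1/authorize?" + urlencode(params, quote_via=quote)


def check_authorize_url(url, expected_redirect_uri):
    """Return the list of defects found in an authorize URL (empty when clean)."""
    problems = []
    raw_query = urlsplit(url).query
    decoded = parse_qs(raw_query, keep_blank_values=True)
    if decoded.get("client_id", [""])[0].startswith(ENCRYPTED_PREFIX):
        problems.append("client_id is a GoCD-encrypted value")
    # Look at the raw query: an unencoded redirect_uri still contains ":" and "/".
    raw_redirect = next((p[len("redirect_uri="):] for p in raw_query.split("&")
                         if p.startswith("redirect_uri=")), "")
    if ":" in raw_redirect or "/" in raw_redirect:
        problems.append("redirect_uri is not percent-encoded")
    if unquote(raw_redirect) != expected_redirect_uri:
        problems.append("redirect_uri does not match the registered callback")
    return problems


# Constructed placeholders modelled on the issue's URLs (not real Okta values).
REDIRECT = "https://mydomain/go/plugin/cd.go.authorization.okta/authenticate"
BAD_URL = ("https://myoktadomain.okta.com/oauth2/default/v1/authorize"
           "?client_id=AES:c29tZWl2%3D%3D:ZW5jcnlwdGVkaWQ%3D&redirect_uri=" + REDIRECT +
           "&response_type=code&scope=openid%20profile%20email%20groups&state=s1&nonce=n1")

if __name__ == "__main__":
    print(check_authorize_url(BAD_URL, REDIRECT))
    print(build_authorize_url("myoktadomain.okta.com", "0oa1i4s3tjdRFiqqq357", REDIRECT))
```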