Logging in using passport strategy works, but redirects me back to login page

I am using passport-okta-oauth to login to my Node RED instance and have confirmed that the login is succeeding (by logging to the console the profile object inside of the verify callback), however after redirecting back to my instance it reloads the homepage with "Sign in using Okta" still visible instead of to the dashboard.

It seems I must be missing a final step, but can't figure it out. Here is my code:

adminAuth: {
    type:"strategy",
    strategy: {
        name: "okta",
        label: "Sign in using Okta",
        icon:"fa-key",
        strategy: require("passport-okta-oauth").Strategy,
        options: {
            audience: "https://mycompany.okta.com",
            clientID: "XXXXXXX",
            clientSecret: "xxxxxx",
            scope: ["openid", "email", "profile", "offline_access"],
            response_type: "code",
            callbackURL: "https://mycompany.com/auth/strategy/callback",

            verify: function(accessToken, refreshToken, profile, done) {
                console.log(profile);
                return profile;
            }
        }
    },
    users: [
        { username: "justAnotherDev", permissions: ["*"] }
    ]
},

The console prints out the signed in profile object:

{ provider: 'okta',
  id: 'xxxxxxxx',
  displayName: 'justAnotherDev',
  username: 'justAnotherDev@mycompany.com',
  name:
   { fullName: 'justAnotherDev',
  emails: [ { value: 'justAnotherDev@mycompany.com' } ],
  _raw:
   '{"sub":"xxxxxxxx","name":"justAnotherDev","locale":"US","email":"justAnotherDev@mycompany.com","updated_at":1587413637,"email_verified":true}',
  _json:
   { sub: 'xxxxxxxx',
     name: 'justAnotherDev',
     locale: 'US',
     email: 'justAnotherDev@mycompany.com',
     nickname: 'justAnotherDev',
     preferred_username: 'justAnotherDev@mycompany.com',
     zoneinfo: 'America/Los_Angeles',
     updated_at: 1587413637,
     email_verified: true } }

What am I missing? I have tried adding done(null, profile); before (and in place of) returning the profile object but that didn't help either.

Comparing with our GitHub auth plugin, you should definitely have done(null,profile) and not the return statement.

Beyond that, I can't see anything missing.

You should edit your settings file to enable the audit logging events - that may give you a bit more of a hint where it's failing.

done(null, profile); doesn't seem to help. Adding the audit call does at least display this error in the log:

21 Apr 01:20:28 - [audit] {"event":"auth.login.fail.oauth","username":"justAnotherDev@mycompany.com","level":98,"timestamp":1587432028295}
21 Apr 01:20:29 - [audit] {"event":"auth.invalid-token","level":98,"timestamp":1587432029075}

The audit log shows it has tried to authenticate the username justAnotherDev@mycompany.com, but in your users array, your user is called justAnotherDev.
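The mismatch pointed out in the reply above, as an added example that is not part of the original thread and is not Node-RED's own code: a pre-flight check of a profile against the `users` array. The helper name `checkAdminUser` is hypothetical, the sample data is constructed from the values in this thread, and the exact-match rule is an assumption drawn from the audit log shown above.

```javascript
// Added example: models the lookup described in this thread, not Node-RED source.
// Assumption: a strategy login is accepted only when profile.username is
// exactly equal to a username listed in adminAuth.users.

// Constructed sample data mirroring the thread.
const sampleProfile = {
    provider: "okta",
    displayName: "justAnotherDev",
    username: "justAnotherDev@mycompany.com",
    emails: [{ value: "justAnotherDev@mycompany.com" }]
};
const brokenUsers = [{ username: "justAnotherDev", permissions: ["*"] }];
const fixedUsers = [{ username: "justAnotherDev@mycompany.com", permissions: ["*"] }];

// Hypothetical helper: reports whether the profile maps to a configured user
// and, if not, which configured names look like the intended entry.
function checkAdminUser(profile, users) {
    const wanted = typeof profile === "string" ? profile : profile && profile.username;
    if (!wanted) {
        return { ok: false, reason: "profile has no username field", nearMisses: [] };
    }
    const exact = users.find(u => u.username === wanted);
    if (exact) {
        return { ok: true, username: exact.username, permissions: exact.permissions };
    }
    // Near misses: same name in another case, the local part of an email-style
    // username, or the displayName. Reported for diagnosis only, never accepted.
    const lower = wanted.toLowerCase();
    const hints = new Set(
        [lower, lower.split("@")[0], String(profile.displayName || "").toLowerCase()]
            .filter(s => s.length > 0)
    );
    const nearMisses = users
        .map(u => String(u.username))
        .filter(name => hints.has(name.toLowerCase()));
    return {
        ok: false,
        reason: `no users entry named "${wanted}"`,
        nearMisses,
        // Same event name and username field as the audit line in the thread.
        audit: { event: "auth.login.fail.oauth", username: wanted }
    };
}

console.log(checkAdminUser(sampleProfile, brokenUsers));
console.log(checkAdminUser(sampleProfile, fixedUsers));
```

The near-miss list is only a hint for correcting the `users` entry; the comparison itself should stay exact, because that array is the allowlist deciding who gets editor permissions.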

That was it! It is probably worth adding a note to the documentation that values provided for username may need to be an email, and ideally update the error message.

Thanks so much for helping me solve this so quickly!
