asoral
September 24, 2023, 12:03pm
1
Hi,
I’m trying to set up Okta as an SSO for a Frappe site. I tried to create a Connected App but soon learnt that it’s for email (I still feel it does more than that).
Then I configured a Social Login Key with the “Custom” social login provider. I can’t seem to make it work. I’m stuck at the redirect URI.
Has anyone configured okta or any custom social login provider before?
e.g.
If your site name is erp.example.com
and social login key name is okta then use
https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom/okta
asoral
September 24, 2023, 1:49pm
3
Tried that and it gives this now. I think I’m missing something. Is there something like a code that needs to be put somewhere?
Traceback (most recent call last):
File "apps/frappe/frappe/app.py", line 95, in application
response = frappe.api.handle()
File "apps/frappe/frappe/api.py", line 54, in handle
return frappe.handler.handle()
File "apps/frappe/frappe/handler.py", line 47, in handle
data = execute_cmd(cmd)
File "apps/frappe/frappe/handler.py", line 85, in execute_cmd
return frappe.call(method, **frappe.form_dict)
File "apps/frappe/frappe/__init__.py", line 1622, in call
return fn(*args, **newargs)
TypeError: custom() missing 1 required positional argument: 'code'
Share screenshots of the Social Login Key and of the client registered on Okta.
asoral
September 24, 2023, 4:36pm
5
Here is the screenshot of the Social Login Key in the system. Let me know if you need anything else.
Below is the app in Okta. Do I need to do some special config in Okta too?
In the Social Login Key you need the API Endpoint. It is the userinfo endpoint of oauth2/OIDC (see “OpenID Connect & OAuth 2.0 API | Okta Developer”).
On the Okta side, where have you added the same redirect URI?
Appending the base URL, your authorize URI will be /oauth2/oauth2/… in your case. Set it to /v1/authorize.
asoral
September 24, 2023, 5:12pm
7
Yes, I did copy-paste the exact thing there in the Okta app.
asoral
September 24, 2023, 5:13pm
8
Changed the config as below.
It still gives the error below:
asoral
September 24, 2023, 5:31pm
9
Could it be this code?
Because of the settings below (I can’t seem to change it).
The code comes from the provider once authorization is successful.
What redirect URI have you set on Okta?
asoral
September 25, 2023, 3:38am
11
The following works; change as per your URL, client_id, client_secret and redirect_url:
{
  "name": "okta",
  "enable_social_login": 1,
  "social_login_provider": "Custom",
  "client_id": "yourclientid",
  "provider_name": "okta",
  "client_secret": "****************************************************************",
  "icon": "/files/okta_sso.png",
  "base_url": "https://trial-1234567.okta.com/oauth2/default",
  "authorize_url": "/v1/authorize",
  "access_token_url": "/v1/token",
  "redirect_url": "https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom/okta",
  "api_endpoint": "https://trial-1234567.okta.com/oauth2/default/v1/userinfo",
  "auth_url_data": "{\"scope\":\"openid email profile\",\"response_type\":\"code\"}"
}
2 Likes
asoral
September 28, 2023, 4:12am
13
Thanks a lot, Revant. I hope I could contribute back to the community the way you do.
Thanks a lot
The solution above is specifically for when a custom authorization server is set up, for which a specific Okta add-on is needed. Without this add-on you cannot use the “default” part of the URL, which will result in the following error:
https://support.okta.com/help/s/article/400-error-on-authentication-to-Okta-using-OIDC?language=en_US
I struggled to fix this problem since I got lost in the documentation. Therefore, I am sharing the solution for anyone who struggled with this:
In this case the “base_url” should not be “{org_url}/oauth2/default” but “{org_url}/oauth2”. And do not forget to remove the “default” in the URL of “api_endpoint”.
Also, the “auth_url_data” should be the following:
{
  "response_type": "code",
  "scope": "openid email profile"
}
The rest should be as described above.
2 Likes
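To tie together the two working configurations in this thread (the custom authorization server with `/oauth2/default` and the org server with plain `/oauth2`) and the redirect-URI and `/oauth2/oauth2/…` mistakes discussed earlier, here is an added checker, not Frappe’s own code. It assumes the behaviour described above: the authorize URL is `base_url` with `authorize_url` appended, and `auth_url_data` is a JSON object merged into the query string; the org name and client_id are placeholders.

```python
import json
from urllib.parse import urlencode, urlparse

# Added illustration, not Frappe's own code. It assumes the behaviour this thread
# describes: the authorize URL is base_url with authorize_url appended, and
# auth_url_data is a JSON object merged into the query string.
def build_authorize_url(key: dict) -> str:
    params = json.loads(key["auth_url_data"])
    params.update({"client_id": key["client_id"], "redirect_uri": key["redirect_url"]})
    return f"{key['base_url'].rstrip('/')}{key['authorize_url']}?{urlencode(params)}"

def check_social_login_key(site: str, key: dict) -> list:
    """Return the problems found in a Social Login Key dict (empty = consistent)."""
    problems = []
    expected = f"https://{site}/api/method/frappe.integrations.oauth2_logins.custom/{key['name']}"
    if key["redirect_url"] != expected:
        problems.append(f"redirect_url should be {expected}")
    base_path = urlparse(key["base_url"]).path.rstrip("/")
    for field in ("authorize_url", "access_token_url"):
        value = key[field]
        if not value.startswith("/"):
            problems.append(f"{field} must be a path relative to base_url, starting with '/'")
        elif base_path and value.startswith(base_path + "/"):
            problems.append(f"{field} repeats the base_url path; use {value[len(base_path):]!r}")
    try:
        data = json.loads(key["auth_url_data"])
    except json.JSONDecodeError:
        problems.append("auth_url_data is not valid JSON (typographic quotes are a common cause)")
    else:
        if data.get("response_type") != "code":
            problems.append("auth_url_data needs response_type 'code': the callback expects ?code=")
        if "openid" not in data.get("scope", "").split():
            problems.append("scope should include 'openid' for the OIDC userinfo endpoint")
    if not key["api_endpoint"].startswith(key["base_url"].rstrip("/") + "/"):
        problems.append("api_endpoint should be the userinfo endpoint under the same base_url")
    return problems

# Constructed sample mirroring the working key posted above (placeholder org and id).
GOOD_KEY = {
    "name": "okta", "client_id": "yourclientid",
    "base_url": "https://trial-1234567.okta.com/oauth2/default",
    "authorize_url": "/v1/authorize", "access_token_url": "/v1/token",
    "redirect_url": "https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom/okta",
    "api_endpoint": "https://trial-1234567.okta.com/oauth2/default/v1/userinfo",
    "auth_url_data": '{"scope": "openid email profile", "response_type": "code"}',
}
# The mistakes discussed earlier: authorize_url carrying the base path again, curly quotes in JSON.
BAD_KEY = dict(GOOD_KEY, authorize_url="/oauth2/default/v1/authorize",
               auth_url_data="{“response_type”: “code”}")
```

Running `check_social_login_key("erp.example.com", BAD_KEY)` lists both mistakes, while the org-server variant (base_url ending in `/oauth2` and the matching `/oauth2/v1/userinfo` endpoint) passes cleanly.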