Okta SSO setup with frappe. Anyone?

Hi,

I'm trying to set up Okta as an SSO for a frappe site. I tried to create a connected app but soon learnt that it's for email (still feel it does more than that).
Then I configured a social login key with the "custom" social login provider. I can't seem to make it work. I'm stuck at the redirect URI.

Has anyone configured okta or any custom social login provider before?

e.g.

If your site name is erp.example.com and social login key name is okta then use

https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom/okta

Tried that and it gives this now. I think I'm missing something. Is there something like a code that needs to be put somewhere?

Traceback (most recent call last):
File "apps/frappe/frappe/app.py", line 95, in application
response = frappe.api.handle()
File "apps/frappe/frappe/api.py", line 54, in handle
return frappe.handler.handle()
File "apps/frappe/frappe/handler.py", line 47, in handle
data = execute_cmd(cmd)
File "apps/frappe/frappe/handler.py", line 85, in execute_cmd
return frappe.call(method, **frappe.form_dict)
File "apps/frappe/frappe/__init__.py", line 1622, in call
return fn(*args, **newargs)
TypeError: custom() missing 1 required positional argument: 'code'

Share screenshots of social login key and client registered on okta

Here is the screenshot of the social key in the system. Let me know if you need anything else.

Below is the app in Okta. Do I need to do some special config in Okta too?

In the social login key, you need the API Endpoint. It is the userinfo endpoint of OAuth2/OIDC (see "OpenID Connect & OAuth 2.0 API | Okta Developer").

On the Okta side, where have you added the same redirect URI?

Appending the base URL, your authorize URI will be /oauth2/oauth2/… in your case. Set it to /v1/authorize

Yes, I did copy-paste the exact thing there in the Okta app

Changed the config as below

It still gives the error below:

Could it be this code?

Because of the settings below (I can't seem to change it)

The code comes from the provider once authorization is successful.

What redirect URI have you set on Okta?

Redirect URI in Okta

https://demo.dexciss.com/api/method/frappe.integrations.oauth2_logins.custom/okta

The following works; change as per your URL, client_id, client_secret and redirect_url

{
  "name": "okta",
  "enable_social_login": 1,
  "social_login_provider": "Custom",
  "client_id": "yourclientid",
  "provider_name": "okta",
  "client_secret": "****************************************************************",
  "icon": "/files/okta_sso.png",
  "base_url": "https://trial-1234567.okta.com/oauth2/default",
  "authorize_url": "/v1/authorize",
  "access_token_url": "/v1/token",
  "redirect_url": "https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom/okta",
  "api_endpoint": "https://trial-1234567.okta.com/oauth2/default/v1/userinfo",
  "auth_url_data": "{\"scope\":\"openid email profile\",\"response_type\":\"code\"}"
}
2 Likes

Thanks a lot, Revant. I hope i could contribute back to the community, the way you do.

Thanks a lot

The solution above is specifically for when a custom authorization server is set up, for which a specific Okta add-on is needed. Without this add-on you cannot use the "default" part of the URL, which will result in the following error:
https://support.okta.com/help/s/article/400-error-on-authentication-to-Okta-using-OIDC?language=en_US

I struggled to fix this problem since I got lost in the documentation. Therefore, I am sharing the solution for anyone who struggled with this:

In this case the "base_url" should not be "{org_url}/oauth2/default" but "{org_url}/oauth2". And do not forget to remove the "default" in the URL of "api_endpoint".

Also, the "auth_url_data" should be the following:

{
  "response_type": "code",
  "scope": "openid email profile"
}

The rest should be as described above.

2 Likes