Using Okta for backend authentication

Scott Forsyth

Posted on 01/01/2021 23:03:40

Hello,

Is Okta confirmed as supported for logging into the backend? I can use it for frontend authentication, but when trying to use it for the backend, I get an error "Incorrect username or password".

The steps that I've taken are:

Log into the frontend so that the user is created and has an external login
I can confirm that I can log in again multiple times with that user, to the frontend
I edit the user and make it an adminstrator
When logging into the backend, I receive the error "Incorrect username or password"

This is with the built-in Okta provider on 9.9.6.

Event viewer shows a warning message with:

Action: Authentication
Category: Security
Level: Warn
User Id: -1
User Name: System
Description: Login by {my okta account} failed - Auto login: False
Exception type and File log are empty

Replies

Nicolai Pedersen

Posted on 04/01/2021 09:42:01

Nope, that has not been confirmed. Will have it checked out...

Scott Forsyth

Posted on 04/01/2021 15:18:31

Thanks!

Oleg Rodionov

Posted on 11/01/2021 06:09:14

Hi Scott,

I've tested the case on environment based on DW996 and was not able to catch the issue - proof. The results can be taken either with 'Add user to group' or 'User group from Okta' option in the provider settings. SSL connection is used (it's mandatory condition to use the provider on further releases).

BR, Oleg QA

Scott Forsyth

Posted on 11/01/2021 16:43:22

Hi Oleg,

Thanks for looking into this, and it's encouraging to know that it should work.

I'm getting different results than you. Do you have any suggestions on what I can look next? Here's what I see: https://www.dropbox.com/s/yeghb5x0lgeog3a/OktaBackend.MP4?dl=0

Scott

Oleg Rodionov

Posted on 12/01/2021 06:19:21

This post has been marked as an answer

Hi Scott,

Thanks for specifying. I was able to dig more deep. The issue seems to be reproduced if user is initialy created using 'Create local account by showing the "Create new user" page' option in provider settings. I've created TFS 89836 to fix the bug. You can try to use other two options as workaround, I was not able to catch the bug using them.

BR, Oleg QA

Votes for this answer: 1

Scott Forsyth

Posted on 13/01/2021 06:41:51

Hi Oleg,

That sounds promising. I wasn't able to get it to work in my environment yet, but since you found something that is wrong, it sounds promising that there is a bug that will possibly fix this for me. I'll wait for that fix.

Thanks!

Scott

Alexey Tanchenko

Posted on 15/01/2021 04:00:24

Hi Scott,

I cannot reproduce your problem on my solution. Steps described by Oleg looks more likely as a wrong use case, since he using the form which allow to change username and set password for user. But it must never be possible, since it break the major idea of external auth - username and some other data must always be retrieved from external resource.

I do not see in your video how the user has been created to make sure that you was not changed his login data during user creation.

In your current OKTA configuration I see that you use 'Create local account by showing the "Create new user" page' option which is referenced to the page which just says that user was not created. This option should be used when you need to redirect to a page where user fills in some additional data (not related to login data) and completes the creation. You probably should change it to 'Add user to groups' option instead.

Also, I cannot use my own OKTA account on your solution for tests since it looks like you have custom changes in the OKTA provider code. My acoount always fails with message "External login info object is null. Authentication failed.". It even do not try to redirect me to OKTA auth page.

You must be logged in to post in the forum

Developer forum

Using Okta for backend authentication

Replies