Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added e2e tests for issuer proxy for OIE #1370

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

denysoblohin-okta
Copy link
Contributor

@denysoblohin-okta denysoblohin-okta commented Jan 23, 2023

  • Added issuer proxy setup for OIE
  • Enabled e2e tests for proxy with OIE
  • Added 2 new e2e tests: should use SSO session, should end SSO session on logout

Internal ref: OKTA-416683

Proxy setup:

Proxy should use different (from your SPA) port or domain  to have different local/session storage.
SIW initially clears transaction storage, so state saved in SPA could not be read on login callback
 and `handleRedirect` would produce the error:
AuthSdkError: Could not load PKCE codeVerifier from storage. 
 This may indicate the auth flow has already completed or multiple auth flows are executing concurrently.

In e2e tests proxy has port 8082

Explanation for need of response rewrites in onProxyRes:

HTML page `<proxy>/oauth2/v1/authorize` contains script with config for SIW with var `baseUrl`.
`baseUrl` value equals to <origin>, it is used for IDX API requests.
Need to replace <origin> to <proxy> in `baseUrl`.
Otherwise response to `<origin>/idp/idx/identify` after successful login would contain redirect URL
 `<origin>/login/token/redirect?stateToken=xxx` which would render HTTP 403 error.
The problem relates to `DT` cookie which is set on page `<proxy>/oauth2/v1/authorize`
 for domain <proxy>, but not <origin>.
Since cookie for <origin> domain can't be set from <proxy> server response (unless they are in same domain)
 and there is no way to configure value of `baseUrl`, it should be intercepted and replaced in a response.

<origin> should be replaced to <proxy> in IDX API responses, but not for `/.well-known`.
Otherwise `handleRedirect` will produce error `AuthSdkError: The issuer [origin] does not match [proxy]`

Okta org setup:

- Proxy URL should be added to Trusted Origins.
- `<proxy>/login/callback` should be added to Redirect URIs of app with CLIENT_ID

Differences from classic

<proxy>/oauth2/v1/authorize just redirects to <origin>/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=xxx (with HTTP 302) so no issues with cookie

@denysoblohin-okta denysoblohin-okta force-pushed the od-proxy-OKTA-416683 branch 3 times, most recently from 8899bd5 to 2df67ae Compare January 23, 2023 12:42
@denysoblohin-okta denysoblohin-okta marked this pull request as ready for review January 23, 2023 12:52
@denysoblohin-okta denysoblohin-okta changed the title wip proxy test Added e2e tests for issuer proxy for OIE Jan 23, 2023
This reverts commit 66abe02.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant