Application is throwing "Unauthorized" error after successful openid connection

[sohemokashi]

The code goes to /authorization-code/callback with state and code querystring but throws "Unauthorized" error after successful openid connection.

[denysoblohin-okta]

Thank you for reporting the issue.
Can you please provide some more information about this issue, like error description in /authorization-code/callback response body?

[MiepjeMadelon]

Hi, I think sohemokashi and I are having the same issue, so I'll try to clarify it, especially since I can't really find a solution anywhere.
I was following this tutorial from the guides: https://developer.okta.com/docs/guides/sign-into-web-app/nodeexpress/redirect-to-sign-in/
However, when clicking on the button to go to the login page I get a blank page with only the word 'Unauthorized'. This is from the url: error=access_denied&error_description=User+is+not+assigned+to+the+client+application.

This is my code, I think sohemokashi's code is somewhat similar, or at least there is a chance we have made the same mistake.

const { ExpressOIDC } = require('@okta/oidc-middleware');

// session support is required to use ExpressOIDC
app.use(session({
  secret: 'this should be secure',
  resave: true,
  saveUninitialized: false
}));

const oidc = new ExpressOIDC({
  appBaseUrl: 'insert link here',
  issuer: 'https://{insert link here}/oauth2/default',
  client_id: 'xx',
  client_secret: 'yy',
  loginRedirectUri: 'http://localhost:3000/authorization-code/callback',
  scope: 'openid profile'
});

// ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes
app.use(oidc.router);

[sohemokashi]

Thanks for looping me in, my issue is different and I’ve worked with Okta support Person to figure it out. It was related to bluecoat certificate error where my local machine is throwing error while in server code my code works fine Please let me know if you need any other details from my side Thanks Sohel

…

On Thu, Mar 4, 2021 at 5:23 PM MiepjeMadelon ***@***.***> wrote: Hi, I think sohemokashi and I are having the same issue, so I'll try to clarify it, especially since I can't really find a solution anywhere. I was following this tutorial from the guides: https://developer.okta.com/docs/guides/sign-into-web-app/nodeexpress/redirect-to-sign-in/ However, when clicking on the button to go to the login page I get a blank page with only the word 'Unauthorized'. This is from the url: error=access_denied&error_description=User+is+not+assigned+to+the+client+application. This is my code, I think sohemokashi's code is somewhat similar, or at least there is a chance we have made the same mistake. const { ExpressOIDC } = ***@***.***/oidc-middleware'); // session support is required to use ExpressOIDC app.use(session({ secret: 'this should be secure', resave: true, saveUninitialized: false })); const oidc = new ExpressOIDC({ appBaseUrl: 'insert link here', issuer: 'https://{insert link here}/oauth2/default', client_id: 'xx', client_secret: 'yy', loginRedirectUri: 'http://localhost:3000/authorization-code/callback', scope: 'openid profile' }); // ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes app.use(oidc.router); — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#105 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASTLZ52LOEH4NTBH2MSK6PTTCAB6RANCNFSM4XCCATMQ> .

[swiftone]

@MiepjeMadelon - You may be running against a change in the Okta Admin Console - by new default, your application does not have any users assigned to it (which would lead to the error message you see - the message is accurate). This change is very recent, and our documentation has not yet caught up to it.

In the Admin Console, you will have to assign user/groups to your application (for example, adding group "Everyone" to your application will allow all of your users access (but not outside users that haven't been added to your organization).

Let us know if that does or does not address the situation.

[MiepjeMadelon]

@swiftone It does address the situation, thanks!

[michaelallenprofessional]

I also encountered this error on a freshly cloned sample app using the Okta hosted login page and was able to fix it by modifying the following file: git/samples-nodejs-express-4/node_modules/openid-client/lib/client.js

On line 460 you insert the following two lines in the if (params.code) { block of the callback function

client_id: this.client_id,
client_secret: this.client_secret,

So before we have:

if (params.code) {
      const tokenset = await this.grant({
        ...exchangeBody,
        grant_type: 'authorization_code',
        code: params.code,
        redirect_uri: redirectUri,
        code_verifier: checks.code_verifier,
      }, { clientAssertionPayload });

      await this.decryptIdToken(tokenset);
      await this.validateIdToken(tokenset, checks.nonce, 'token', checks.max_age);

      if (params.session_state) {
        tokenset.session_state = params.session_state;
      }

      return tokenset;
    }

and after:

if (params.code) {
      const tokenset = await this.grant({
        ...exchangeBody,
        client_id: this.client_id,
        client_secret: this.client_secret,
        grant_type: 'authorization_code',
        code: params.code,
        redirect_uri: redirectUri,
        code_verifier: checks.code_verifier,
      }, { clientAssertionPayload });

      await this.decryptIdToken(tokenset);
      await this.validateIdToken(tokenset, checks.nonce, 'token', checks.max_age);

      if (params.session_state) {
        tokenset.session_state = params.session_state;
      }

      return tokenset;
    }

It looks like the oidc client library is not adding the client_id and client_secret to the POST body when calling the /token endpoint.

I have opened a case with number 01062513 and the support agent should have a recording of a demonstration of the issue and fix.

[aarongranick-okta]

internal ref: OKTA-379204