Okta configuration?

[ciscomonkey]

I have Okta working, but I think I'm missing something in the docs for the proper way to configure the URLs in the config. Dumping the backend object, I didn't see any URLs set as I do in my working Github provider.

I can set these by providing my own backend, but I'm still looking for the "correct" way to do this.

myOktaClient = OktaOAuth2
myOktaClient.API_URL = os.getenv("OKTA_DOMAIN_URL")
myOktaClient.AUTHORIZATION_URL = os.getenv("OKTA_DOMAIN_URL") + "/oauth2/v1/authorize"
myOktaClient.ACCESS_TOKEN_URL = os.getenv("OKTA_DOMAIN_URL") + "/oauth2/v1/token"

[ArtyomVancyan]

@ciscomonkey, I am not sure what you tried to do with the provided code, but if you want to configure Okta OAuth2 for your FastAPI application, you should provide your client id and secret generated on the Okta console.

OAuth2Client(
    backend=OktaOAuth2,
    client_id=os.getenv("OAUTH2_OKTA_CLIENT_ID"),
    client_secret=os.getenv("OAUTH2_OKTA_CLIENT_SECRET"),
    scope=["openid", "profile", "email"],
    claims=Claims(
        identity=lambda user: f"{user.uid}:{user.sub}",
    ),
)

The OktaOAuth2 constructs authorization and token URLs using the given client id.

[ciscomonkey]

I'm replacing the backend of the OAuth2Client with it. When I use the stock OktaOAuth2 backend, (as shown in your example), there are no URL tokens set at all:

{
    '__module__': 'social_core.backends.okta',
    '__doc__': 'Okta OAuth authentication backend',
    'name': 'okta-oauth2',
    'REDIRECT_STATE': False,
    'ACCESS_TOKEN_METHOD': 'POST',
    'SCOPE_SEPARATOR': ' ',
    'ID_KEY': 'preferred_username',
    'DEFAULT_SCOPE': ['openid', 'profile', 'email'],
    'EXTRA_DATA': [
        ('refresh_token', 'refresh_token', True), 
        ('expires_in', 'expires'), 
        ('token_type', 'token_type', True)
    ],
    'get_user_details': <function OktaOAuth2.get_user_details at 0x111b2e2a0>,
    'user_data': <function OktaOAuth2.user_data at 0x111b2e340>
}

If instead I use the myOktaClient for the backend, I do see URLs populated. Something is still off as the middleware is generating an error for me (when it hits the /oauth2/{provider}/token route), but I'll dig into that later today.

[ArtyomVancyan]

Well, I have configured Okta to reproduce the issue and faced the error discussed in this discourse. So it turns out that Okta has non-ordinary requirements for /token endpoint. So, I have fixed this problem locally and will merge it into the master branch soon.

This is what my client looked like when I made it work:

from urllib.parse import urljoin
from social_core.backends.okta import OktaOAuth2 as Okta

class OktaOAuth2(Okta):
    ACCESS_TOKEN_URL = "https://trial-5865777.okta.com/oauth2/v1/token"
    AUTHORIZATION_URL = "https://trial-5865777.okta.com/oauth2/v1/authorize"

    def _url(self, path):
        return urljoin("https://trial-5865777.okta.com/oauth2/", path)

The OAuth2Client configuration looks the exact same as I provided in my earlier response. Also, I am going to release these changes before the end of August, so you should install them with VCS temporarily. Please use pip install https://github.com/pysnippet/fastapi-oauth2/archive/master.zip, and be pationed. Hope this helps you to solve your issue.

[ArtyomVancyan]

@ciscomonkey, you can now use the latest release. It's just been published.

[ciscomonkey]

Thanks for getting that fix in so quickly! Works great!