I am working on a web application. I am setting up a third-party service provider as an authentication provider (Okta). I have two applications.
Application 1:
This is a central app to many other applications where users visit this website and are redirected to Application 2 after validating credentials against a third-party authentication provider. In my case, I am using Okta for authentication. I set up the Application 2 URL as a redirect URL for this app.
Application 2: This app is purely a user content app; it will check for sessions or cookies created by the Application 1 redirect URL.
This application works as expected on localhost, but does not work after hosting in our DEV environment. Application 1 successfully validates user credentials and redirects with valid sessions to token to Application 2. The required sessions are not created in Application 2 through its redirect URL.
Our dev environments are protected by VPN.
I suspect this is due to our DEV environment URLs being VPN-protected.
Please suggest a way to troubleshoot to find the solution.
Startup.CS (Application 1)

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            LoginPath = new PathString("/Login/Login"),
        });
        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            Scope = new List<string> { "openid", "profile", "email", "offline_access" },
            LoginMode = LoginMode.SelfHosted,
        });
    }

    private void SetCookieAuthenticationAsDefault(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
    }

    private void AddOktaAuthenticationMiddleware(IAppBuilder app)
    {
        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });
    }

Validating credentials and redirecting to the other application (Application 2):

        if (!User.Identity.IsAuthenticated)
        {
            LoginModel objlogin = new LoginModel();
            objlogin.username = email;
            objlogin.password = password;
            // Validate user credentials in Okta
            OktaModel oktaApiResponse = oktaLoginBO.ValidateUser(username, password);
            // 1. If no errors occurred while validating in Okta.
            // 2. If credentials are correct
            if (oktaApiResponse.status == true)
            {
                var properties = new AuthenticationProperties();
                properties.Dictionary.Add("sessionToken", oktaApiResponse.oktaAuthenticationResponse.sessionToken);
                properties.Dictionary.Add("useremail", oktaApiResponse.oktaValidateUserResponseModel._embedded.user.profile.login);
                properties.RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"].ToString();
                HttpContext.GetOwinContext().Authentication.Challenge(properties,
                    OktaDefaults.MvcAuthenticationType);
                return new HttpUnauthorizedResult();
            }
            else
            {
                return View("UnAuthorized");
            }
        }
    }

I have tried different ways to read the Okta sessions. The application successfully connects to a third-party authentication provider and returns a valid session token. However, the required sessions are not created on redirect URLs. I can't find the root cause of this.
I want to know whether the reason could be that our URL is protected by VPN.
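
A check worth running against the setup described above, as an added example that is not part of the original post: a cookie issued by Application 1 is sent to Application 2 only if its scope covers Application 2's host. The sketch applies the RFC 6265 domain-match and Secure rules; every hostname in it is a constructed placeholder, since the post does not give the real ones.

```javascript
// Added example: would a cookie set by one host be sent to another URL?
// Follows the domain-match and Secure rules of RFC 6265 (sections 5.1.3, 5.4).
// Hostnames used with these functions are constructed placeholders.

function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === dom) return true;
  // Suffix match only on a label boundary, and never for IP-address hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom);
}

// cookie: { setByHost, domain (optional Domain attribute), secure }
function cookieSentTo(cookie, targetUrl) {
  const url = new URL(targetUrl);
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie, target is not HTTPS" };
  }
  if (!cookie.domain) {
    // Host-only cookie: exact host match. The port is not part of cookie
    // scope, so two apps on localhost with different ports share cookies.
    return url.hostname === cookie.setByHost.toLowerCase()
      ? { sent: true, reason: "host-only cookie, same host" }
      : { sent: false, reason: "host-only cookie, different host" };
  }
  return domainMatch(url.hostname, cookie.domain)
    ? { sent: true, reason: "Domain attribute covers target host" }
    : { sent: false, reason: "Domain attribute does not cover target host" };
}

// Constructed scenarios: local development vs. two separate DEV hostnames.
const scenarios = [
  [{ setByHost: "localhost", secure: false }, "http://localhost:5002/home"],
  [{ setByHost: "app1.dev.example.test", secure: true }, "https://app2.dev.example.test/"],
  [{ setByHost: "app1.dev.example.test", domain: "dev.example.test", secure: true },
   "https://app2.dev.example.test/"],
];
for (const [cookie, target] of scenarios) {
  console.log(target, cookieSentTo(cookie, target));
}
```

Comparing the result with the `Set-Cookie` headers and the request `Cookie` header in the browser's network tab for the DEV hostnames shows whether the authentication cookie is scoped to reach Application 2 at all.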