Add Okta to the list of supported providers

openiddict · Jan 9, 2024 · 8b590c6 · 8b590c6
1 parent 0658668
commit 8b590c6
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 6 deletions.
diff --git a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
@@ -58,16 +58,22 @@ await UseDeviceAuthorizationGrantAsync(stoppingToken))
 
                     if (result.VerificationUriComplete is not null)
                     {
-                        AnsiConsole.MarkupLineInterpolated(
-                            $"[yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the displayed code is '{result.UserCode}' to complete the authentication demand.[/]");
+                        AnsiConsole.MarkupLineInterpolated($"""
+                            [yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the
+                            displayed code is '{result.UserCode}' to complete the authentication demand.[/]
+                            """);
                     }
 
                     else
                     {
-                        AnsiConsole.MarkupLineInterpolated(
-                            $"[yellow]Please visit [link]{result.VerificationUri}[/] and enter '{result.UserCode}' to complete the authentication demand.[/]");
+                        AnsiConsole.MarkupLineInterpolated($"""
+                            [yellow]Please visit [link]{result.VerificationUri}[/] and enter
+                            '{result.UserCode}' to complete the authentication demand.[/]
+                            """);
                     }
 
+                    AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
                     // Wait for the user to complete the demand on the other device.
                     principal = (await _service.AuthenticateWithDeviceAsync(new()
                     {
@@ -90,6 +96,8 @@ await UseDeviceAuthorizationGrantAsync(stoppingToken))
                         ProviderName = provider
                     });
 
+                    AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
                     // Wait for the user to complete the authorization process.
                     principal = (await _service.AuthenticateInteractivelyAsync(new()
                     {

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -706,6 +706,21 @@ GrantTypes.DeviceCode or GrantTypes.RefreshToken when
                     _ => context.SendUserinfoRequest
                 },
 
+                // Note: some providers don't allow querying the userinfo endpoint when the "openid" scope
+                // is not requested or granted. To work around that, userinfo is disabled when the "openid"
+                // scope wasn't requested during the initial authorization request or during the token request.
+                ProviderTypes.Okta => context.GrantType switch
+                {
+                    GrantTypes.AuthorizationCode or GrantTypes.Implicit when
+                        context.StateTokenPrincipal is ClaimsPrincipal principal && !principal.HasScope(Scopes.OpenId)
+                        => false,
+
+                    GrantTypes.DeviceCode or GrantTypes.RefreshToken when !context.Scopes.Contains(Scopes.OpenId)
+                        => false,
+
+                    _ => context.SendUserinfoRequest
+                },
+
                 _ => context.SendUserinfoRequest
             };
 

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -711,6 +711,27 @@
     </Environment>
   </Provider>
 
+  <!--
+                                                ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                                ██ ▄▄▄ ██ █▀▄█▄▄ ▄▄█ ▄▄▀██
+                                                ██ ███ ██ ▄▀████ ███ ▀▀ ██
+                                                ██ ▀▀▀ ██ ██ ███ ███ ██ ██
+                                                ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Okta" Id="f225bf31-d16f-4580-b276-79f5fe270562"
+            Documentation="https://developer.okta.com/docs/reference/api/oidc/">
+    <!--
+      Note: Okta is a multitenant identity provider that doesn't have a generic
+      issuer URI. As such, the complete URI must always be set in the options.
+    -->
+
+    <Environment Issuer="{settings.Issuer}" />
+
+    <Setting PropertyName="Issuer" ParameterName="issuer" Type="Uri" Required="true"
+             Description="The URI used to access the Okta instance (e.g https://fabrikam.okta.com/)" />
+  </Provider>
+
   <!--
                                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                         ██ ▄▄ █ ▄▄▀█▄▄ ▄▄██ ▄▄▀██ ▄▄▄██ ▄▄▄ ██ ▀██ ██
@@ -1403,8 +1424,8 @@
                                         ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
   -->
 
-  <Provider Name="WorldId" Id="cd8724ff-2413-4dd5-a18d-5979c9ddaa14"
-            DisplayName="World ID" Documentation="https://docs.worldcoin.org/reference/sign-in">
+  <Provider Name="WorldId" DisplayName="World ID" Id="cd8724ff-2413-4dd5-a18d-5979c9ddaa14"
+            Documentation="https://docs.worldcoin.org/reference/sign-in">
     <Environment Issuer="https://id.worldcoin.org/" />
   </Provider>