OKTA is an amazing product, it enables authentication to your applications in a very easy manner, not much coding involved just some configuration. I had tried this personally and we are using it more and more in our organization having used Azure Active Directory and On Prem Active Directory this cloud service usability is between both but functionality is way much better.
To let you know how easy it is, I will show you in few steps how to use OKTA Authentication with your MVC Application.
First make sure you have and OKTA Account if not get an Okta Developer Edition Account.
Now let’s create you application. Go to Application -> Application -> Add Application -> Create New App
Choose Web as the platform, then choose OpenID Connect, click Create
Set up your OpenID Connect
Application Name: YourWebApplication
Base URIs : http://localhost:{port}
Login redirect URIs : http://localhost:{port}/authorization-code/callback
Logout redirect URIs: http://localhost:{port}/Account/PostLogout
Click Save
Now save these and after you have created the application grab the following information and add it into your Web.config, assuming you have a website project already in place.
- Client ID
- Client Secret
- Org URL
- Login redirect URIs
- Logout redirect URIs
Using Nuget Add the following references in your Web Project
- Microsoft.Owin.Security.Cookies 4.0.0 or higher
- Microsot.Owin.Host.SystemWeb 4.0.0 or higher
- Okta.AspNet
Now add an OWIN Startup class to your project and name the file Startup.cs. Click Add
In your Startup.cs add the following lines below to configure your OktaMvc Authentication
using System.Collections.Generic; using System.Configuration; using Microsoft.Owin; using Microsoft.Owin.Security; using Microsoft.Owin.Security.Cookies; using Okta.AspNet; using Owin; [assembly: OwinStartup(typeof(OKTA_Authentication.Startup))] namespace OKTA_Authentication { public class Startup { public void Configuration(IAppBuilder app) { app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions()); app.UseOktaMvc(new OktaMvcOptions() { OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"], ClientId = ConfigurationManager.AppSettings["okta:ClientId"], ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"], RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"], PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"], GetClaimsFromUserInfoEndpoint = true, Scope = new List<string> { "openid", "profile", "email" }, }); } } }
Note: If you are using .NET framework earlier than 4.6 and get the following error:
The request was aborted: Could not create SSL/TLS secure channel.
Make sure to include the following code in the Application_Start or Startup:
// Enable TLS 1.2 ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
Configure your project to use the following port you set up earlier
Now lets create your AccountController to host the Login and Logout Methods.
Choose and Empty MVC Controller, Click Add
Name it AccountController
Now paste this code in your AccountController, it will contain all the methods you will need for Login and Logout
using System.Web; using System.Web.Mvc; using Microsoft.Owin.Security.Cookies; using Okta.AspNet; namespace OKTA_Authentication.Controllers { public class AccountController : Controller { public ActionResult Login() { if (!HttpContext.User.Identity.IsAuthenticated) { HttpContext.GetOwinContext().Authentication.Challenge(OktaDefaults.MvcAuthenticationType); return new HttpUnauthorizedResult(); } return RedirectToAction("Index", "Home"); } [HttpPost] public ActionResult Logout() { if (HttpContext.User.Identity.IsAuthenticated) { HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType, OktaDefaults.MvcAuthenticationType); } return RedirectToAction("Index", "Home"); } public ActionResult PostLogout() { return RedirectToAction("Index", "Home"); } } }
Go to your _Layout.cshtml and add the Login and Logout Links.
@if (Context.User.Identity.IsAuthenticated) { <ul class="nav navbar-nav navbar-right"> <li> <p class="navbar-text">Hello, <b>@Context.User.Identity.Name</b></p> </li> <li> <a onclick="document.getElementById('logout_form').submit();" style="cursor: pointer;">Log out</a> </li> </ul> <form action="/Account/Logout" method="post" id="logout_form"></form> } else { <ul class="nav navbar-nav navbar-right"> <li>@Html.ActionLink("Log in", "Login", "Account")</li> </ul> }
In this section
And there you go, you have enabled OKTA Authentication in your Web Application, all you need to do is to put [Authorize] attribute on your controllers for those Controllers you want to secure.
Click login and it should send you to the OKTA Login Page
Put the necessary credentials then you’re in.
Things to take note: If you are using this on a live or preview environment you might need to talk to your account executive and let them know you will be using the API as they have to enable it on their end otherwise you will encounter this error
[HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).] System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +92828 Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__8.MoveNext() +375 [IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.] Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__8.MoveNext() +662 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 Microsoft.IdentityModel.Protocols.OpenIdConnect.<GetAsync>d__3.MoveNext() +291 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) +25 Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__24.MoveNext() +1129
This will not solve world problems, but it is an easy way to add an Authentication Mechanism to your website easily, if you want Role Based authentication then follow this post as I will share how to do that on our next article.