
What is SSO (Single Sign-On)?
Single sign-on (SSO) occurs when a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or domain the user is using. The user signs in only once, hence the name of the feature (Single Sign-On).


Can you name some popular tools used to implement SSO?
Auth0 and Okta are two popular tools.
Okta recently acquired Auth0, and the two products' areas of expertise complement each other well.

Why use Okta?
It is used to apply modern security policies to software services, whether they are hosted on-prem or on a cloud platform.

Can you explain authentication and SSO with a use case?
Yes. Suppose we have two applications as below:

1) .NET Core MVC
2) .NET Framework MVC

- We want to log in to either one of the applications and then gain automatic access to the other.
- Why .NET Core and .NET Framework MVC? Because the Okta implementation differs slightly between the two frameworks, and we plan to cover both.

Step 1: Create an account in the Okta portal (https://developer.okta.com/)
Once the account is created, note its URL; it is the one used to log in: https://dev-<<ID>>.okta.com


Step 2: Register an application and generate the client ID, client secret and Okta domain
Under Application => Grant Type => Client acting on behalf of user =>

For the .NET Core application,

       => select "Authorization Code"

For the .NET Framework application,

       => select "Authorization Code" + "Implicit (Hybrid)" (Allow ID token with implicit grant type + Allow access token with implicit grant type)


Step 3: Add the following Okta credentials to the MVC application

For .NET Core MVC (in appsettings.json)

  "Okta": {
    "ClientId": "id",
    "ClientSecret": "",
    "OktaDomain": "https://dev-78187217.okta.com",
    "PostLogoutRedirectUri": "https://localhost:5001/"
  },


For .NET Framework MVC (in web.config)

<appSettings>
  ..................
  ..................
  <add key="okta:ClientId" value="id" />
  <add key="okta:ClientSecret" value="" />
  <add key="okta:OktaDomain" value="https://dev-78187217.okta.com" />
  <add key="okta:RedirectUri" value="http://localhost:8080/authorization-code/callback" />
  <add key="okta:PostLogoutRedirectUri" value="http://localhost:8080/Account/PostLogout" />
</appSettings>


Step 4: Add the package reference to the MVC application

For .NET Core MVC

dotnet add package Okta.AspNetCore

For .NET Framework MVC

dotnet add package Okta.AspNet


The Okta ASP.NET and ASP.NET Core SDKs configure and host the callback (redirect URI) route for you. By default the route is hosted at /authorization-code/callback, which is why the RedirectUri in web.config above ends with that path.


Step 5: Add the following Okta code to enable authentication

For .NET Core MVC

using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

public void ConfigureServices(IServiceCollection services)
{
    // Bind the "Okta" section of appsettings.json (Step 3) to the SDK options
    var oktaMvcOptions = new OktaMvcOptions();
    Configuration.GetSection("Okta").Bind(oktaMvcOptions);
    oktaMvcOptions.Scope = new List<string> { "openid", "profile", "email" };
    // Fetch the user's profile claims from the userinfo endpoint after sign-in
    oktaMvcOptions.GetClaimsFromUserInfoEndpoint = true;

    // The cookie holds the local session; Okta handles the challenge (redirect to login)
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
    })
    .AddCookie()
    .AddOktaMvc(oktaMvcOptions);

    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddDbContext<ApplicationDbContext>(options => options.UseSqlite("Data Source=LiveMusicFinder.db"));
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
}


Make sure the Configure method does not call UseMvc; use the UseRouting() and UseEndpoints() methods instead (this is an ASP.NET Core version difference; do a deep dive on it if needed).

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ApplicationDbContext dbContext)
{
    .............................
    .............................
    .............................

    // Legacy MVC routing is disabled in favour of endpoint routing below
    //app.UseMvc(routes =>
    //{
    //    routes.MapRoute(
    //        name: "default",
    //        template: "{controller=Home}/{action=Index}/{id?}");
    //});

    app.UseRouting();
    // app.UseAuthentication() (and app.UseAuthorization()) must be called here,
    // between UseRouting and UseEndpoints, or the sign-in cookie is never read.
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}");
    });

    .............................
    .............................
    .............................
}


For .NET Framework MVC

using System.Collections.Generic;
using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

public void Configuration(IAppBuilder app)
{
    // The cookie middleware holds the local session once Okta has signed the user in
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Okta settings come from the web.config appSettings added in Step 3
    app.UseOktaMvc(new OktaMvcOptions()
    {
        OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
        ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
        ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
        RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
        PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
        GetClaimsFromUserInfoEndpoint = true,
        Scope = new List<string> { "openid", "profile", "email", "address" },
    });
}


Step 6: Controller logic

For .NET Core MVC

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Okta.AspNetCore;

public class AccountController : Controller
{
    // An anonymous user is redirected to Okta; a signed-in user goes to Home
    public IActionResult Login()
    {
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            return Challenge(OktaDefaults.MvcAuthenticationScheme);
        }
        return RedirectToAction("Index", "Home");
    }

    // Sign out of both the Okta session and the local cookie session
    public IActionResult Logout()
    {
        return new SignOutResult(new[]
        {
            OktaDefaults.MvcAuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme
        });
    }

    // Target of PostLogoutRedirectUri if it is hosted inside this application
    //public IActionResult PostLogout()
    //{
    //    return RedirectToAction("Index", "Home");
    //}
}


For .NET Framework MVC

using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;

public class AccountController : Controller
{
    public ActionResult Login()
    {
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            // Ask the Okta middleware to redirect the browser to the Okta login page
            HttpContext.GetOwinContext().Authentication.Challenge(
                OktaDefaults.MvcAuthenticationType);
            return new HttpUnauthorizedResult();
        }

        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    public ActionResult Logout()
    {
        if (HttpContext.User.Identity.IsAuthenticated)
        {
            // Clear the local cookie and end the Okta session
            HttpContext.GetOwinContext().Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType,
                OktaDefaults.MvcAuthenticationType);
        }

        return RedirectToAction("Index", "Home");
    }

    // Target of PostLogoutRedirectUri (okta:PostLogoutRedirectUri in web.config)
    //public ActionResult PostLogout()
    //{
    //    return RedirectToAction("Index", "Home");
    //}
}
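As an added example, not code from the original post: a hardened version of the .NET Core AccountController above. It checks the returnUrl with Url.IsLocalUrl before redirecting, makes Logout a POST protected by an anti-forgery token (the .NET Framework version already uses [HttpPost]), and adds an [Authorize]-only Profile action that lists the claims GetClaimsFromUserInfoEndpoint = true populates. The returnUrl parameter and the Profile action are assumptions of this example, not part of the original controller.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Okta.AspNetCore;

public class AccountController : Controller
{
    // Same flow as the page's Login, but the post-login destination is
    // validated so an attacker cannot use the login link as an open redirect.
    // (returnUrl is an assumption of this example.)
    public IActionResult Login(string returnUrl = "/")
    {
        if (!Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            // Challenge the Okta scheme; the cookie scheme signs the user in
            // when Okta redirects back to /authorization-code/callback.
            return Challenge(new AuthenticationProperties { RedirectUri = returnUrl },
                             OktaDefaults.MvcAuthenticationScheme);
        }
        return LocalRedirect(returnUrl);
    }

    // Logout is a POST with an anti-forgery token so that a third-party page
    // cannot sign the user out (or bounce them through Okta) with a crafted link.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        return SignOut(OktaDefaults.MvcAuthenticationScheme,
                       CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // Reachable only with a valid sign-in cookie; returns the claims that
    // GetClaimsFromUserInfoEndpoint = true copied from Okta's userinfo endpoint.
    // (Profile is an assumption of this example.)
    [Authorize]
    public IActionResult Profile()
    {
        var claims = User.Claims.Select(c => new { c.Type, c.Value }).ToList();
        return Json(new { name = User.Identity.Name, claims });
    }
}
```

The logout form in the view must include @Html.AntiForgeryToken() (or the asp-action tag helper, which emits it automatically) for the POST to pass validation.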

