Hi, I am attempting to configure OIDC with Okta by following the instructions in OpenID Connect 1.0 protocol (OIDC) reference - Sensu Docs as closely as possible.
After following the instructions it appears I can log in successfully:
```
$ ./sensuctl login oidc
Launching browser to complete the login via your OIDC provider at following URL:
https://our-api-domain-name//api/enterprise/authentication/v2/oidc/authorize?callback=http%3A%2F%2Flocalhost%3A8000%2Fcallback
You may also manually open this URL.
Waiting for callback...
OIDC authentication has been successful
```
However, it seems I am not authenticated when I run commands:
```
$ ./sensuctl event list
Error: unauthorized to perform action
$ ./sensuctl auth list
Error: unauthorized to perform action
$ ./sensuctl entity list
Error: unauthorized to perform action
```
Then when I attempt to log in using the new dashboard login button “SIGN-IN WITH OKTA”, it again appears my login was partially successful but with errors.
Note: the blue block-out is my email address
To set up the OIDC provider in Sensu I used the following YAML file:
```yaml
type: OIDC
api_version: authentication/v2
metadata:
  created_by: admin
  labels:
    sensu.io/managed_by: sensuctl
  name: okta
spec:
  additional_scopes:
    - email
    - groups
  client_id: our-client-id
  client_secret: our-client-secret
  groups_claim: groups
  groups_prefix: ""
  redirect_uri: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback
  server: https://our-domain-name.okta.com
  username_claim: email
  username_prefix: ""
```
and my Okta configuration is:
```
General Tab
  Client Credentials:
    Client ID: our-client-id
    Client secret: our-client-secret
  General Settings
    Okta domain: our-domain-name.okta.com
    Application:
      Application name: our-application-name
      Application type: Web
    Allowed grant types:
      Client acting on behalf of itself:
        [x] Client Credentials
      Client grant types:
        [x] Authorization Code
        [x] Refresh Token
        [x] Implicit (Hybrid)
            [x] Allow Token with implicit grant type
            [ ] Allow Access Token with implicit grant type
    USER CONSENT
      User consent: [x] Require consent
      Terms of Service URI:
      Policy URI:
      Logo URI:
    LOGIN
      Login redirect URIs: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback
      Logout redirect URIs:
      Login initiated by: Either Okta or App
      Application visibility:
        [x] Display application icon to users
        [ ] Display application icon in the Okta Mobile app
      Login flow:
        (x) Redirect to app to initiate login (OIDC Compliant)
        ( ) Send ID Token directly to app (Okta Simplified)
      Initiate login URI: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback

Sign on Tab
  Settings
    Sign on methods: (x) OpenID Connect
    Token Credentials: Automatic
    OpenID Connect ID Token
      Issuer: https://our-domain-name.okta.com
      Audience: client-id
      Claims: Claims for this token include all user attributes on the app profile.
      Groups claim type: Filter
      Groups claim filter: [groups][Matches regex][.*]
  Sign On Policy
    Default sign on rule
```
Versioning:
- Sensu Go Backend (Docker): 5.21.3
- sensuctl: 5.21.4
Is there something I have misconfigured?
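A useful first check when `sensuctl login oidc` succeeds but every command is unauthorized is to see which username and groups Sensu actually derives from the ID token, since an RBAC cluster role binding has to name that exact username or one of those groups. The helper below is an added example, not code from the original post or from Sensu: it decodes a constructed, unsigned token offline (no signature verification, so it is for inspection only) and applies the post's `username_claim`, `groups_claim` and prefix settings; the spec values are placeholders copied from the YAML above.

```python
import base64
import json

# Constructed copy of the spec values from the post (placeholders, not real).
SENSU_OIDC_SPEC = {
    "client_id": "our-client-id",
    "server": "https://our-domain-name.okta.com",
    "username_claim": "email",
    "username_prefix": "",
    "groups_claim": "groups",
    "groups_prefix": "",
}

def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed 'alg: none' JWT for offline inspection only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

def id_token_claims(id_token: str) -> dict:
    """Return payload claims WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def map_sensu_identity(claims: dict, spec: dict = SENSU_OIDC_SPEC) -> dict:
    """Apply the username/groups claim and prefix settings; collect problems."""
    problems = []
    if claims.get("iss") != spec["server"]:
        problems.append(f"iss {claims.get('iss')!r} != server {spec['server']!r}")
    aud = claims.get("aud")
    if spec["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include client_id")
    username = claims.get(spec["username_claim"])
    if username is None:
        problems.append(f"missing username claim {spec['username_claim']!r}")
    groups = claims.get(spec["groups_claim"]) or []
    if not groups:
        problems.append(f"no {spec['groups_claim']!r} claim: only a binding "
                        "on the exact username can grant access")
    return {
        "username": spec["username_prefix"] + username if username else None,
        "groups": [spec["groups_prefix"] + g for g in groups],
        "problems": problems,
    }
```

If the Okta groups filter matches nothing for the user, the `groups` claim is absent and only a binding on the full email address (the `username_claim` value) can authorize them.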