Issues implementing OIDC authentication with Okta

Hi, I am attempting to configure OIDC with Okta by following the instructions in OpenID Connect 1.0 protocol (OIDC) reference - Sensu Docs as closely as possible.

After following the instructions, it appears I can log in successfully

$ ./sensuctl login oidc
Launching browser to complete the login via your OIDC provider at following URL:

        https://our-api-domain-name//api/enterprise/authentication/v2/oidc/authorize?callback=http%3A%2F%2Flocalhost%3A8000%2Fcallback

You may also manually open this URL. Waiting for callback...

OIDC authentication has been successful

however, it seems I am not authenticated when I attempt commands

$ ./sensuctl event list
Error: unauthorized to perform action

$ ./sensuctl auth list
Error: unauthorized to perform action

$ ./sensuctl entity list
Error: unauthorized to perform action

Then when I attempt to log in using the new dashboard login button “SIGN-IN WITH OKTA”, it again appears my login was partially successful but with errors


Note: the blue block-out is my email address

To set up OIDC in Sensu I used the following YAML file

type: OIDC
api_version: authentication/v2
metadata:
  created_by: admin
  labels:
    sensu.io/managed_by: sensuctl
  name: okta
spec:
  additional_scopes:
  - email
  - groups
  client_id: our-client-id
  client_secret: our-client-secret
  groups_claim: groups
  groups_prefix: ""
  redirect_uri: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback
  server: https://our-domain-name.okta.com
  username_claim: email
  username_prefix: ""

and my Okta configuration is

General Tab
   Client Credentials:
      Client ID: our-client-id
      Client secret: our-client-secret
   General Settings
      Okta domain: our-domain-name.okta.com
         Application:
            Application name: our-application-name
            Application type: Web
            Allowed grant types:
               Client acting on behalf of itself: [x] Client Credentials
               Client grant types:
                  [x] Authorization Code
                  [x] Refresh Token
                  [x] Implicit (Hybrid)
                     [x] Allow Token with implicit grant type
                     [ ] Allow Access Token with implicit grant type
   USER CONSENT
      User consent: [x] Require consent
      Terms of Service URI:
      Policy URI:
      Logo URI:
   LOGIN
      Login redirect URIs: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback
      Logout redirect URIs:
      Login initiated by: Either Okta or App
      Application visibility:
         [x] Display application icon to users
         [ ] Display application icon in the Okta Mobile app
      Login flow:
         (x) Redirect to app to initiate login (OIDC Compliant)
         ( ) Send ID Token directly to app (Okta Simplified)
      Initiate login URI: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/callback

Sign on Tab
      Settings
         Sign on methods: (x) OpenID Connect
      Token Credentials: Automatic
      OpenID Connect ID Token
         Issuer: https://our-domain-name.okta.com
         Audience: client-id
         Claims: Claims for this token include all user attributes on the app profile.
         Groups claim type: Filter
         Groups claim filter: [groups][Matches regex][.*]
      Sign On Policy
         Default sign on rule

Versioning:

  • Sensu Go Backend (Docker): 5.21.3
  • sensuctl: 5.21.4

Is there something I have misconfigured?

Hi @jbs,

Do you have appropriate roles and role bindings defined for those OIDC users/groups? Without those, you can log in with OIDC, like you did, but it’s expected that you would have no permissions whatsoever by default. In other words, you would have authentication working correctly but there is no authorization configured!

I see you’re using 5.21; here is a relevant entry point in the docs:
https://docs.sensu.io/sensu-go/5.21/operations/control-access/#authorization


Hi @ccressent,

Thanks, as a test I created a cluster-role-binding for the default cluster-role cluster-admin:

sensuctl cluster-role-binding create okta --cluster-role=cluster-admin --group=our-group

With this, sensuctl authentication worked correctly.

To get a direct Okta auth to redirect me to the dashboard I had to modify my Okta configuration with:

Initiate login URI: https://our-api-domain-name/api/enterprise/authentication/v2/oidc/authorize?callback=https://our-dashboard-domain-name/a/oidc/callback?redirect-to=/c/~/n/default/events

All is working now. Thanks again.

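As an added example that is not part of this thread, the following shows the roles and role bindings the reply above refers to, written as a read-only ClusterRole bound to the Okta group instead of the cluster-admin binding used in the test. The role and group names (okta-readonly, our-group) and the resource list are assumptions; the group name must match what Okta sends in the groups claim, with groups_prefix prepended if one is configured.

```yaml
# Added example (not from the thread): least-privilege RBAC for an OIDC group.
# Apply with: sensuctl create -f okta-rbac.yaml
---
type: ClusterRole
api_version: core/v2
metadata:
  name: okta-readonly          # assumed name
spec:
  rules:
  # Only read verbs; no create/update/delete, so a compromised
  # Okta account cannot change checks, handlers or RBAC itself.
  - verbs:
    - get
    - list
    resources:
    - events
    - entities
    - checks
    - namespaces
---
type: ClusterRoleBinding
api_version: core/v2
metadata:
  name: okta-readonly          # assumed name
spec:
  role_ref:
    type: ClusterRole
    name: okta-readonly
  subjects:
  # With groups_prefix: "" in the OIDC spec, the subject name is the
  # raw Okta group name from the "groups" claim. With groups_prefix: "okta:"
  # it would have to be "okta:our-group" instead.
  - type: Group
    name: our-group            # assumed Okta group name
```

After applying, `sensuctl login oidc` followed by `sensuctl event list` should succeed for members of that group, while `sensuctl check create` should still fail with "unauthorized to perform action".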