Skip to content

Commit

Permalink
Merge branch 'main' into edunham-patch-1
Browse files Browse the repository at this point in the history
  • Loading branch information
edunham authored Nov 5, 2024
2 parents 050ad64 + 14570bf commit b7b57e1
Show file tree
Hide file tree
Showing 29 changed files with 1,741 additions and 18 deletions.
Binary file added _source/_assets/img/avatar-jeff-taylor.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added _source/_assets/img/avatar-nick-connelly.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified _source/_assets/img/avatar-raphael.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added _source/_assets/img/blog/dpop-oauth/social.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
3 changes: 3 additions & 0 deletions _source/_assets/img/blog/dpop-oauth/token-request.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
17 changes: 16 additions & 1 deletion _source/_data/authors.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ maurice-sharp:
email: [email protected]
linkedin: https://www.linkedin.com/in/msharp/
bio: Maurice is a developer, author, and documentation writer. He transitioned to developer documentation after writing a book on coding for iPhone. He went from managing a mobile development team to documenting Apple developer APIs. Then he moved to Okta where he focuses on developer content strategy and writes the occasional article.
Outside of work, he occasionally gives a workshop on designing and delivering engaging stories using a methodology based on cognitive biology and brain function. He's given these to presenters, entrepreneurs pitching VCs, and others. He uses the same methodology for writing documentation.
Outside of work, he occasionally gives a workshop on designing and delivering engaging stories using a methodology based on cognitive biology and brain function. He's given these to presenters, entrepreneurs pitching VCs, and others. He uses the same methodology for writing documentation.


victor-ronin:
Expand Down Expand Up @@ -952,3 +952,18 @@ louie-campagna:
avatar: avatar-louie-campagna.jpeg
linkedin: https://www.linkedin.com/in/louie-campagna/
bio: Louie Campagna is an Okta Developer Support Engineer. He enjoys coding creative solutions to problems and writing scripts to automate processes. Louie's previous experience spans across customer service, desktop engineering, identity and access management and governance, and programming.

nick-connelly:
full_name: Nick Connelly
display_name: Nick Connelly
avatar: avatar-nick-connelly.jpg
linkedin: https://www.linkedin.com/in/nicholasconnelly/
bio: Nick Connelly is a seasoned Professional Consultant within the Okta Professional Services team, bringing over a decade of experience in cybersecurity and identity and access management. Passionate about learning new technologies and improving processes, Nick is dedicated to delivering exceptional value for customers by leveraging the latest advancements and best practices in the industry.

jeff-taylor:
full_name: Jeff Taylor
display_name: Jeff Taylor
avatar: avatar-jeff-taylor.jpg
linkedin: https://www.linkedin.com/in/jeffctaylor/
github: https://github.com/jefftaylor-okta
bio: Jeff is a Group Product Manager working on our Developer Products for Developers and Operators working with Workforce Identity Cloud including helping Integrators submitting to the Okta Integration Network easily and effectively. Jeff is a champion for Builders on the Okta ecosystem.
2 changes: 1 addition & 1 deletion _source/_includes/header.html
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@
</ul>
</li>
<li class="menu-item {% if page.url contains '/blog/' %}active{% endif %}">
<a href="/blog" class="nav-link">Blog</a>
<a href="/blog/" class="nav-link">Blog</a>
</li>
<li class="menu-item {% if page.url contains '/pricing/' %}active{% endif %}">
<a href="{{ site.external_domain }}/pricing/" class="nav-link external-link">
Expand Down
6 changes: 3 additions & 3 deletions _source/_includes/promo_banner.html
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{% assign show_promo_banner = true %}
{% assign show_promo_banner = false %}
{% assign documentation_subdirs = "docs,standards,use_cases,reference,authentication-guide" | split:"," %}

{% for dir in documentation_subdirs %}
Expand All @@ -8,11 +8,11 @@
{% endfor %}

{% if show_promo_banner %}
<a href="https://regionalevents.okta.com/enterprisereadyworkshops" class="DocsPromoBanner">
<a href="/blog/2024/09/26/oktane-saas-developers" class="DocsPromoBanner">
<div class="Wrap">
<!-- <svg width="26px" height="32px" viewBox="0 0 26 32" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"><g transform="translate(1.000000, 1.000000)" stroke="#FFFFFF" stroke-width="0.5" fill="#FFFFFF"><path d="M7.73510684,22.7384868 L7.73510684,23.4543421 C9.42771234,23.4182237 10.7943389,22.0291447 10.7943389,20.3268421 C10.7943389,19.7915789 10.6564931,19.2634211 10.3955916,18.7980263 L10.2494631,18.5375 L13.529367,15.2548684 L13.7890852,15.4011184 C14.2540932,15.6622368 14.7824038,15.8001974 15.316039,15.8001974 C17.0181103,15.8001974 18.406035,14.4330263 18.4421234,12.7384211 L17.726863,12.7384211 L16.4489784,14.0173684 L13.976035,14.0173684 L13.976035,11.5423684 L15.253328,10.2634211 L15.253328,9.54401316 C13.5589476,9.57717105 12.1905462,10.9680263 12.1905462,12.6721053 C12.1905462,13.1819079 12.3100521,13.6698026 12.5466974,14.1209868 L12.6809936,14.3779605 L9.37328392,17.6884211 L9.11652377,17.5540132 C8.66571448,17.3177632 8.17881677,17.1981579 7.66825454,17.1981579 C5.96618323,17.1981579 4.57648371,18.5671053 4.54276175,20.2634868 L5.26157185,20.2634868 L6.53945646,18.9845395 L9.01299145,18.9845395 L9.01299145,21.4601316 L7.73510684,22.7384868 Z M6.9476696,24.2584211 L6.9476696,22.4122368 L8.22555422,21.1332895 L8.22555422,19.7720395 L6.86543536,19.7720395 L5.58755075,21.0509868 L3.75,21.0509868 L3.75354968,20.6536842 C3.75354968,20.6536842 3.75473291,20.4363816 3.75473291,20.3268421 C3.75473291,18.1668421 5.51064103,16.4100658 7.66825454,16.4100658 C8.20011485,16.4100658 8.73020032,16.5201974 9.21709802,16.7303947 L11.7231717,14.2216447 C11.5137407,13.7343421 11.4037006,13.2038158 11.4037006,12.6721053 C11.4037006,10.5126974 13.1590171,8.75532895 15.316039,8.75532895 C15.4266707,8.75532895 15.6432011,8.75355263 15.6437927,8.75355263 L16.0407652,8.75 L16.0407652,10.5890789 L14.7628806,11.8686184 L14.7628806,13.2292763 L16.1229995,13.2292763 L17.4008841,11.9503289 L19.2449426,11.9503289 L19.2348851,12.3547368 C19.2348851,12.3553289 19.2301522,12.5649342 19.2301522,12.6721053 C19.2301522,14.8315132 17.4742441,16.5882895 15.316039,16.5882895 C14.7480903,16.5882895 14.1860577,16.4633553 13.673129,16.2259211 L11.2197089,18.6807895 C11.4569458,19.1953289 11.5817762,19.7584211 11.5817762,20.3268421 C11.5817762,22.4856579 9.82586806,24.2430263 7.66825454,24.2430263 C7.56176416,24.2430263 7.35292468,24.2483553 7.35174145,24.2483553 L6.9476696,24.2584211 Z" id="Fill-28"></path><path d="M0.787437233,29.4140132 L23.0912567,29.4140132 L23.0912567,0.788092105 L6.85443109,0.788092105 L0.787437233,6.86013158 L0.787437233,29.4140132 Z M23.8786939,30.2021053 L0,30.2021053 L0,6.53388158 L6.52845219,0 L23.8786939,0 L23.8786939,30.2021053 Z" id="Fill-29"></path><polygon points="7.94173745 6.69730263 1.25 6.69730263 1.25 5.90921053 7.15489183 5.90921053 7.15489183 0 7.94173745 0"></polygon></g></g></svg> -->
<svg id="Layer_2" xmlns="http://www.w3.org/2000/svg" width="26px" height="32px" viewBox="0 0 26 32"><defs><style>.cls-1{fill:#fffefa;}</style></defs><g id="Layer_1-2"><g><path class="cls-1" d="M13.48,3.28c-1.9,.69-3.89,1.04-5.91,1.04h-.82c-1.84,0-3.56,.73-4.84,2.05C.62,7.69-.05,9.43,0,11.28c.05,1.66,.75,3.17,1.84,4.33l.12,9.21H6.43l2.08-6.96c1.7,.09,3.37,.42,4.98,1l9.02,3.28V0L13.48,3.28ZM2.98,7.42c1-1.03,2.34-1.59,3.77-1.59h.82c.82,0,1.63-.07,2.43-.17v10.85c-.8-.1-1.61-.17-2.43-.17h-.57c-2.95,0-5.42-2.28-5.5-5.09-.04-1.43,.48-2.79,1.48-3.82Zm2.33,15.91h-1.86l-.08-6.51c1.05,.63,2.28,.99,3.59,1l-1.64,5.5Zm15.69-3.32l-7-2.55c-.82-.3-1.65-.52-2.5-.7V5.39c.84-.18,1.68-.4,2.5-.7l7-2.55V20Z"/><g><polygon class="cls-1" points="24 9.2 28.14 6.71 27.36 5.43 24 7.45 24 9.2"/><polygon class="cls-1" points="24 14.7 27.36 16.71 28.14 15.43 24 12.95 24 14.7"/><rect class="cls-1" x="24" y="10.32" width="5.75" height="1.5"/></g></g></g></svg>
<span class="promo-body">Check out the free virtual workshops on how to take your SaaS app to the next level in the enterprise-ready identity journey!</span>
<span class="promo-body">See you at Oktane in Las Vegas on October 15-17, 2024. Read more about the activities planned with you mind here.</span>
<!-- <span class="cta">
REGISTER
<span class="code-icon cir-arrow-16"></span>
Expand Down
2 changes: 1 addition & 1 deletion _source/_posts/2022-02-08-cookies-vs-tokens.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ Tokens—or JWTs in this context—are stateless in nature, meaning the server d

* **Multiple storage options**: Tokens can be stored in a number of ways in browsers or front-end applications.

If you use a browser's local storage, tokens can't be accessed by a subdomain. However, they can be accessed and manipulated by any JavaScript code on the webpage, as well as by browser plugins. This isn't a recommended method: first, itposes a security risk, plus you must manage the storage.
If you use a browser's local storage, tokens can't be accessed by a subdomain. However, they can be accessed and manipulated by any JavaScript code on the webpage, as well as by browser plugins. This isn't a recommended method: first, it poses a security risk, plus you must manage the storage.

Session storage is another way to store tokens. The drawback is that the token is destroyed when the browser is closed.

Expand Down
1 change: 1 addition & 0 deletions _source/_posts/2024-02-29-third-party-cookies.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ image: blog/3pc/social.jpg
type: awareness
---

**NOTE**: In July, Google provided an update on their [third-party cookie deprecation effort](https://privacysandbox.com/news/privacy-sandbox-update/). Okta will work with Google to understand the specific impact on Okta customers. In the meantime, we continue to advise customers to migrate away from using third-party cookies, as outlined below.


## What are third-party cookies?
Expand Down
94 changes: 82 additions & 12 deletions _source/_posts/2024-04-30-express-universal-logout.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ While viewing your database locally, you'll also see an org table. By clicking t
- client_secret = ${ClientSecret}
- apikey = 131313

>**Note**: You can also get these OIDC-related endpoints by visiting this metadata URL `https://{yourOktaOrg}/.well-known/openid-configuration` provided by the [Okta Org authorization server](https://developer.okta.com/docs/concepts/auth-servers/#discovery-endpoints-org-authorization-servers).
### Create a test user

To test whether UL works for our app, we'll create a user on Okta whose account we'll forcibly sign out.
Expand Down Expand Up @@ -105,7 +107,7 @@ import { Router } from 'express';
export const universalLogoutRoute = Router();
```

Let's add the UL route to this file:
Let's add the UL route to this file as well:

```ts
import { Router } from 'express';
Expand Down Expand Up @@ -183,22 +185,73 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => {
if (!req.body) {
res.status(400);
}

// Find the user by email linked to the org id associated with the API key provided
const domainOrgId = req['user']['id']

// Find the user
const newRequest:IRequestSchema = req.body;
const { email } = newRequest.sub_id;
const user = await prisma.user.findFirst({
where: {
email: email,
org: { id: domainOrgId },
email: email
},
});

// 404 User not found
// 404 User not found
if (!user) {
res.sendStatus(404);
}

return res.sendStatus(httpStatus);
});

universalLogoutRoute.use((err,req,res,next) => {
if(err){
return res.sendStatus(404)
}
})
```
The apps/api/src/universalLogout.ts file now looks like the following:

```ts
import { Router } from 'express';
export const universalLogoutRoute = Router();
import { PrismaClient } from '@prisma/client';
const prisma = new PrismaClient();

interface IRequestSchema {
'sub_id': {format:string; email: string};
}
universalLogoutRoute.post('/global-token-revocation', async (req, res) => {
// 204 When the request is successful
const httpStatus = 204;

// 400 If the request is malformed
if (!req.body) {
res.status(400);
}

// Find the user
const newRequest:IRequestSchema = req.body;
const { email } = newRequest.sub_id;
const user = await prisma.user.findFirst({
where: {
email: email
},
});

// 404 User not found
if (!user) {
res.sendStatus(404);
}

return res.sendStatus(httpStatus);

});

universalLogoutRoute.use((err,req,res,next) => {
if(err){
return res.sendStatus(404)
}
})
```

>**Checkpoint**: Now is an excellent time to test our code.
Expand Down Expand Up @@ -398,13 +451,30 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => {
res.sendStatus(404);
}

return res.sendStatus(httpStatus);
});

universalLogoutRoute.use((err,req,res,next) => {
if(err){

return res.sendStatus(404)
}
})
```
So now let's do another test to make sure the authentication piece we added is working. We'll need to modify our cURL request to include an Authorization header with a `Bearer 131313`. This should result in a 204 response.

```http
curl --request POST \
--url http://localhost:3333/global-token-revocation \
--header 'Authorization: Bearer 131313' \
--header 'Content-Type: application/json' \
--data '{
"sub_id": {
"format": "email",
"email": "[email protected]"
}
}'
```

Moving right along, now that we have the target user of a specific org. Let's figure out how to target their application session and end it.

Expand Down Expand Up @@ -527,7 +597,7 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => {
}

// Find the user by email linked to the org id associated with the API key provided
const domainOrgId = req['user']['id']
const domainOrgId = req['user']['id']
const newRequest:IRequestSchema = req.body;
const { email } = newRequest.sub_id;
const user = await prisma.user.findFirst({
Expand Down Expand Up @@ -602,7 +672,7 @@ if (!res.ok)
}}
```

The onNewTask function will now look like this:
The `onNewTask` function will now look like this:

```ts
import { useEffect, useState } from 'react';
Expand Down Expand Up @@ -635,8 +705,8 @@ export const Todos = () => {
});

if (!res.ok){if (res.status === 401) {
// Redirect user back to the sign in page
window.location.href = '/';
// Redirect user back to the sign in page
window.location.href = '/';
} else {
// Handle other errors
throw new Error('Error occurred while fetching data');
Expand All @@ -659,7 +729,7 @@ window.location.href = '/';
>**Improve your code**: Notice the code above only handles a 401 response from the server when adding a new task. How might you handle 401 errors globally? You can use fetch or [Axios Interceptor](https://axios-http.com/docs/interceptors). The completed workshop code handles this using fetch; check it out here [Universal Logout Workshop Complete](https://github.com/oktadev/okta-enterprise-ready-workshops/blob/ul-workshop-complete/apps/todo-app/src/app/components/useTodoApi.tsx).
### Revoke a user's tokens
This web application architecture uses cookie-based sessions instead of session tokens to authenticate to the backend resources. However, in the case of mobile apps and single-page applications, you'll need to revoke refresh tokens on the front end. As per the [spec](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation#name-revocation-expectations), written by [Aaron Perecki](https://aaronparecki.com/) a successful sign-out will require revoking a user's refresh token.
This web application architecture uses cookie-based sessions instead of session tokens to authenticate to the backend resources. However, in the case of mobile apps and single-page applications, you'll need to revoke refresh tokens on the front end. As per the [spec](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation#name-revocation-expectations), written by [Aaron Parecki](https://aaronparecki.com/) a successful sign-out will require revoking a user's refresh token.
## Initiate Universal Logout through Okta
This tutorial provides the fundamental steps to creating a UL endpoint to end a user's session or tokens. However, the UL feature isn't available yet; once released, a secondary blog will be posted with further instructions on how to initiate sign-out with Okta. Stay tuned! For now, you can find the completed project [ul-workshop-complete](https://github.com/oktadev/okta-enterprise-ready-workshops/tree/ul-workshop-complete) on our Oktadev GitHub repository.
Expand Down
Loading

0 comments on commit b7b57e1

Please sign in to comment.