-
Notifications
You must be signed in to change notification settings - Fork 65
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into edunham-patch-1
- Loading branch information
Showing
29 changed files
with
1,741 additions
and
18 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+80.5 KB
.../_assets/img/blog/angular-dpop-jwt/bearer-network-users-api-request-headers.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+86.2 KB
_source/_assets/img/blog/angular-dpop-jwt/bearer-network-users-api.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
3 changes: 3 additions & 0 deletions
3
_source/_assets/img/blog/dpop-oauth/token-request-with-nonce.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -40,7 +40,7 @@ maurice-sharp: | |
email: [email protected] | ||
linkedin: https://www.linkedin.com/in/msharp/ | ||
bio: Maurice is a developer, author, and documentation writer. He transitioned to developer documentation after writing a book on coding for iPhone. He went from managing a mobile development team to documenting Apple developer APIs. Then he moved to Okta where he focuses on developer content strategy and writes the occasional article. | ||
Outside of work, he occasionally gives a workshop on designing and delivering engaging stories using a methodology based on cognitive biology and brain function. He's given these to presenters, entrepreneurs pitching VCs, and others. He uses the same methodology for writing documentation. | ||
Outside of work, he occasionally gives a workshop on designing and delivering engaging stories using a methodology based on cognitive biology and brain function. He's given these to presenters, entrepreneurs pitching VCs, and others. He uses the same methodology for writing documentation. | ||
|
||
|
||
victor-ronin: | ||
|
@@ -952,3 +952,18 @@ louie-campagna: | |
avatar: avatar-louie-campagna.jpeg | ||
linkedin: https://www.linkedin.com/in/louie-campagna/ | ||
bio: Louie Campagna is an Okta Developer Support Engineer. He enjoys coding creative solutions to problems and writing scripts to automate processes. Louie's previous experience spans across customer service, desktop engineering, identity and access management and governance, and programming. | ||
|
||
nick-connelly: | ||
full_name: Nick Connelly | ||
display_name: Nick Connelly | ||
avatar: avatar-nick-connelly.jpg | ||
linkedin: https://www.linkedin.com/in/nicholasconnelly/ | ||
bio: Nick Connelly is a seasoned Professional Consultant within the Okta Professional Services team, bringing over a decade of experience in cybersecurity and identity and access management. Passionate about learning new technologies and improving processes, Nick is dedicated to delivering exceptional value for customers by leveraging the latest advancements and best practices in the industry. | ||
|
||
jeff-taylor: | ||
full_name: Jeff Taylor | ||
display_name: Jeff Taylor | ||
avatar: avatar-jeff-taylor.jpg | ||
linkedin: https://www.linkedin.com/in/jeffctaylor/ | ||
github: https://github.com/jefftaylor-okta | ||
bio: Jeff is a Group Product Manager working on our Developer Products for Developers and Operators working with Workforce Identity Cloud including helping Integrators submitting to the Okta Integration Network easily and effectively. Jeff is a champion for Builders on the Okta ecosystem. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -68,6 +68,8 @@ While viewing your database locally, you'll also see an org table. By clicking t | |
- client_secret = ${ClientSecret} | ||
- apikey = 131313 | ||
|
||
>**Note**: You can also get these OIDC-related endpoints by visiting this metadata URL `https://{yourOktaOrg}/.well-known/openid-configuration` provided by the [Okta Org authorization server](https://developer.okta.com/docs/concepts/auth-servers/#discovery-endpoints-org-authorization-servers). | ||
### Create a test user | ||
|
||
To test whether UL works for our app, we'll create a user on Okta whose account we'll forcibly sign out. | ||
|
@@ -105,7 +107,7 @@ import { Router } from 'express'; | |
export const universalLogoutRoute = Router(); | ||
``` | ||
|
||
Let's add the UL route to this file: | ||
Let's add the UL route to this file as well: | ||
|
||
```ts | ||
import { Router } from 'express'; | ||
|
@@ -183,22 +185,73 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => { | |
if (!req.body) { | ||
res.status(400); | ||
} | ||
|
||
// Find the user by email linked to the org id associated with the API key provided | ||
const domainOrgId = req['user']['id'] | ||
|
||
// Find the user | ||
const newRequest:IRequestSchema = req.body; | ||
const { email } = newRequest.sub_id; | ||
const user = await prisma.user.findFirst({ | ||
where: { | ||
email: email, | ||
org: { id: domainOrgId }, | ||
email: email | ||
}, | ||
}); | ||
|
||
// 404 User not found | ||
// 404 User not found | ||
if (!user) { | ||
res.sendStatus(404); | ||
} | ||
|
||
return res.sendStatus(httpStatus); | ||
}); | ||
|
||
universalLogoutRoute.use((err,req,res,next) => { | ||
if(err){ | ||
return res.sendStatus(404) | ||
} | ||
}) | ||
``` | ||
The apps/api/src/universalLogout.ts file now looks like the following: | ||
|
||
```ts | ||
import { Router } from 'express'; | ||
export const universalLogoutRoute = Router(); | ||
import { PrismaClient } from '@prisma/client'; | ||
const prisma = new PrismaClient(); | ||
|
||
interface IRequestSchema { | ||
'sub_id': {format:string; email: string}; | ||
} | ||
universalLogoutRoute.post('/global-token-revocation', async (req, res) => { | ||
// 204 When the request is successful | ||
const httpStatus = 204; | ||
|
||
// 400 If the request is malformed | ||
if (!req.body) { | ||
res.status(400); | ||
} | ||
|
||
// Find the user | ||
const newRequest:IRequestSchema = req.body; | ||
const { email } = newRequest.sub_id; | ||
const user = await prisma.user.findFirst({ | ||
where: { | ||
email: email | ||
}, | ||
}); | ||
|
||
// 404 User not found | ||
if (!user) { | ||
res.sendStatus(404); | ||
} | ||
|
||
return res.sendStatus(httpStatus); | ||
|
||
}); | ||
|
||
universalLogoutRoute.use((err,req,res,next) => { | ||
if(err){ | ||
return res.sendStatus(404) | ||
} | ||
}) | ||
``` | ||
|
||
>**Checkpoint**: Now is an excellent time to test our code. | ||
|
@@ -398,13 +451,30 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => { | |
res.sendStatus(404); | ||
} | ||
|
||
return res.sendStatus(httpStatus); | ||
}); | ||
|
||
universalLogoutRoute.use((err,req,res,next) => { | ||
if(err){ | ||
|
||
return res.sendStatus(404) | ||
} | ||
}) | ||
``` | ||
So now let's do another test to make sure the authentication piece we added is working. We'll need to modify our cURL request to include an Authorization header with a `Bearer 131313`. This should result in a 204 response. | ||
|
||
```http | ||
curl --request POST \ | ||
--url http://localhost:3333/global-token-revocation \ | ||
--header 'Authorization: Bearer 131313' \ | ||
--header 'Content-Type: application/json' \ | ||
--data '{ | ||
"sub_id": { | ||
"format": "email", | ||
"email": "[email protected]" | ||
} | ||
}' | ||
``` | ||
|
||
Moving right along, now that we have the target user of a specific org. Let's figure out how to target their application session and end it. | ||
|
||
|
@@ -527,7 +597,7 @@ universalLogoutRoute.post('/global-token-revocation', async (req, res) => { | |
} | ||
|
||
// Find the user by email linked to the org id associated with the API key provided | ||
const domainOrgId = req['user']['id'] | ||
const domainOrgId = req['user']['id'] | ||
const newRequest:IRequestSchema = req.body; | ||
const { email } = newRequest.sub_id; | ||
const user = await prisma.user.findFirst({ | ||
|
@@ -602,7 +672,7 @@ if (!res.ok) | |
}} | ||
``` | ||
|
||
The onNewTask function will now look like this: | ||
The `onNewTask` function will now look like this: | ||
|
||
```ts | ||
import { useEffect, useState } from 'react'; | ||
|
@@ -635,8 +705,8 @@ export const Todos = () => { | |
}); | ||
|
||
if (!res.ok){if (res.status === 401) { | ||
// Redirect user back to the sign in page | ||
window.location.href = '/'; | ||
// Redirect user back to the sign in page | ||
window.location.href = '/'; | ||
} else { | ||
// Handle other errors | ||
throw new Error('Error occurred while fetching data'); | ||
|
@@ -659,7 +729,7 @@ window.location.href = '/'; | |
>**Improve your code**: Notice the code above only handles a 401 response from the server when adding a new task. How might you handle 401 errors globally? You can use fetch or [Axios Interceptor](https://axios-http.com/docs/interceptors). The completed workshop code handles this using fetch; check it out here [Universal Logout Workshop Complete](https://github.com/oktadev/okta-enterprise-ready-workshops/blob/ul-workshop-complete/apps/todo-app/src/app/components/useTodoApi.tsx). | ||
### Revoke a user's tokens | ||
This web application architecture uses cookie-based sessions instead of session tokens to authenticate to the backend resources. However, in the case of mobile apps and single-page applications, you'll need to revoke refresh tokens on the front end. As per the [spec](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation#name-revocation-expectations), written by [Aaron Perecki](https://aaronparecki.com/) a successful sign-out will require revoking a user's refresh token. | ||
This web application architecture uses cookie-based sessions instead of session tokens to authenticate to the backend resources. However, in the case of mobile apps and single-page applications, you'll need to revoke refresh tokens on the front end. As per the [spec](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation#name-revocation-expectations), written by [Aaron Parecki](https://aaronparecki.com/) a successful sign-out will require revoking a user's refresh token. | ||
## Initiate Universal Logout through Okta | ||
This tutorial provides the fundamental steps to creating a UL endpoint to end a user's session or tokens. However, the UL feature isn't available yet; once released, a secondary blog will be posted with further instructions on how to initiate sign-out with Okta. Stay tuned! For now, you can find the completed project [ul-workshop-complete](https://github.com/oktadev/okta-enterprise-ready-workshops/tree/ul-workshop-complete) on our Oktadev GitHub repository. | ||
|
Oops, something went wrong.