- The Metadata URI of the Authorization Server for your Okta Application. + Your Okta account domain.
- The OIDC Configuration URI. This field is derived from the value in the OAuth Authorization Server URI field. + The OIDC Configuration URI. This field is derived from the value in the Okta Account Domain field.
@@ -123,7 +123,7 @@ defmodule Web.Settings.IdentityProviders.Okta.Components do |> Enum.join("\n") end - def visible?(value) do + defp visible?(value) do case value do nil -> false "" -> false diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/okta/edit.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/okta/edit.ex index c2be08402..5027c0f8c 100644 --- a/elixir/apps/web/lib/web/live/settings/identity_providers/okta/edit.ex +++ b/elixir/apps/web/lib/web/live/settings/identity_providers/okta/edit.ex @@ -44,7 +44,7 @@ defmodule Web.Settings.IdentityProviders.Okta.Edit do def handle_event("change", %{"provider" => attrs}, socket) do attrs = attrs - |> put_discovery_document_uri() + |> Map.update("adapter_config", %{}, &put_discovery_document_uri/1) changeset = Auth.change_provider(socket.assigns.provider, attrs) @@ -56,6 +56,7 @@ defmodule Web.Settings.IdentityProviders.Okta.Edit do def handle_event("submit", %{"provider" => attrs}, socket) do attrs = attrs + |> Map.update("adapter_config", %{}, &put_discovery_document_uri/1) |> Map.update("adapter_config", %{}, &put_api_base_url/1) with {:ok, provider} <- @@ -74,22 +75,32 @@ defmodule Web.Settings.IdentityProviders.Okta.Edit do end defp put_api_base_url(adapter_config) do - uri = URI.parse(adapter_config["discovery_document_uri"]) - Map.put(adapter_config, "api_base_url", "#{uri.scheme}://#{uri.host}") + api_base_url = create_api_base_url(adapter_config["okta_account_domain"]) + + Map.put(adapter_config, "api_base_url", api_base_url) end - defp put_discovery_document_uri(attrs) do - config = attrs["adapter_config"] + defp put_discovery_document_uri(adapter_config) do + api_base_url = create_api_base_url(adapter_config["okta_account_domain"]) - oidc_uri = - String.replace_suffix( - config["oauth_uri"], - "oauth-authorization-server", - "openid-configuration" - ) + Map.put( + adapter_config, + "discovery_document_uri", + "#{api_base_url}/.well-known/openid-configuration" + ) + end - config = Map.put(config, "discovery_document_uri", oidc_uri) + # This is done for easier testing. Production should only use 'https' and Okta domains, + # but in dev and test there are times when putting an explicit URI is useful. + if Mix.env() in [:dev, :test] do + defp create_api_base_url(okta_account_domain) do + uri = URI.parse(okta_account_domain) - Map.put(attrs, "adapter_config", config) + if uri.scheme, do: okta_account_domain, else: "https://#{okta_account_domain}" + end + else + defp create_api_base_url(okta_account_domain) do + "https://#{okta_account_domain}" + end end end diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/okta/new.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/okta/new.ex index 2540ee5b8..29e8b7f85 100644 --- a/elixir/apps/web/lib/web/live/settings/identity_providers/okta/new.ex +++ b/elixir/apps/web/lib/web/live/settings/identity_providers/okta/new.ex @@ -54,7 +54,7 @@ defmodule Web.Settings.IdentityProviders.Okta.New do attrs = attrs |> Map.put("adapter", :okta) - |> put_discovery_document_uri() + |> Map.update("adapter_config", %{}, &put_discovery_document_uri/1) changeset = Auth.new_provider(socket.assigns.account, attrs) @@ -66,6 +66,7 @@ defmodule Web.Settings.IdentityProviders.Okta.New do def handle_event("submit", %{"provider" => attrs}, socket) do attrs = attrs + |> Map.update("adapter_config", %{}, &put_discovery_document_uri/1) |> Map.update("adapter_config", %{}, &put_api_base_url/1) |> Map.put("id", socket.assigns.id) |> Map.put("adapter", :okta) @@ -95,22 +96,32 @@ defmodule Web.Settings.IdentityProviders.Okta.New do end defp put_api_base_url(adapter_config) do - uri = URI.parse(adapter_config["discovery_document_uri"]) - Map.put(adapter_config, "api_base_url", "#{uri.scheme}://#{uri.host}") + api_base_url = create_api_base_url(adapter_config["okta_account_domain"]) + + Map.put(adapter_config, "api_base_url", api_base_url) end - defp put_discovery_document_uri(attrs) do - config = attrs["adapter_config"] + defp put_discovery_document_uri(adapter_config) do + api_base_url = create_api_base_url(adapter_config["okta_account_domain"]) - oidc_uri = - String.replace_suffix( - config["oauth_uri"], - "oauth-authorization-server", - "openid-configuration" - ) + Map.put( + adapter_config, + "discovery_document_uri", + "#{api_base_url}/.well-known/openid-configuration" + ) + end - config = Map.put(config, "discovery_document_uri", oidc_uri) + # This is done for easier testing. Production should only use 'https' and Okta domains, + # but in dev and test there are times when putting an explicit URI is useful. + if Mix.env() in [:dev, :test] do + defp create_api_base_url(okta_account_domain) do + uri = URI.parse(okta_account_domain) - Map.put(attrs, "adapter_config", config) + if uri.scheme, do: okta_account_domain, else: "https://#{okta_account_domain}" + end + else + defp create_api_base_url(okta_account_domain) do + "https://#{okta_account_domain}" + end end end diff --git a/elixir/apps/web/test/web/live/settings/identity_providers/okta/edit_test.exs b/elixir/apps/web/test/web/live/settings/identity_providers/okta/edit_test.exs index f71ac33da..461c4304f 100644 --- a/elixir/apps/web/test/web/live/settings/identity_providers/okta/edit_test.exs +++ b/elixir/apps/web/test/web/live/settings/identity_providers/okta/edit_test.exs @@ -55,7 +55,7 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.EditTest do "provider[adapter_config][client_id]", "provider[adapter_config][client_secret]", "provider[adapter_config][discovery_document_uri]", - "provider[adapter_config][oauth_uri]", + "provider[adapter_config][okta_account_domain]", "provider[name]" ] end @@ -67,11 +67,10 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.EditTest do conn: conn } do bypass = Domain.Mocks.OpenIDConnect.discovery_document_server() + api_base_url = "http://localhost:#{bypass.port}" adapter_config_attrs = - Fixtures.Auth.openid_connect_adapter_config( - oauth_uri: "http://localhost:#{bypass.port}/.well-known/oauth-authorization-server" - ) + Fixtures.Auth.openid_connect_adapter_config(okta_account_domain: api_base_url) adapter_config_attrs = Map.drop(adapter_config_attrs, [ @@ -100,8 +99,7 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.EditTest do |> render_submit(%{ provider: %{ adapter_config: %{ - "discovery_document_uri" => - "http://localhost:#{bypass.port}/.well-known/openid-configuration" + "discovery_document_uri" => "#{api_base_url}/.well-known/openid-configuration" } } }) @@ -119,11 +117,10 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.EditTest do assert provider.adapter_config["client_id"] == adapter_config_attrs["client_id"] assert provider.adapter_config["client_secret"] == adapter_config_attrs["client_secret"] - assert provider.adapter_config["oauth_uri"] == - "http://localhost:#{bypass.port}/.well-known/oauth-authorization-server" + assert provider.adapter_config["okta_account_domain"] == api_base_url assert provider.adapter_config["discovery_document_uri"] == - "http://localhost:#{bypass.port}/.well-known/openid-configuration" + "#{api_base_url}/.well-known/openid-configuration" end test "renders changeset errors on invalid attrs", %{ @@ -133,11 +130,10 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.EditTest do conn: conn } do bypass = Domain.Mocks.OpenIDConnect.discovery_document_server() + api_base_url = "http://localhost:#{bypass.port}" adapter_config_attrs = - Fixtures.Auth.openid_connect_adapter_config( - oauth_uri: "http://localhost:#{bypass.port}/.well-known/oauth-authorization-server" - ) + Fixtures.Auth.openid_connect_adapter_config(okta_account_domain: api_base_url) adapter_config_attrs = Map.drop(adapter_config_attrs, [ diff --git a/elixir/apps/web/test/web/live/settings/identity_providers/okta/new_test.exs b/elixir/apps/web/test/web/live/settings/identity_providers/okta/new_test.exs index 26898d2ce..ca26d4809 100644 --- a/elixir/apps/web/test/web/live/settings/identity_providers/okta/new_test.exs +++ b/elixir/apps/web/test/web/live/settings/identity_providers/okta/new_test.exs @@ -46,7 +46,7 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.NewTest do "provider[adapter_config][_persistent_id]", "provider[adapter_config][client_id]", "provider[adapter_config][client_secret]", - "provider[adapter_config][oauth_uri]", + "provider[adapter_config][okta_account_domain]", "provider[name]" ] end @@ -57,11 +57,10 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.NewTest do conn: conn } do bypass = Domain.Mocks.OpenIDConnect.discovery_document_server() + api_base_url = "http://localhost:#{bypass.port}" adapter_config_attrs = - Fixtures.Auth.openid_connect_adapter_config( - oauth_uri: "http://localhost:#{bypass.port}/.well-known/oauth-authorization-server" - ) + Fixtures.Auth.openid_connect_adapter_config(okta_account_domain: api_base_url) adapter_config_attrs = Map.drop(adapter_config_attrs, [ @@ -90,8 +89,7 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.NewTest do |> render_submit(%{ provider: %{ adapter_config: %{ - "discovery_document_uri" => - "http://localhost:#{bypass.port}/.well-known/openid-configuration" + "discovery_document_uri" => "#{api_base_url}/.well-known/openid-configuration" } } }) @@ -162,7 +160,8 @@ defmodule Web.Live.Settings.IdentityProviders.Okta.NewTest do assert form_validation_errors(form) == %{ "provider[name]" => ["should be at most 255 character(s)"], "provider[adapter_config][client_id]" => ["can't be blank"], - "provider[adapter_config][oauth_uri]" => ["can't be blank"] + "provider[adapter_config][okta_account_domain]" => ["can't be blank"], + "provider[adapter_config][discovery_document_uri]" => ["is not a valid URL"] } end) end