Add Okta to the list of supported providers

2 years ago · 8b590c67cd
3 changed files with 50 additions and 6 deletions
--- a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
+++ b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
@ -58,16 +58,22 @@ public class InteractiveService : BackgroundService

                    if (result.VerificationUriComplete is not null)
                    {
-                        AnsiConsole.MarkupLineInterpolated(
-                            $"[yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the displayed code is '{result.UserCode}' to complete the authentication demand.[/]");
+                        AnsiConsole.MarkupLineInterpolated($"""
+                            [yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the
+                            displayed code is '{result.UserCode}' to complete the authentication demand.[/]
+                            """);
                    }

                    else
                    {
-                        AnsiConsole.MarkupLineInterpolated(
-                            $"[yellow]Please visit [link]{result.VerificationUri}[/] and enter '{result.UserCode}' to complete the authentication demand.[/]");
+                        AnsiConsole.MarkupLineInterpolated($"""
+                            [yellow]Please visit [link]{result.VerificationUri}[/] and enter
+                            '{result.UserCode}' to complete the authentication demand.[/]
+                            """);
                    }

+                    AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
                    // Wait for the user to complete the demand on the other device.
                    principal = (await _service.AuthenticateWithDeviceAsync(new()
                    {
@ -90,6 +96,8 @@ public class InteractiveService : BackgroundService
                        ProviderName = provider
                    });

+                    AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
                    // Wait for the user to complete the authorization process.
                    principal = (await _service.AuthenticateInteractivelyAsync(new()
                    {
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@ -706,6 +706,21 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                    _ => context.SendUserinfoRequest
                },

+                // Note: some providers don't allow querying the userinfo endpoint when the "openid" scope
+                // is not requested or granted. To work around that, userinfo is disabled when the "openid"
+                // scope wasn't requested during the initial authorization request or during the token request.
+                ProviderTypes.Okta => context.GrantType switch
+                {
+                    GrantTypes.AuthorizationCode or GrantTypes.Implicit when
+                        context.StateTokenPrincipal is ClaimsPrincipal principal && !principal.HasScope(Scopes.OpenId)
+                        => false,
+
+                    GrantTypes.DeviceCode or GrantTypes.RefreshToken when !context.Scopes.Contains(Scopes.OpenId)
+                        => false,
+
+                    _ => context.SendUserinfoRequest
+                },
+
                _ => context.SendUserinfoRequest
            };

--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@ -711,6 +711,27 @@
    </Environment>
  </Provider>

+  <!--
+                                                ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                                ██ ▄▄▄ ██ █▀▄█▄▄ ▄▄█ ▄▄▀██
+                                                ██ ███ ██ ▄▀████ ███ ▀▀ ██
+                                                ██ ▀▀▀ ██ ██ ███ ███ ██ ██
+                                                ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Okta" Id="f225bf31-d16f-4580-b276-79f5fe270562"
+            Documentation="https://developer.okta.com/docs/reference/api/oidc/">
+    <!--
+      Note: Okta is a multitenant identity provider that doesn't have a generic
+      issuer URI. As such, the complete URI must always be set in the options.
+    -->
+
+    <Environment Issuer="{settings.Issuer}" />
+
+    <Setting PropertyName="Issuer" ParameterName="issuer" Type="Uri" Required="true"
+             Description="The URI used to access the Okta instance (e.g https://fabrikam.okta.com/)" />
+  </Provider>
+
  <!--
                                        ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                        ██ ▄▄ █ ▄▄▀█▄▄ ▄▄██ ▄▄▀██ ▄▄▄██ ▄▄▄ ██ ▀██ ██
@ -1403,8 +1424,8 @@
                                        ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
  -->

-  <Provider Name="WorldId" Id="cd8724ff-2413-4dd5-a18d-5979c9ddaa14"
-            DisplayName="World ID" Documentation="https://docs.worldcoin.org/reference/sign-in">
+  <Provider Name="WorldId" DisplayName="World ID" Id="cd8724ff-2413-4dd5-a18d-5979c9ddaa14"
+            Documentation="https://docs.worldcoin.org/reference/sign-in">
    <Environment Issuer="https://id.worldcoin.org/" />
  </Provider>