Authorization flows and responses for the following authentication setup:

```json
"host": {
  "authentication": {
    "provider": "AzureAD",
    "jwt": {
      "audience": "api://dab",
      "issuer": "https://{OKTA_TENANT}/oauth2/{AUTH_SERVER_ID}"
    }
  }
}
"permissions": [
  {
    "role": "authenticated",
    "actions": [
      {
        "action": "execute"
      }
    ]
  }
]
```

Case 1 - No Bearer access token present in Authorization header

Response: 403 (valid)

```json
{
  "error": {
    "code": "AuthorizationCheckFailed",
    "message": "Authorization Failure: Access Not Allowed.",
    "status": 403
  }
}
```

Case 2 - Expired access token in Authorization header

Response: 401

```
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Thu, 24 Oct 2024 08:53:43 GMT
< Server: Kestrel
< WWW-Authenticate: Bearer error="invalid_token", error_description="The token expired at '10/03/2024 07:26:44'"
< x-ms-correlation-id: 44c0b940-af30-4ca2-8c2e-faf358350808
* Connection #9 to host localhost left intact
```

Case 3 - Valid Bearer access token issued by Okta

Response: 401

```
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< Date: Thu, 24 Oct 2024 09:18:10 GMT
< Server: Kestrel
< WWW-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"
< x-ms-correlation-id: 4cb07176-7acb-4db3-a7fc-c9e8656d3758
* Connection #11 to host localhost left intact
```
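As an added illustration (not DAB's code and not posted in the thread): a minimal bearer-token check that reproduces the three outcomes above, using a constructed HS256 key set keyed by `kid` in place of the provider's published JWKS. The key lookup step is where a token whose `kid` is absent from the key set the validator holds is rejected with the "signature key was not found" message, regardless of whether it verifies against some other JWKS; the audience and issuer values are the ones from the configuration above, and `PROVIDER_KEYS`, `mint_token` and `authorize` are names chosen for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key set keyed by kid, standing in for the JWKS the
# configured identity provider publishes (HS256 so it runs offline).
PROVIDER_KEYS = {"provider-kid-1": b"constructed-demo-secret"}
AUDIENCE = "api://dab"
ISSUER = "https://{OKTA_TENANT}/oauth2/{AUTH_SERVER_ID}"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid, key, exp):
    """Build an HS256 JWT; only used to construct the sample requests."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps({"aud": AUDIENCE, "iss": ISSUER, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(authorization_header, now=None):
    """Return (status, detail) mirroring the three outcomes in the thread."""
    now = int(time.time()) if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        # No credential: the caller is anonymous, and only the 'authenticated'
        # role is granted 'execute' in the permissions above, so deny.
        return 403, "AuthorizationCheckFailed"
    try:
        h, p, s = authorization_header[len("Bearer "):].split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:
        return 401, "invalid_token: malformed token"
    if header.get("alg") != "HS256":
        return 401, "invalid_token: unexpected alg"  # never trust the token's alg blindly
    key = PROVIDER_KEYS.get(header.get("kid"))
    if key is None:
        # The kid is not in the key set this validator holds. A token that is
        # perfectly valid against a different JWKS still fails here.
        return 401, "invalid_token: The signature key was not found"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return 401, "invalid_token: signature mismatch"
    if claims.get("exp", 0) <= now:
        return 401, "invalid_token: The token expired"
    if claims.get("aud") != AUDIENCE or claims.get("iss") != ISSUER:
        return 401, "invalid_token: audience or issuer mismatch"
    return 200, "OK"
```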
Hey guys,
Is it possible to configure authentication to work directly with Okta? To be more specific, can I specify, for the JWT configuration that is part of the host authentication setup, the audience and issuer of an Okta Authorization Server created specifically for protecting the APIs exposed by DAB? I don't want to add an extra configuration hop in Azure services.
In terms of authentication providers, currently the following are supported:
enabled and configured (EasyAuth).
I have tried using the AzureAD provider with aud and issuer values from Okta. When passing a JWT issued by Okta I am getting a 401 with invalid key id (kid). The kid from the JWT header matches 100% the key id present in my Okta Authorization Server JWKS endpoint. So clearly the signature is valid.
Thank you,
Iulian