for the last few weeks. Okta adds authentication, authorization, and user management to your application. Okta allows users to sign in to applications using credentials from external social login providers. I will try to explain a few terms used when you are adding Social Identity Providers
The identity provider is all about what users are allowed to do. It is a system entity that offers user authentication as an online service.
An identity provider (abbreviated IdP) is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed networkFrom wikipedia
Add a social Identity Provider in Okta
- Login to Okta Developer console
- Go to Users > Social & Identity Providers
- At the time of writing this article, Okta supports
- the following social login providers:
- Add Identity Provider – Okta provides a tutorial about how to connect to their supported providers.
When I follow the tutorials to integrate social authentication provider with my example application, I did not make it work for the first time. I was confused with some terms. I figured out at the end. I will explain those terms below. This is not specific to any single authentication provider.
What to do
You need redirect_uri to create Social Login providers, and you need external providers app id and a secret to get redirect_uri
In Okta, You can add a provider without the client id and secret, so you need to create the application without submitting “Redirect Uri” in Facebook or Google or other providers. Once you have id and secret you can follow the next step
Adding a provider
When you are on the screen (see below) adding a social provider most of the settings are common. Okta will configure the protocol for you which is noneditable
Client Id and Clinet Secret: When you create the app on social identity provider (facebook, linkedin, etc) they will give you a unique id and secret key for your application
Scopes: Minimum required scopes will be added by default. You may want to add more if you need. These scopes are basically requesting different permissions for the signing user’s account
- AUTHENTICATION SETTINGS
- JIT SETTINGS
Authentication settings: Default values are good enough to start with. If you disable the provision policy JIT settings will be hidden okta documentation about this setting is here
JIT Settings: Setting up JIT here may not just work, you need to enable for the account. Check How do I enable Just in Time Provisioning?
Finally, select Add Identity Provider. After successfully adding the Identity Server I manage to see the provider on the Identity Providers list.
This is the URI you need to add
Your application will use Authorize URL to login via social authentication provider. It may be a link in your HTML page. You must complete the
- client_id: Your application registration id in Okta
- redirect_uri: This is the login action URL of your application. After a user successfully login to social media, it will redirect to okta, okta successfully validates the access token, and then okta will redirect to this page. Most probably, this URL is responsible for challenging the user. One important note, this return URL must be encoded
openidmust be added as scope. For multiple scopes add with a leading space
- response_type: pass code for a hybrid application. Use token or id_token for access or identity token respectively
- response_mode: always fragment
- state: CSRF or WM6D
- nonce: optional, can be anything
Any errors about any wrong setup will be added as a query string to okta redirect
One thing I want to highlight again is there are two return URLs involved in this case. One is from Social provider to Okta return
I have added a brief description of my findings while adding the social login provider with okta. This post is just to keep some noted for the future.
Is this help you to clarify any terms? if the answer is yes, please add a comment to let me know.