Using Social Login providers with Okta

Okta makes it easy to add Social Login providers. I have been investigating Okta
for the last few weeks. Okta adds authentication, authorization, and user management to your application, and it allows users to sign in to applications using credentials from external social login providers. I will try to explain a few terms you meet when you are adding Social Identity Providers.

Identity Provider

The identity provider is all about what users are allowed to do. It is a system entity that offers user authentication as an online service.

An identity provider (abbreviated IdP) is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed network.

From Wikipedia

Add a social Identity Provider in Okta

  • Log in to the Okta Developer console
  • Go to Users > Social & Identity Providers
  • At the time of writing this article, Okta supports the following social login providers:
    • Facebook
    • Google
    • LinkedIn
    • Microsoft

When I followed the tutorials to integrate a social authentication provider with my example application, I could not make it work the first time. I was confused by some of the terms, but I figured them out in the end. I will explain those terms below. This is not specific to any single authentication provider.

What to do

You need a redirect_uri to create Social Login providers, and you need the external provider's app id and secret to get that redirect_uri.

In Okta, you can add a provider without the client id and secret, so you need to create the application without submitting a “Redirect Uri” in Facebook, Google or the other providers. Once you have the id and secret you can follow the next step.

Adding a provider

When you are on the screen (see below) for adding a social provider, most of the settings are common to all providers. Okta configures the protocol for you, and that field is not editable.

Client Id and Client Secret: When you create the app on the social identity provider (Facebook, LinkedIn, etc.), it gives you a unique id and secret key for your application.

Scopes: The minimum required scopes are added by default. You may add more if you need them. These scopes are essentially requests for different permissions on the signing-in user’s account.

Advanced Setting

  1. AUTHENTICATION SETTINGS
  2. JIT SETTINGS

Authentication settings: The default values are good enough to start with. If you disable the provisioning policy, the JIT settings are hidden. The Okta documentation about this setting is here.

JIT Settings: Setting up JIT here may not just work; you also need to enable it for the account. Check “How do I enable Just in Time Provisioning?”

Finally, select Add Identity Provider. After successfully adding the identity provider, I could see it in the Identity Providers list.

Facebook as an identity provider

URIs

Redirect URI

This is the URI you need to add in your social application. For example, you need to add it as App Domains and as Valid OAuth Redirect URIs.

Authorize URL

Your application uses the Authorize URL to log in via the social authentication provider. It may be a link in your HTML page. You must complete the URL; e.g. check here to find the Facebook details. I have added some example values below.

  • client_id: Your application registration id in Okta
  • redirect_uri: This is the login action URL of your application. After a user successfully logs in to the social provider, the provider redirects to Okta; Okta validates the access token and then redirects to this page. Most probably, this URL is responsible for challenging the user. One important note: this return URL must be URL-encoded
  • scope: openid must be included as a scope. Separate multiple scopes with a space
  • response_type: pass code for a hybrid application. Use token or id_token for an access token or an identity token respectively
  • response_mode: always fragment
  • state: a CSRF token, e.g. WM6D
  • nonce: optional, can be anything

Errors

Any error caused by a wrong setup is appended as a query string to the Okta redirect URI. If you land on an error page in Okta, read the full error to learn about the issue.
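The parameter list above and the error handling just described can be tied together in a small helper, shown here as an added example that is not code from the post or from Okta. It assumes a placeholder Okta org URL, client id and application callback URL, and it uses the idp query parameter that Okta's authorize endpoint accepts for routing the login to a specific identity provider (an assumption, not something the post lists). The first function generates a random state and nonce per login attempt, the second builds the authorize URL with the redirect_uri and scope values properly URL-encoded, and the third parses the URL Okta redirects back to, reads the parameters from either the fragment or the query string, rejects any callback whose state does not match the one issued, and returns either the code or the error Okta reported.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Placeholder values (assumptions): replace with your own Okta org URL, the
# client_id of your Okta application registration, and your login action URL.
OKTA_ORG = "https://example-org.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://app.example.com/login/callback"


def new_state_and_nonce():
    """Generate an unguessable state (the CSRF token) and nonce for one login
    attempt. Keep both server-side (or in the session) so the callback can be
    checked against them."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(idp_id, state, nonce, scopes=("openid", "profile", "email"),
                        response_type="code", response_mode="fragment"):
    """Assemble the Okta authorize URL for a social login.

    idp_id is the id of the identity provider configured in Okta (assumed
    parameter name 'idp'). urlencode with quote_via=quote percent-encodes the
    redirect_uri (':' and '/' included) and joins scopes with %20, which is the
    encoding the post says the return URL needs."""
    params = {
        "idp": idp_id,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),          # openid must be present
        "response_type": response_type,     # code / token / id_token
        "response_mode": response_mode,     # fragment, as the post recommends
        "state": state,
        "nonce": nonce,
    }
    return f"{OKTA_ORG}/oauth2/v1/authorize?" + urlencode(params, quote_via=quote)


def parse_callback(callback_url, expected_state):
    """Parse the URL Okta sent the browser back to.

    With response_mode=fragment the parameters live in the fragment; with
    query they are in the query string, which is also where Okta appends
    setup errors. Returns {'code': ...} on success or
    {'error': ..., 'error_description': ...} when Okta reported an error,
    and raises ValueError when the state does not match (possible CSRF or a
    stale login attempt)."""
    parts = urlsplit(callback_url)
    raw = parts.fragment or parts.query
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: rejecting callback")
    if "error" in params:
        return {"error": params["error"],
                "error_description": params.get("error_description", "")}
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return {"code": params["code"]}


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print(build_authorize_url("0oaEXAMPLEIDPID", state, nonce))
    # Constructed sample callback, as the browser would receive it:
    print(parse_callback(f"{REDIRECT_URI}#code=AAA&state={state}", state))
```

Read the full error_description that comes back on a failed setup, as the post advises: the value is Okta's own explanation of which setting (scope, redirect URI, client id) did not match.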

Takeaway

One thing I want to highlight again is that there are two return URLs involved in this case. One is the return URL from the social provider to Okta, and the other is the return URL from Okta to your application.

I have added a brief description of my findings while adding a social login provider with Okta. This post is just to keep some notes for the future.

Did this help you clarify any terms? If the answer is yes, please add a comment to let me know.

3 thoughts on “Using Social Login providers with Okta”

    1. Thanks for your feedback. Both of them are doing their job really well. IdentityServer4 is an open source project, so if you are happy to do the dev work and you have enough time, then using IdS4 may reduce your cost. With Okta, you could go live in two weeks (greenfield). Basically, use something that is appropriate for your use case.

I would like to hear your thoughts