1
votes

I'm testing proof of concept using php, no frameworks. I want to use Onelogin with the OpenID connect flow to confirm the identity of an existing user (already setup on Onelogin) with Onelogin and then get redirected to my login page to finish the process. I cannot find similar issues answered so here i am.

Using https://developers.onelogin.com/openid-connect/api/authorization-code i've set up the first api call with the OpenId Connect (OIDC) -> SSO -> Application Type set to Web and Token endpoint set to POST. With this i am able to go through the flow once successfully back to my test system login. But this doesn't pass back any user identifiable information so i cannot confirm the user on our db system.

As far as I can tell in all examples here i am logging into Onelogin and using the MFA okay. I have Google Auth on my phone. All looks good. I can then confirm i am logged into Onelogin under my test user.

The test user has no Privileges as my end user will be only using Onelogin to confirm identity on my final system.

So i guess this is fine if someone does not care about confirming the user on the initiating system. But i do need that so unless i missed something i can't use that way (Web).

Also i seem to be able to login and get redirected back to my test system login once using this but then if i try again soon after i get UnauthorizedError. Which makes me think of logging the user out of Onelogin first but no, logging user out between has no effect.

So then i tried setting Application Type set to Native hoping that we get redirected back to my redirect URL i've set in the App but I then keep getting UnauthorizedError after MFA and i can't seem to get past this bit even after checking over the Roles, Policies and App settings.

I've tried Token Endpoint to all the options but i still get UnauthorizedError after MFA or I get logged into Onelogin but I don't get redirected to my test login url set in the App settings.

Now at a loss and need help.

edited to add- the user has been added to the app which i can confirm via the app and the user. Also i can see that within the Activity for my user i can see it says 'logged into Openid Connect (OIDC)'. So it seems like i am getting logged in but i am still getting an UnauthorizedError 401.

2

2 Answers

0
votes

Authentication is performed first, then authorization. So if you are authenticating to Onelogin OK, and are recieving an "Unauthorized" error, then all things being equal the OIDC app you have configured in Onelogin does not have you user assigned to it, either directly or through a Onelogin role.

So, check your app. Go to the Access tab. See who the app is assigned to. Confirm your test user is assigned to that role. Or go to the Users tab and check there whether your user is assigned.

0
votes

The comment from @nial_atlasidentity is correct. The most likely answer here is that your user is not assigned to your OIDC app.

Once you have the user assigned you will be able to complete the second part of the Auth Code Flow and gain the user information from the id_token that is returned. You can also use the access_token that is returned to get user details from the User Info Endpoint.

If you want to test the flow and inspect the content of the tokens returned I recommend using the OIDC Inspector tool.