
Comments (10)

bdemers commented on May 30, 2024

Hey @vekdeq!

What call is failing? What is the error you are seeing? What have you tried so far?

from okta-auth-java.

vekdeq commented on May 30, 2024

Hi Brian,

Thanks for the quick response!! Here is the code:

public boolean isUserAuthenticated(String uid, String pwd) {
    try {
        AuthenticationResponse response = oktaAuthClient.authenticate(uid, pwd.toCharArray(), null, null);
        // Authenticated only when Okta reports SUCCESS and issues a session token.
        return response != null
                && response.getSessionToken() != null
                && response.getStatus() == AuthenticationStatus.SUCCESS;
    } catch (AuthenticationException e) {
        // Also thrown for STAGED users: Okta answers HTTP 401 / E0000004.
        LOGGER.error("---- Unable to Authenticate User : ----" + uid, e);
        return false;
    }
}

We are getting an AuthenticationException. The moment we activate the user from the Okta portal, it goes through. The exception trace is as below:

 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.okta.sdk.resource.ResourceException: HTTP 401, Okta E0000004 (Authentication failed), ErrorId oaecVQ9r54bStaWdl1SHc4yyQ
        at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:453)

Okta Support replied to the case just now:

When a user has a staged status, it needs to be activated first with https://developer.okta.com/docs/reference/api/users/#activate-user, and only then will the auth work.

So it seems we have hit a roadblock now.

Vivek V. Bedekar


bdemers commented on May 30, 2024

Are you using the temporary password for this attempt?


vekdeq commented on May 30, 2024

Yeah - the pwd which we / the application create as part of the createUser API call, as below:

String tempPwd = generatePassword(10);
UserBuilder.instance()
    .setEmail(email)
    .setFirstName(firstname)
    .setLastName(lastName)
    .setLogin(email)
    .setPassword(tempPwd.toCharArray())
    .setActive(false) // user is created without activation and shows as Staged
    //.addGroup(TODO)
    .buildAndCreate(oktaClient);

return tempPwd;


bdemers commented on May 30, 2024

This inactive user was allowed to authenticate in other places? Or are the users ACTIVE when you attempt to log in directly with Okta?


vekdeq commented on May 30, 2024

It's not an inactive user - the status says staged on the Okta dashboard below. Should I try creating without .setActive(false)?

Test DRO [email protected] [email protected] Staged
  TEST RCO [email protected] [email protected]


bdemers commented on May 30, 2024

Yes, .setActive(true) would allow the user to log in.


vekdeq commented on May 30, 2024

Yeah - but we don't want the user to do that until he completes the other formalities which are built as part of the account setup app/flow on our side. Hence, we need the temp pwd to authenticate the user and then force him to complete account setup, which includes setting a permanent pwd & other steps. Until that time, we were hoping to keep the user in staged status and activate after account setup is complete.

The reason for not activating upfront is that the user can then log in to the actual site using the temp pwd (without completing the other legal formalities). I think I have a workaround for it, as below:

Activate the user on approval, but don't add the user to a group - only an Okta user.
Add to group & apps on completing account setup - Okta + our apps.

I hope it works. A question on that:
How to add groups dynamically - do you have any property file configuration for that? The group ID will be different across environments.

Vivek V. Bedekar


bdemers commented on May 30, 2024

@vekdeq I'm not sure I'm following; you want the user to be able to log in from one place but not another?

I think you will need to take another approach, like a role/group check.

You should also take a look at our new Hooks (specifically the registration hook: https://developer.okta.com/docs/reference/registration-hook/#see-also).

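The role/group check suggested above, combined with the per-environment group ID asked about earlier in the thread, could look like the following. This is an added example, not code from the thread or from the Okta SDK; the class name `AccountSetupGate`, the property key `app.okta.setupCompleteGroupId` and the group IDs are hypothetical, and the caller is assumed to supply the user's status and group IDs after a successful authentication.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.Set;

// Hypothetical gate: an activated user gets full access only after the
// account-setup flow has added them to the "setup complete" group.
public class AccountSetupGate {
    public enum Access { DENY, SETUP_ONLY, FULL }

    private final String setupCompleteGroupId;

    // The group id differs per environment, so it is read from that
    // environment's properties. Fail closed: a missing or blank id must
    // stop startup rather than silently widen access.
    public AccountSetupGate(Properties env) {
        String id = env.getProperty("app.okta.setupCompleteGroupId", "").trim();
        if (id.isEmpty()) {
            throw new IllegalStateException("app.okta.setupCompleteGroupId is not configured");
        }
        this.setupCompleteGroupId = id;
    }

    // userStatus is the Okta user status (STAGED, ACTIVE, ...);
    // groupIds are the ids of the groups the authenticated user belongs to.
    public Access decide(boolean authenticated, String userStatus, Set<String> groupIds) {
        if (!authenticated || !"ACTIVE".equals(userStatus)) {
            return Access.DENY;          // staged users cannot authenticate at all
        }
        return groupIds.contains(setupCompleteGroupId)
                ? Access.FULL            // setup finished, group membership granted
                : Access.SETUP_ONLY;     // temp password accepted, setup flow only
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration for one environment.
        Properties dev = new Properties();
        dev.load(new StringReader("app.okta.setupCompleteGroupId=00g-EXAMPLE-DEV\n"));
        AccountSetupGate gate = new AccountSetupGate(dev);

        System.out.println(gate.decide(false, "STAGED", Set.of()));
        System.out.println(gate.decide(true, "ACTIVE", Set.of("00g-EXAMPLE-OTHER")));
        System.out.println(gate.decide(true, "ACTIVE", Set.of("00g-EXAMPLE-DEV")));
    }
}
```

The check has to run server-side in every application the user can reach; the setup flow itself is the only place that should accept `SETUP_ONLY`.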

bdemers commented on May 30, 2024

I'm going to close this issue, as this is the intended result (you cannot log in with a user that is deactivated).

