Proxy support for Okta DPoP.

[Sw1m1k]

Describe the feature request?

Hello,

I am exploring the possibility of using a reverse proxy in front of Okta for additional security. When DPoP is enabled, OAuth client generate DPoP proofs with the 'htu' claim set to the issuer URL. However, Okta validates the 'htu' claim against its own authorization server URL and because the 'htu' value is the proxy URL and not the Okta authorization server URL, DPoP validation fails.

Would it be possible to enhance okta-auth-js library to support proxy scenarios, where the htu claim may be populated directly in config?

Happy to hear any suggestions.

Thank You.

New or Affected Resource(s)

Okta DPoP support with a proxy.

Provide a documentation link

No response

Additional Information?

No response

[jaredperreault-okta]

Thanks for reaching out! I've engaged some teams internally regarding this request. Updates to come

[jaredperreault-okta]

@Sw1m1k Just curious, did you explore configuring an Okta Custom Domain in conjunction with your proxy?

[Sw1m1k]

@jaredperreault-okta Yes, I attempted it, but I couldn't configure Brand and Authorization Server in a needed way to fully support proxy in front of it. Thanks.

[jaredperreault-okta]

@Sw1m1k Can you expand on what the blockers were?

[Sw1m1k]

Hello @jaredperreault-okta,

To enable support for a proxy (with DPoP enabled), the following two changes would need to be implemented in Okta:

1. The Okta Authorization Server URL should be accessible under a "some" Okta URL (e.g., idp-test.com), allowing the proxy to properly route traffic to Okta.
2. The Okta Authorization Server should support accepting a custom value in the 'htu' claim. (e.g., proxy-test.com)

Currently, I couldn’t find a way to address both of these requirements.
While the Custom Domain functionality in Okta allows making Okta available under a custom domain (e.g., idp-test.com), it does not resolve the issue where the "htu" claim does not match the Okta issuer-defined URL.
In my case, the "htu" claim would still not equal the Okta URL (idp-test.com), leading to the same problem.

[jaredperreault-okta]

While the Custom Domain functionality in Okta allows making Okta available under a custom domain (e.g., idp-test.com), it does not resolve the issue where the "htu" claim does not match the Okta issuer-defined URL.
In my case, the "htu" claim would still not equal the Okta URL (idp-test.com), leading to the same problem

With a custom domain, your issuer URL becomes the URL you configure. So if you configure auth.idp-test.com to be your custom domain, the issuer will become auth.idp-test.com and therefore the htu claim will reflect the same

I asked around and we are hesitate to support this pattern because there will be other possible instances of the dissimilar domains causing problems (similar to the htu claim issue you're experiencing). The server does not support this pattern, so the open question is "should the client?".

I'm trying to see if the custom domain can satisfy your requirements instead

[Sw1m1k]

Just to summarize:
Proxy is available at: "auth.proxy-test.com"
Okta is available at: "auth.idp-test.com"

The client communicates with the proxy URL (auth.proxy-test.com) and sends this URL to the proxy in 'htu' claim. The proxy then forwards the request to Okta. However, Okta blocks the request because the 'htu' claim contains the proxy URL instead of the Okta URL.
If I configure a custom domain for Okta to use (auth.proxy-test.com) as the issuer, the Okta Authorization Server will then be available under "auth.proxy-test.com". This would mean that the proxy cannot use the same address since it would already be reserved.

I believe this could be a valuable feature, even if the server doesn’t currently support it now, as it would eliminate the need for clients to write custom SDKs to support it.

Thanks.