Okta: Setting up the Sign-in Widget with All Custom Redirect Options

This article will guide through the various redirect settings together with the sign-in widget from Okta. This post will focus on redirects with social login, routing rules and email.

Please be aware, that the following article was only tested with Okta Classic Engine.
If you’re not sure which solution you’re using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs.

A custom hosted sign-in widget from Okta is the perfect way to both reduce development effort, by using a library with a ton of pre-existing features, and at the same time having full flexibility on design and configuration. Using a custom hosted solution typically comes with the need to redirect a user to a custom page. Redirection to a custom page is needed for example after authentication. Due to the necessary redirect to an external page for e.g. social authentication, the redirect back to the custom page doesn't always work as expected. Sometimes the user ends up in the Okta End User Dashboard. This leads to confusion for the user and so a bad user experience.

This guide will show you: 

  • How to set up a sample application with a self hosted sign-in widget 
  • Configure the target redirect after social authentication (e.g. with Facebook or Apple)
  • Configure the target redirect with the IDP discovery feature
  • Set up custom redirect targets for emails (e.g. verification email)

Prerequisites

To work with this guide, you need to have the following: 

If you are using the example with NodeJS, you need also a recent version of Node.js and git downloaded and installed

Setup sample application with custom login page

For this example we will use the Okta + NodeJS + Express sample with custom login page: https://github.com/okta/samples-nodejs-express-4/tree/master/custom-login 


Start deployment with: 

git clone https://github.com/okta/samples-nodejs-express-4.git
cd samples-nodejs-express-4/
npm install


In your Okta Admin Dashboard create a new OIDC app by navigating to Applications > Add Application > select Web, and click Next. Fill in the following values:

Write down your client id and client secret. 


Create a file with the name testenv and add the following values:

ISSUER=https://<YourOktaURL>/oauth2/default
CLIENT_ID=123xxxxx123
CLIENT_SECRET=1234XXX


Run your application with: 

npm run custom-login-server


Now navigate to http://localhost:8080 in your browser.


If you see a homepage that prompts you to login, then things are working! Clicking the Log in button will render a custom login page, served by the Express application, that uses the Okta Sign-In Widget to perform the authentication.


Note: If you are currently using your Okta Tenant, you already have a Single Sign-On (SSO) session for your Org. You will be automatically logged into your application as the same user that is using your Okta Tenant. You may want to use an incognito tab to test the flow fully. 


If you go to My Profile in the left menu, you should see the data provided by Okta. 


Customization of your sign-in widget can be done by editing the file common/views/custom-login.mustache 

Sign-in Widget with Social Login with custom redirect 

Using a social login provider for authentication is a good way to enhance user experience in B2C scenarios. In this section we will set up social authentication with Facebook and the custom hosted sign-in widget and configure the redirect routes. 


Your  configuration for the sign-in widget in the file common/views/custom-login.mustache will currently look like:

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}',  // e.g. https://dev-1234.oktapreview.com
     });


To enable a button for Facebook, you need to add the configuration option idps:

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}',  // e.g. https://dev-1234.oktapreview.com
       idps: [
         {type: 'Facebook', id: 'IdpIdFromFacebook'}
       ]
     });


You can find your IdP ID in your Admin Dashboard from your Okta Tenant in the section 

SecurityIdentity Providers


Restart your application and the Login screen will look like this: 

If you use Facebook to login, you will not be redirected to your NodeJS example application. Instead, the browser will show you the End User Dashboard from Okta. To have a proper redirect back to your application, you will need to configure the option “relayState” as shown below: 

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}',  // e.g. https://dev-1234.oktapreview.com
       relayState: 'http://localhost:8080/authorization-code/callback',
       idps: [
         {type: 'Facebook', id: 'IdpIdFromFacebook'}
       ]
     });


Try to sign-in again with Facebook, and your browser should redirect you back to the sample application. 


Using a custom domain

If you are using a custom domain, please make sure that the settings for the IdP and authorization server both show the same domain. If this is not configured correctly, cookies can't be exchanged properly in the authentication, and your user is required to authenticate again, after the redirect back from Facebook. 

  • Facebook IdP settings in Okta
  1. Go to SecurityIdentity Provider 
  2. On the Facebook item click on ConfigureConfigure Identity Provider
  3. Redirect Domain: Custom URL
  • Authorization Server
  1. Go to SecurityAPI 
  2. Edit your authorization server (if you followed the guide above: default)
  3. Click on Edit
  4. Issuer: Custom URL

Sign-in Widget with IDP Discovery with custom redirect

One great feature of Okta for B2B use cases is to enable business partners to bring their own IdP (Bring-Your-Own-Identity). To enable a great user experience, it is necessary to use Okta's routing rules feature, to automatically detect which IdP the user belongs to. The sign-in widget allows you to use this functionality in custom built portals. This requires proper setup with the right redirect after final authentication in the target IdP. 


Additional prerequisites:

Example of a routing rule: 


In this section we will set up the routing feature and the custom hosted sign-in widget and configure the redirect routes. Your  configuration for the sign-in widget in the file common/views/custom-login.mustache is currently:

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}',  // e.g. https://dev-1234.oktapreview.com
     });


To enable routing rules, you just need to enable this feature:

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}', 
       features: {
         idpDiscovery: true
       }
     });


After restarting the sample application, your sign-in widget will look like this: 

As you probably noticed, the password field disappeared. This is necessary, because the user probably doesn't have a password for Okta, but only in the target IdP. 


If you are now using this feature to login, you will not be redirected to your NodeJS example application. Instead, the browser will show you the End User Dashboard from Okta. To have a proper redirect back to your application, you need to configure the “requestContext” option as shown below: 

     const signIn = new OktaSignIn({
       baseUrl: '{{{baseUrl}}}',  // e.g. https://dev-1234.oktapreview.com
       features: {
         idpDiscovery: true
       },
       idpDiscovery:{
         requestContext: 'http://localhost:8080/authorization-code/callback'
       }
     });


The next time, you try to sign-in with an external IdP, your browser will redirect you back to the sample application.

Email verification with custom redirect 

Using Okta to send an email is an easy way to initiate communication with your users. A use case for this is to send out verification emails. In sending emails, Okta doesn't know the context, the user is in that moment. So the target is always Okta's End User Dashboard. Seeing the Dashboard in CIAM use cases can be confusing for the user. So it is best practice to redirect the user automatically to the application after using the link from the Email. 


You can set up your email templates in SettingsEmails & SMSEmail. In this example we will change the template for Registration - Activation

In this example, the standard HTML code for the link will look like this: 

             <tbody>
               <tr>
                 <td style="padding-top:24px;vertical-align:bottom"> Hi $StringTool.escapeHtml($user.profile.firstName), </td>
               </tr>
               <tr>
                 <td style="padding-top:24px"> Welcome to $instanceDisplayName! </td>
               </tr>
               <tr>
                 <td style="padding-top:24px"> To verify your email address and activate your account, <br /> please click the following link: </td>
               </tr>
               <tr>
                 <td align="center">
                   <table border="0" cellpadding="0" cellspacing="0" valign="top">
                     <tbody>
                       <tr>
                         <td align="center" style="height:39px;padding-top:24px;padding-bottom:8px"><a id="registration-activation-link" href="$registrationActivationLink" style="text-decoration:none"><span style="padding:9px 32px 7px 31px;border:1px solid;text-align:center;cursor:pointer;color:#fff;border-radius:3px;background-color:#44bc98;border-color:#328c71 #328c71 #2f856b;box-shadow:#d8d8d8 0 1px 0">Activate Account</span></a> </td>
                       </tr>
                     </tbody>
                   </table>
                 </td>
               </tr>
             </tbody>


Or specifically the button: 

<td align="center" style="height:39px;padding-top:24px;padding-bottom:8px"><a id="registration-activation-link" href="$registrationActivationLink" style="text-decoration:none"><span style="padding:9px 32px 7px 31px;border:1px solid;text-align:center;cursor:pointer;color:#fff;border-radius:3px;background-color:#44bc98;border-color:#328c71 #328c71 #2f856b;box-shadow:#d8d8d8 0 1px 0">Activate Account</span></a> </td>


To redirect to your application, add a redirect uri to the link: 

<td align="center" style="height:39px;padding-top:24px;padding-bottom:8px"><a id="registration-activation-link" href="$registrationActivationLink?fromURI=http://localhost:8080/authorization-code/callback" style="text-decoration:none"><span style="padding:9px 32px 7px 31px;border:1px solid;text-align:center;cursor:pointer;color:#fff;border-radius:3px;background-color:#44bc98;border-color:#328c71 #328c71 #2f856b;box-shadow:#d8d8d8 0 1px 0">Activate Account</span></a> </td>


For better visibility, just the href part: 

href="$registrationActivationLink?fromURI=http://localhost:8080/authorization-code/callback"

With the ?fromURI=targetURL part in the link, the user will be automatically redirected to the page http://localhost:8080/authorization-code/callback after using the link from the email.