So I was asked to add OKTA authentication to FusionPBX/CoolPBX. Yes! Why not? I have seen more than one customer using OKTA.
The first thing we need to demystify is what OKTA is. OKTA is many things, but for the purposes of this article, OKTA is an OpenID implementation (OpenID Connect, to be precise), and a very popular one. You also need to know that you can't talk about OpenID without talking about OAuth. Yes, it is a little confusing, so I highly recommend watching the following video.
Besides the excellent information flow this video shows, there is another piece of information worth mentioning:
- OpenID is for identification and authentication, and
- OAuth is for authorization.
First Reading and The Sample Code
There is this article https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth that claims you will be able to add OKTA authentication to any PHP code. So, why is this so catchy? Well, if you have googled it, you know that OKTA (the company) doesn't provide any PHP SDK for developers!
This article has some important parts. You must create an OpenID OKTA application; I won't describe how to do that, as that document explains it in detail. However, the source code that used to work in 2018 won't run anymore in 2024: OKTA has changed. I have forked it and made some modifications:
- The metadata URL in the original code is wrong. It is right if you only want authorization, but since we are interested in identification and authentication we use a different one. In my case it was https://COMPANY.okta.com/.well-known/openid-configuration.
- The code fails to specify the POST method.
- There is no way to trace the error, so I added several syslog traces. They help when debugging, because pressing Ctrl+U to see the page source creates another request, which fails with a different error.
There are also https://oidcdebugger.com/ and https://oauthdebugger.com/, which I didn't get to use, but they are recommended for understanding how OpenID and OAuth work.
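To make the three fixes above concrete, here is an added example of the whole login round trip in plain PHP. It is not the code from the Okta blog post, nor my fork, nor anything from FusionPBX; it assumes an Okta org authorization server as issuer and uses placeholder constants (COMPANY, YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, the redirect URI) that you must replace with the values from your own OKTA application. It reads the OpenID discovery document, sends the token request as a POST, and writes syslog traces at every step that can fail, so you never have to reload the page to find out what went wrong.

```php
<?php
// Added example (not the Okta blog's code, not FusionPBX's): minimal OpenID Connect
// authorization-code login against Okta with discovery, an explicit POST to the
// token endpoint, and syslog traces for debugging.
// Placeholders to replace for your tenant (assumptions, not real values):
const ISSUER        = 'https://COMPANY.okta.com';          // org authorization server
const CLIENT_ID     = 'YOUR_CLIENT_ID';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
const REDIRECT_URI  = 'https://pbx.example.com/oidc_callback.php';

openlog('oidc-login', LOG_PID, LOG_AUTH);
session_start();

// 1. Discovery: the *OpenID* metadata document. Unlike the plain OAuth metadata it also
//    lists userinfo_endpoint and jwks_uri next to the authorize/token endpoints.
function discover(string $issuer): array {
    $json = @file_get_contents($issuer . '/.well-known/openid-configuration');
    if ($json === false) {
        syslog(LOG_ERR, 'discovery failed for ' . $issuer);
        exit('discovery failed');
    }
    return json_decode($json, true);
}
$meta = discover(ISSUER);

if (!isset($_GET['code'])) {
    // 2. Start login: random state (anti-CSRF) and nonce (anti-replay) bound to this session.
    $_SESSION['oidc_state'] = bin2hex(random_bytes(16));
    $_SESSION['oidc_nonce'] = bin2hex(random_bytes(16));
    $params = [
        'client_id'     => CLIENT_ID,
        'response_type' => 'code',
        'scope'         => 'openid profile email',
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $_SESSION['oidc_state'],
        'nonce'         => $_SESSION['oidc_nonce'],
    ];
    syslog(LOG_INFO, 'redirecting to authorization endpoint');
    header('Location: ' . $meta['authorization_endpoint'] . '?' . http_build_query($params));
    exit;
}

// 3. Callback: refuse any response whose state does not match the one we stored.
if (!isset($_GET['state'], $_SESSION['oidc_state'])
    || !hash_equals($_SESSION['oidc_state'], $_GET['state'])) {
    syslog(LOG_WARNING, 'state mismatch on callback');
    http_response_code(400);
    exit('invalid state');
}
unset($_SESSION['oidc_state']);

// 4. Exchange the code for tokens. This must be a POST with a form-encoded body;
//    leaving the method unspecified is the bug the article mentions.
$ch = curl_init($meta['token_endpoint']);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_USERPWD        => CLIENT_ID . ':' . CLIENT_SECRET,   // client_secret_basic
    CURLOPT_POSTFIELDS     => http_build_query([
        'grant_type'   => 'authorization_code',
        'code'         => $_GET['code'],
        'redirect_uri' => REDIRECT_URI,
    ]),
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($body === false || $status !== 200) {
    syslog(LOG_ERR, 'token endpoint returned HTTP ' . $status . ': ' . substr((string) $body, 0, 200));
    exit('token exchange failed');
}
$tokens = json_decode($body, true);

// 5. Read the ID token claims. Because the token came straight from the token endpoint
//    over TLS, OIDC Core 3.1.3.7 allows TLS server authentication in place of the JWS
//    signature check, but issuer, audience, expiry and nonce must still be validated.
//    (Okta sets 'aud' to the client_id as a plain string.)
$claims = json_decode(base64_decode(strtr(explode('.', $tokens['id_token'])[1], '-_', '+/')), true);
if (($claims['iss'] ?? '') !== ISSUER || ($claims['aud'] ?? '') !== CLIENT_ID
    || ($claims['exp'] ?? 0) < time()
    || !hash_equals($_SESSION['oidc_nonce'] ?? '', $claims['nonce'] ?? '')) {
    syslog(LOG_WARNING, 'id_token claim check failed for sub=' . ($claims['sub'] ?? '?'));
    exit('invalid id_token');
}
unset($_SESSION['oidc_nonce']);

// 6. Success: this is the point where a server-side authentication plugin would
//    populate its $_SESSION[] variables.
session_regenerate_id(true);
$_SESSION['user'] = ['sub' => $claims['sub'], 'email' => $claims['email'] ?? null];
syslog(LOG_INFO, 'login ok for ' . $claims['sub']);
echo 'Logged in as ' . htmlspecialchars($claims['email'] ?? $claims['sub']);
```

Drop the file at the path registered as the redirect URI and open it in a browser: the first visit redirects to Okta, the callback visit completes the exchange. Every failure path writes to syslog (facility auth), so `journalctl -t oidc-login` or the auth log shows exactly which of the six steps failed without re-issuing the request.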
So, here is what it looks like after pressing the Log-In link.
Next Step
So, the next step is moving this working piece of software into FusionPBX/CoolPBX. The challenge here is to make it coexist with the current authentication scheme that comes from the original FusionPBX code.
An oversimplified explanation of how authentication in FusionPBX/CoolPBX works: the authentication code works with plugins. Each plugin does 100% server-side authentication, and when the authentication is successful, it injects some $_SESSION[] variables.
This is a problem, as OpenID requires a callback: the identity provider sends the browser back to the application, so the login does not complete within a single server-side call.
I will keep you posted and make the announcement when this is ready.
Good Luck!