Instructions for

Sign in with Facebook

Note: In proxy model architectures, where a server-side app using the embedded SDK is used as a proxy between client apps and Okta servers, a request context for the client apps is required. The expectation is that security enforcement is based on the client request context's IP address and user agent.

However, since these values are currently derived from the server app rather than the client, this enforcement isn't available. As a result, network zones or behaviors that drive their conditions based on these request context values (geolocation, IP Address, or user agent) won't work until a solution to the issue is found.

This guide covers a sequence of steps that you can follow to build an app that allows users to sign in with the Facebook social Identity Provider.

Learning outcomes

Configure your Okta org to use Facebook as an Identity Provider.
Challenge a user's identity using Facebook.

What you need

An app that uses the embedded Identity Engine SDK
Okta org already set up for a social IdP use case
Identity Engine SDK set up for your own app

Sample code

Configuration updates

Before you build the Facebook IdP sign-in flow, ensure that you've completed the following steps:

Summary of steps

Integration steps

The user goes to the home page

When the user goes to the home page and the app loads, create an SDK client object by calling the NewClient() method.

idx, err := idx.NewClient(
      c.Okta.IDX.ClientID,
      c.Okta.IDX.ClientSecret,
      c.Okta.IDX.Issuer,
      c.Okta.IDX.Scopes,
      c.Okta.IDX.RedirectURI)
if err != nil {
    log.Fatalf("new client error: %+v", err)
}

Build a sign-in page that captures both the user's name and password, similar to the following wireframe.

A sign-in form with fields for username and password and a next button

During page load, call the Client object's InitLogin() method. This method returns an object of type LoginResponse that is used to initiate the sign-in process with Okta. The object also contains a list of available social Identity Providers (IdPs) that is discussed in more detail in the next step.

lr, err := s.idxClient.InitLogin(context.TODO())
if err != nil {
   log.Fatalf("Could not initalize login: %s", err.Error())
}

Get the available list of Identity Providers

Using the LoginResponse object, returned from InitLogin(), get the available Identity Providers from its IdentityProviders property.

idps := lr.IdentityProviders()
s.ViewData["IDPs"] = idps
s.ViewData["IdpCount"] = func() int {
  return len(idps)
}

Use the array of IdentityProvider objects to show a list of available Identity Providers on the sign-in page. The following code snippet shows how the sample app builds out links for each available Identity Provider.

{{ range .IDPs }}
<div>
  <a href="{{ .URL }}" >
    <span class="sr-only">Sign in with {{ .Name }}</span>
    {{ if eq .Type "FACEBOOK" }}
    <svg class="w-5 h-5" fill="currentColor" viewBox="0 0 20 20" aria-hidden="true">
      <path fill-rule="evenodd" d="M20 ..." clip-rule="evenodd" />
    </svg>
    {{ end }}
    <span class="px-4">{{ .Name }}</span>
  </a>
</div>
{{ end }}

The following wireframe includes Facebook and Google IdP sign-in options.

When the user clicks the Facebook IdP link, they’re sent to the Okta org using the link provided in the IdentityProvider object's HRef property. At the Org, the request gets routed to Facebook for user sign-in. You don't need to implement any code changes to perform this step.

The user signs in with Facebook

When the user clicks the sign-in link, the browser redirects them to a sign-in page hosted by Facebook. To test this step, use the Facebook test user credentials that you configured in Set up your Okta org for a social IdP use case. You don't need to make any code changes in your app to perform this step.

Facebook redirects the user to your Okta org

After the user successfully signs in, Facebook routes them to the Valid OAuth Redirect URIs and Site URL previously set in Set up your Okta org for a social IdP use case. The values use the following format: https://{Okta org domain}/oauth2/v1/authorize/callback (for example, https://dev-12345678.okta.com/oauth2/v1/authorize/callback).

Store the tokens when Okta redirects the request to your app

Facebook sends the successful login request to your Okta org. The org then redirects the request to the app's Sign-in redirect URIs field, which was configured in Create a new application.

The value for the sample app is http://localhost:8000/login/callback.

The following code wires up the callback URL to a handleLoginCallback() function.

r.HandleFunc("/login/callback", s.handleLoginCallback).Methods("GET")

The handleLoginCallback() function handles the callback and stores the incoming tokens into the session state.

func (s *Server) handleLoginCallback(w http.ResponseWriter, r *http.Request) {
  clr, _ := s.cache.Get("loginResponse")
  s.cache.Delete("loginResponse")
  lr := clr.(*idx.LoginResponse)

 //Get session store so we can store our tokens
  session, err := sessionStore.Get(r, "direct-auth")
  if err != nil {
 //Error condition
  }

  lr, err = lr.WhereAmI(context.TODO())
  if err != nil {
 //Error condition
  }

 //If we have tokens we have success, so lets store tokens
  if lr.Token() != nil {
    session.Values["access_token"] = lr.Token().AccessToken
    session.Values["id_token"] = lr.Token().IDToken
    err = session.Save(r, w)
    if err != nil {
 //Error condition
    }
  } else {
 //Error condition
  }
 //Redirect the user to /profile
  http.Redirect(w, r, "/", http.StatusFound)
}

(Optional) Get the user profile information

Optionally, you can obtain basic user information after the user successfully signs in by making a request to the Okta OpenID Connect authorization server. See Get the user profile information for more information.

Edit This Page On GitHub