How to Implement Google SSO in a Shiny Proxy application

I have a Shiny Proxy application that runs on a domain, let's say A.com, and then I have an express application that runs on B.com.
I created Google OAuth 2.0 client credentials for the app and added the following in application.yml:
proxy:
  ...
  ...
  authentication: openid
  openid:
    auth-url: https://accounts.google.com/o/oauth2/v2/auth
    token-url: https://www.googleapis.com/oauth2/v4/token
    jwks-url: https://www.googleapis.com/oauth2/v3/certs
    client-id: <CLIENT_ID>
    client-secret: <CLIENT_SECRET>
  ...
  ...
I can successfully log in with Google into my Shiny Proxy application with this, and I have also set up the express application with passport-google-oidc and can successfully log in to it with Google.
Now I am extremely puzzled about how I can implement SSO between them. How is this possible with Shiny Proxy and Express.js? Is it possible?

Related

Google Cloud IAP: How to access App Engine API (protected by IAP) from a web application hosted on a separate Firebase project?

This is my setup:
Multiple Python APIs hosted on App Engine.
An Angular client application hosted on Firebase. Users accessing the web application are authenticated by Firebase Auth.
When trying to send requests to the APIs hosted on App Engine from the application, an error is encountered:
401 Unauthorized: Invalid IAP credentials: empty token
I tried following multiple online articles, but there were a few problems I discovered:
The Firebase web application and the App Engine APIs are on separate Google Cloud projects.
The majority of solutions have the web application itself deployed on App Engine, and hence the OAuth process for authenticating end users is pretty straightforward. My project uses Firebase Authentication to allow users to access my Firebase-hosted web app, completely disconnected from IAP.
Is there any way I can use a service account to programmatically authenticate my Firebase web app as a secure IAP user and access the APIs?
Haven't tried this...
You can programmatically make calls to an IAP-secured endpoint using an OIDC token. See the documentation.
So maybe your flow should be:
a) Users log in to your Firebase app (follow whatever authentication method you like).
b) Then you programmatically make calls to the IAP app (following the link above) on behalf of the users.

How to redirect Microsoft Identity authentication to application proxy URL rather than internal URL

I recently installed the Azure AD Application Proxy connector on my company's internal server using Microsoft's tutorial. I have a Blazor application configured to use Azure AD authentication set up on this server, using all the default Microsoft Identity authentication code generated when initially creating the Blazor app; all I did was fill out the app settings for my tenant/client IDs. I have configured the Enterprise Application within Azure for this app to use the newly created application proxy with the pre-authentication set to passthrough. For simplicity's sake, let's say my internal URL for my web app is "myapp.domain.local" and my external URL (which is the default msappproxy URL) is "myapp-company.msappproxy.net". I have also configured the authentication section of the App Registration to use the following redirect URIs (my app's callback path is /signin-oidc):
https://myapp.domain.local/signin-oidc
https://myapp-company.msappproxy.net/signin-oidc
The problem I am encountering is when I try to access my app from the browser using the app proxy URL (myapp-company.msappproxy.net), the authentication configured on the app (not the pre-authentication for the app proxy) seems to be redirecting back to the internal URL (myapp.domain.local), rather than using the proxy URL that I had originally used to access the web app. Obviously this will not work when connected to a device off of our internal network. I do not want to disable authentication within my app and enable Azure AD authentication for the pre-authentication of the application proxy. I simply want the app's authentication to redirect to the app proxy's URL instead. Is there any way to achieve this?
To enable Application Proxy on your app service, you should be a Global Administrator.
Open the Azure Portal > click on Azure Active Directory > select Application Proxy > click on Yes to enable it.
Configure the application proxy connector by downloading and installing it. During the installation, it asks for Azure login details. Provide an account which has Azure global admin privileges.
To publish the application: go to Azure AD > Enterprise Applications > click on New Application > All > On-premises application, and provide the configuration data for that application in that window like below:
After adding the information, click on Add and Publish.
Add users and assign them access to it.
After logging in to it, the application shows like this:
For more information, refer here and to how to access the web apps via application proxy.

OpenID Connect session state integration

My web application uses an OpenID Connect provider (Keycloak) to authenticate my users. The application is built as an Angular application using an express.js server.
I'm trying to implement functionality to log users out when the session on Keycloak ends. To provide session checking I'm using check_session_iframe (https://openid.net/specs/openid-connect-session-1_0.html).
My application successfully embeds the iframe and communicates using messages, but it always returns a "changed" message. The reason is that the iframe cookies from Keycloak are filtered and the browser has no information about the Keycloak session.
Why are cookies for the iframe filtered?

Keycloak realm client users authenticating in another Keycloak realm containing client apps

Hi Keycloak devs and gurus,
I wanted to set up Keycloak, using openid-connect with 2 realms,
where realm1 will contain the client application(s)
and realm2 contains the users.
The users will then access the client applications in realm1 by authenticating through realm2.
I found this link --> idp initiated sso using keycloak, but it is implemented based on SAML, not on openid-connect.
Your help will be much appreciated.
I think that you can set up realm2 as a Keycloak OIDC IdP and connect realm2 to realm1 (by creating an IdP in realm1). Then configure the IdP redirector in the browser authentication flow to automatically redirect to realm2.

Enable cross domain integrated windows authentication

I have a web application (say app1) which is hosted in an IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not supply me with Windows credentials.
This application sends me an HTTP request in a specific format.
I need to validate the request and redirect it to app1 with valid Windows credentials so that it logs in smoothly.
I have created another application for this purpose.
This is hosted on a separate virtual directory.
It has IIS anonymous and ASP.NET anonymous authentication enabled.
The pseudocode is as follows:
app2:
    parse request
    if request successful:
        get windows credentials
        get identity using credentials
        response.redirect(app1.aspx)
But app1 authentication fails; IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1?
How can I trace the authentication failure at IIS and ASP.NET?
To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.