My web application using OpenID Connect provider (Keycloak) to authenticate my users. Application is built as Angular application using express.js server.
I'm trying to implement functionality to enable logout users when session on Keycloak ends. To provide session checking i'm using check_session_iframe (https://openid.net/specs/openid-connect-session-1_0.html).
My application successfully embedd iframe and communicate using messages, but always return "changed" message. Reason is that iframe cookies from Keycloak are filtered and browser has not information about Keycloak session.
Why cookies for iframe are filtered?
Related
We have a blazor webassembly hosted application (SPA) and we need to implement authentication using Azure Active Directory.
The Documentation explains how to do that using JWT bearer tokens.
The problem is that we need cookie authentication, not JWT.
Ideally we would have the following authentication process :
When the user hits the application url, (s)he is redirected to the login/consent page.
Once credentials entered, an authentication cookie is generated.
The cookie would then be accessible to the SPA and subsequent queries to the host/server would all be authenticated.
Is there a way to achieve that and how ?
Notes:
I'm no OAuth/OpenId guru
The real problem we're trying to solve behind is that we need to share the authentication context between two applications (this blazor application and another .NET Framework legacy application). The Legacy application already uses cookie authentication. We need the authentication process to be "transparent", so that when a user is authenticated in one of them, (s)he doesn't need to authenticate again in the second.
I have this legacy intranet app using an AngularJS SPA consuming an an ASP.NET Web API (on .NET 4.6.1) and I can't manage to get the user authenticated on the domain inside the API, when calls are made by AngularJs.
Inside the API I have situations where I need to get the domain authenticated user. I have tried several combinations inside IIS to set both the AngularJS app and the API with Windows authentication, Impersonation, Authorization Rules. I've read several questions in Stackoverflow and other forums and also searched through several articles but I can't manage to find a solution, I'm feeling helpless in this one.
When I make a direct call to the API using a tool like Postman or through Swagger, System.Web.HttpContext.Current.Request.LogonUserIdentity.Name shows the correct authenticated user.
When I make the very same call to the API but through the client, like loading a page that requests data from the API, the user shown in LogonUserIdentity, is the one set on the app pool.
The authentication between the client and the API uses bearer token.
Here's my current scenario:
IIS:
Windows authentication enabled for both the client and the API, Impersonation enabled for both the client and the API
Authorization rules for ASP.NET and IIS set with allow all users for both Client and API
Session state in-proc, using cookies and with UseHostingIdentity set to false on both Client and API
Both the client and the API are using the same AppPool, with integrated Pipeline, .NET CLR v4.0,
If there's more info to supply please let me know, I'll update the question with the required info.
I have a web SPA that currently connects to a Rails backend, authentication handled via auth0. We have a new server that has some endpoints that the SPA needs to connect to. What is an elegant way of authenticating against both servers considering I have auth0 implemented in the SPA and the legacy server already? Is there some way to pass the authenticated token back to the new server from the legacy server? Or do I just authenticate against both servers when logging in as a user on the SPA? The user db sits in a separate db, shared by both servers.
If the credentials are stored in your database, then use an Auth0 Custom DB Connection to authenticate against Auth0 from your SPA. Auth0 has quickstart samples for all the popular SPA frameworks / libraries (angular 1.x, 2+, React.js etc). You authenticate against Auth0 (not the legacy or new server). As a result, you receive a (JWT) ID Token and a (JWT) Access Token. It is the Access Token you send from your SPA to each of of your Servers for the purpose of making Authorized requests. Your Server (legacy and new) should be secured to verify the JWT Access Token as valid and optionally check the scope attributes match the request endpoint. That's all that is required. The Auth0 documentation covers all this, and there are samples too that demonstrate how to set this up.
I have an API proxy that do the rest of my business login, identityserver for authorization and Android Client.
I using implicit flow with the android client.
I request an access token from idsrv then make a request including this token to contact with the api and every things works correctly.
Now i want an API or any way to register new user instead of the default web page so i can use this APIs to create new users from my proxy or from my android app.
What is the better way to do that?
This is, by design, out of the scope of IdentityServer. You can build your own API that can update the user database for user provisioning.
I have an Adobe AIR/FLEX app packaged as a native installer application running on the desktop. From there, I need to do the following:
a) stay in the "app:" application sandbox so I can load "file://" JPGs into my mx:HTML control
b) authenticate with my server (CAKEPHP) to get a valid CAKEPHP Session Cookie, and
c) securely GET/POST XHR requests from javascript.
Can I authenticate using something like OAUTH or Facebook Connect without losing the application sandbox? It seems if I redirect from my mx:HTML, I lose my local privileges.
Can I authenticate with my server using a different sandbox (remote?) and safely pass the Session Cookie to my application sandbox?
Are either of these methods safe against scripting attacks?
Can I authenticate using something like OAUTH or Facebook Connect without losing the application sandbox? It seems if I redirect from my mx:HTML, I lose my local privileges.
Can I authenticate with my server using a different sandbox (remote?) and safely pass the Session Cookie to my application sandbox?
I don't know Air/FLEX but certainly you can integrate OpenID / OAUTH / Facebook Connect into your cake application's registration / login screen with no problems, and then use it to authenticate your users.
I wouldn't redirect, rather use post/get methods to send login data to the cake application (users/login), ensure there's no views/layouts being rendered for login() and return the user session data (json_encode the $this->Auth->user).
Are either of these methods safe against scripting attacks?
They can be if you ensure the login() function is only reachable by the application, perhaps send a unique identifier, encrypt the data (via SSL or just serialize it). Also put in standard checks for XSS, methods to delay bruteforce and cake actually has some good sanitize methods for dealing with injectons (usually enabled by default).