I changed OAuth2 Login form frontend to backend implementation. OAuth2Login is setup using spring security configuration.
Everything worked in local machine.
But on server it doesn't create Session Cookie anymore. Which, I guess, creates the following exception:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:165) ~[spring-security-oauth2-client-5.1.2.RELEASE.jar!/:5.1.2.RELEASE]
So it wasn't entirely accurate that the session cookie wasn't being set. I think I looked it wrongly in chrome when I was looking it in production. But the cookie was seemed to be reset.
spring:
security:
oauth2:
client:
registration:
google:
redirectUri: https://<youurl>/login/oauth2/code/google
When I added this it created new problem:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_redirect_uri_parameter]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:132) ~[spring-security-oauth2-client-5.1.2.RELEASE.jar!/:5
.1.2.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:186)
This is because redirectUri is HTTPS but google always returns HTTP
So I ended up adding reading a Stack Overflow post and added a OncePerRequestFilter to my project. Since it's google that is sending this over HTTP they must be thinking it's secure. Couldn't find any way to make google send it over HTTPS
Related
I have a Single page web application with consists of the following
Angular 8 Front End
.Net Core Web Api Back End
.Net Core Identity Server Authentication Server
I recently started to see a few warnings in my console which reads - "A cookie associated with a cross-site resource at "" was set without the 'SameSite' attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with 'SameSite=None' and 'Secure'.
So based upon this a did a little bit of research and landed on the following article, which happens to explain everything that is going on in detail.
Explanation of Cookie Issue
I read the article over several times and think I have a grasp of it, but still I am struggling on one simple aspect of it. There is a few areas where they ask you to add some code to your "Project". My question is (being still somewhat of a newbie with Identity Server and its inner workings), is what is the "Project" they are referring to. I am not exactly sure where to put the code they provide in order to fix the issue.
For me its not so obvious on where exactly to put the provided code. I have 2 Visual Studio solutions - one representing my authentication server (Identity Server) and one for my Web Api. Which of these solutions' Startup.cs files do I add the code solution?
If I add it to my Identity Server project, my confusion is that I am not using any "Cookie Based Authentication" so there exists nowhere in my identity server project which I have a place that sets a cookie and I know part of the solution, mentioned in the article, is to add a cookie which is both "Secure" and is set to "Same-Site=None". Where in the project do I create this type of cookie?
One more thing I did notice is that once the cookies are set they are not being deleted when a logout is performed.
Keep in mind that these issues are only occuring on a MacOS running Google Chrome. If I run my application on a Windows PC, I still see the warnings, but I am able to log out and clear all existing cookies
You will get below console warring in Google Chrome and your Identity server failed to redirect to Client that could be React App or Angular App for Chrome version 80.
A cookie associated with a resource at was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
To Fix this , you need to do changes mention in below link -
https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/
NOTE : For .Net Core 2.2 , set SameSite = (SameSiteMode)(-1) , For .Net Core 3.0 or above , set SameSite = SameSiteMode.Unspecified
Also , for Chrome 80 version , add this extra condition -
if ( userAgent.Contains("Chrome/8"))
{
return true;
}
IdentityServer will always create cookie when you login.
You can read more here - http://docs.identityserver.io/en/3.1.0/topics/signin.html
It mean identityserver use cookie to authenticated user
You can configure same site cookie as follow
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie("Cookies", options =>
{
options.Cookie.SameSite = SameSiteMode.Lax;
});
I am trying to configure alfresco 5.0d community to use kerberos and SSO via active directory.
My setup works fine when I login in the alfresco form login page (without SSO),
However, When enabling SSO, I see this exception in the alfresco logfile:
KrbException: KDC cannot accommodate requested option (13)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
After looking at it with wireshark, it seems like the difference in the TGS-REQ message is that when using SSO, there is an option flag called request-anonymous that is enabled. This causes the KDC to answer with a KDC_ERR_BADOPTION message.
Is there a way to configure kerberos to not set the request-anonymous flag?
Or alternitavely, is there a way to tell the KDC server to deal with it properly?
I am working on a Symfony2 app. I'm using FOSUserBundle to handle authentication and recently integrated it with FOSUserBundle using this tutorial: https://gist.github.com/danvbe/4476697 .
The problem is:
I can login using the google api on localhost and everything works fine.
However when I try to login on a real server I get:
Error: invalid_request
device_id and device_name are required for private IP: http://<server_ip>/login/check-google
Request details:
response_type=code
scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
redirect_uri=http://<server_ip>/login/check-google
client_id=<my_id>
Google documents don't mention these two parameters. I tried to manually send a request with device_id being a UUID and device_name set to "notes". The response I get this time is:
Error: invalid_request
Device info can be set only for native apps.
Request details:
cookie_policy_enforce=false
response_type=code
device_name=notes
scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
redirect_uri=http://<server_ip>/login/check-google
device_id=4b3403665fea6
client_id=<my_id>
Now, what am I doing wrong?
Google will not accept a local (private) IP address when doing Oauth or API calls. My workaround was to add an entry in my Windows hosts file for the local IP:
\Windows\System32\drivers\etc
192.168.1.2 fakedomain.com
then register it with Google in their dev console. That appears as a "real" domain to them, but will still resolve in your browser or code to the local IP. I'm sure a similar approach on Mac or Linux would also work.
It really looks like your using the wrong flavor of oauth. device_id is used with Devices. I would really expect you to be using the WebServer flow. You may need one of the other flows as I don't see enough detail here to judge, but they all can be found at the links.
I am applying this tutorial into symfony 2.4, I've finished the setup in the config.yml and everything, I managed to visit the admin/google/analytics page, but the problem is when I tried to authenticate with the parameters I've created in the config.yml file, it is searching for the scope, here is the parameters.
happy_r_google_analytics:
host: www.example.com
profile_id: MyProfileId
tracker_id: UA-TRACKER-ID
token_file_path: %kernel.root_dir%/var/storage
happy_r_google_api:
application_name: Project Default Service Account
oauth2_client_id: OAuthClientID
oauth2_client_secret: OAuthClientSecret
oauth2_redirect_uri: http://www.example.com/app_local.php/admin/google/analytics/oauth2callback
developer_key: DevelopperKey
site_name: http://www.example.com
I think there's no problem here, I've got no idea where I can set the scope so the google Api client can set it to https://www.googleapis.com/auth/analytics.readonly
You need to define a scope. If you use Google Auth, check Authorization scopes for it.
You must do something like:
$googleClient = new \Google_Client();
$googleClient->setScopes(array(
'https://www.googleapis.com/auth/plus.me',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile',
));
I would like to get a list of meetings on the server however when i do a https://example.com/api/xml?action=report-bulk-objects&filter-type=meeting replacing the domain with my connect domain i get an access denied response. I am signed in to the connect work space and I am in the admin group. What could be the cause of this?
response:
<results>
<status code="no-access" subcode="denied"/>
</results>
This should work if you're in the admin group, logged in, and submitting the request from the same browser that's logged in. You might try adding the session parameter to your request ("&session=breez123abc456def")
The value of the parameter must be that of the BREEZESESSION cookie set by the Connect server on your authenticated session. One of several ways to discover that is with the common-info API method: https://connect.example.com/api/xml?action=common-info It'll be in the /results/common/cookie element.
If this still isn't working, check the debug.log on the server(s) for the failing request; there should be additional information there.