I'm trying to set up Keycloak on a Linux server in order to prepare an OAuth2 server to make account linking available for my Alexa Skill.
My problem is this:
After a successful login, Keycloak redirects the request to an Amazon server with this link:
https://skills-store.amazon.co.uk/api/skill/link/M3FC1DYEAOGRP4?code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..XDTXJ_GzoEs06ELehNLRhA.njBRnNSp0-nJN1sz9-jt-x6dWVdfIANQVfoKJsiJAYry3yW9fSNS46H5Daji-C8oY-lPQSTl_oiPbWOLmsfN5J5y5BOxlWPPBLkudyyNQj1bznmiz_flabn0JiTsqcy4V5cb07E0wgO4GBYDPh1JxMBzv1jY-8zHJFjWZ_aHJ_HN2ADSJywksp9TQlfsVFM2DoPFr-3hzerjHxJmje8AHhh3fl_hm1L8YLwZ81JxAyYbRX06vL4dDC1We0fJ1Gau.zXXS_02gcqqy7GAMt4HPNA
&state=A2SAAEAEKGYeJWc5-LPQwpOBdADVIkB4LaRW5zez4dbd6yYW8ZZNyXA_ujSlkPoxLvi-QzwydlEcAgR0Y70aJ7DuNr-vTbbowBpZzCbBzk2wfaHOa980SNhuckEERT6slAVbZ5eVKd7sLaVQ-K3qwHwUzSRRVa32Wnu__i9vMrqBhZE6rBqZjmkKvh3BwKGk2EloEc2sg64b4TQyFm8qsUmfGowSL2cKu4jYwq-utIoczJXEXg6w1Dh5wUYc3hH6b505z9Xhlw3PL7BatTRpCzX7VNq9D1gX60xWkicl2x3q5HTmSV2rviYgA1s_bEGYrv95mYxi57S1Zi4v3xGmNVn4Yt-YGJIVXRPa6wKalHedIOTDEYTunmHsmVI_EoMhx7ReJh9Ur-k1c6D3o6ul4Xmk7ue1KuU3t69aS1CEWopFTjiGHticFYOuYogvbScCgbt8Gg21o9PsL-EL0jxuH4-Zc7gjdBL_pDZCAMlVk6IOMLkMW2GQTp8rzvT7Bi-ATVvINWlS5AesggTpJH7Itm-HJsRib8DmQTd5_RL4VR7l25nLdzDdx8FA4kpESH2Rfr21hE9UM9NcBRG4T7uysvhvDzlKFMa
I understood that my problem is in the &code= format.
Amazon is waiting for the application secret (36 length string), but instead it is encrypted by default in Keycloak.
Is there a way to edit this behavior in Keycloak admin console?
Thank you
Edit:
Keycloak version is 4.0.0 Final standalone
To follow the Keycloak client configuration images:
That's the Amazon Skill configuration for account linking:
And these are the Keycloak client configurations:
In the end, that's the issue:
When I click on the account linking link from the skill, I correctly go to the login page
but then the skill is never activated:
The study of this issue brought me to the UPS Skill, and using the Chrome developer console I noticed that the code parameter given to the pitangui URL is a 36 digit string.
So, at this point I think that Amazon requires the plain secret as code, even if I'm not certain of this.
So my question is whether there's a way to edit Keycloak's behavior without changing the Keycloak source code.
Thank you
Related
I need assistance with a company website I'm working on that should be linked up with Azure Active Directory. I have read those Azure Active Directory Docs. Our cloud team have already set up Azure Active Directory on the Azure Portal, and when users including myself try to access the page they are brought to a Microsoft Login Page. Our cloud team have fulfilled Step 1 of registering our app on Azure. And this process of logging into Microsoft fulfills Step 2 of Authorization. The problem here is that although the users are able to sign in through Azure Active Directory, once they sign in and come back to the webpage, we are unable to get the code that Azure generates.
This example Authorize link from the docs shows me the correct process for authorization.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
This link will send you to Microsoft Login page and then after you sign in, it will redirect to the specified redirect_url and it will provide the code in the query parameters. I can see it in the URL bar.
My company's app authentication currently doesn't work like this. We are able to have the user sign in and get redirected back to our page. But the redirect_url for our app is www.ourwebsite.azuresites.com/.auth/login/aad/callback. I haven't seen this in any other examples, and I'm not sure if this is calling an Azure Active Directory specific callback through this endpoint or if somehow the app server should be handling this.
I can see through Chrome Dev Tools that when this happens it is sending a POST request to www.ourwebsite.azuresites.com/.auth/login/aad/callback, and I can see the payload contains the code that I need, but the webpage redirects immediately after that request. I have tried to set up a controller with our .Net ASP.NET backend to handle paths from /.auth/login/aad/callback by trying to send a string response back, but it doesn't appear that that works.
My major question is: does the URL www.ourwebsite.azuresites.com/.auth/login/aad/callback call an Azure-specific callback function that our app can't interact with? Or is it sending a POST request to our server that we should be handling?
After we get this code we will be able to follow the rest of the authentication process.
This picture shows the initial callback call after a user logs into the Microsoft Login page and gets redirected to www.ourwebsite.azuresites.com/.auth/login/aad/callback. I can see in the dev tools that this POST request contains the code.
I'm thinking that it's probably something we need to handle on the server especially since it's a post request. Regardless, any help would be appreciated!
I am using Business Central SaaS. In Visual Studio Code, I can run "Download Symbols" to download the Application and System app shipped by Microsoft. I now want to do this outside of Visual Studio Code within a GitHub workflow. In VS Code, I can see that the URL looks like this:
GET https://api.businesscentral.dynamics.com/v2.0/Dev/dev/packages?publisher=Microsoft&appName=Application&versionText=18.0.0.0
I use an HTTP client to test the URL, but I always get an HTTP 401 Unauthorized as response. I tried the following credentials:
bcuser | bcpassword
bcuser | Web Service Access Key
The user I am testing this with is a SUPER user on the sandbox. It is the same user I use when I download symbols within VS Code. I tested it with and without domain name.
Any ideas what I am doing wrong?
You have to add the Tenant-Id in the URL and also have to use oauth.
https://api.businesscentral.dynamics.com/v2.0/<your tenant id>/sandbox/dev/packages?publisher=Microsoft&appName=Application&versionText=18.0.0.0
See Postman Screenshot of GET Request
See Postman Screenshot of Auth
JenKoc's answer put me on the right track. I had to add the Tenant-ID to the URL. Downloading Symbols does work with Basic Auth. This is how it works:
Get Credentials from Business Central's User page. If the Web Service Access Key is empty, just click on the three dots and create a new one.
Create an HTTP GET Request with Basic Auth
User: <User Name>
Password: <Web Service Access Key>
URL:
https://api.businesscentral.dynamics.com/v2.0/<tenant-id>/<sandboxname>/dev/packages?publisher=Microsoft&appName=Application&versionText=18.0.0.0
I am using facebook SDK. I am getting the following error:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
After studying, I came to know that I have to set 'Enforce HTTPS' as NO under 'Facebook Login > Settings'. But I can not set Enforce HTTPS as NO. Is this problem mine? Or does Facebook restrict me to using https instead of http?
Enable Client OAuth Login and write "localhost:3000" in Valid OAuth Redirect URIs.
Save changes. It will automatically change to https://localhost:3000, but it doesn't matter...
And set Status: In Development (THIS IS IMPORTANT!)
Then it will work in your http localhost.
But I can not set Enforce HTTPS as NO. Is this problem mine?
https://developers.facebook.com/docs/facebook-login/security:
Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019.
Sounds to me like they don’t want you to be able to even start without HTTPS when you are creating a new app now.
Plus, Chrome has recently announced that they will mark all HTTP sites as insecure soon, from version 68 on, that will be released in July 2018. So you’re gonna have to go HTTPS rather sooner than later anyway.
The “big players” of the industry are currently pushing for this big time, whether we want it or not.
If you just enable Client OAuth Login and write just localhost:{port} to Valid OAuth Redirect URIs, it will work.
If you're developing locally with create-react-app, a quick solution is to add
HTTPS=true
to your .env file and just comment it out when you're not testing Facebook login.
It seems like Business apps do not have app modes and instead rely exclusively on access levels. Because of this, you can't set the app to the "Development mode".
All newly created apps start out in Development mode and you should avoid changing it until you have completed all development and testing.
https://developers.facebook.com/docs/development/build-and-test/
https://developers.facebook.com/docs/development/build-and-test/app-modes
However, if you wanna try out your app in a localhost, you need to create a test app, like you can check out in this thread:
How to fix 'Facebook has detected MyApp isn't using a secure connection to transfer information.' error in Laravel
I'm trying to build a login page for my Shiny application, using the auth0 services, nginx, node.js and the git repo github.com:auth0/shiny-auth0.git.
You can find the full tutorial here
Everything works fine, except for the fact that I can't login using a valid username/password combination (made within the auth0 webpage). It is possible though to login using for example your Google account (it's redirected to Shiny application, as expected).
The generic error message I get is stating WE COULD NOT REACH THE SERVER. PLEASE CHECK YOUR CONNECTION AND TRY AGAIN.
I can't find any working solutions in the documentation, or on the forum of Auth0. Did anyone experience similar problems, using Auth0, possibly in combination with Ubuntu 16.04, Node.js, R Shiny and Nginx and found a solution?
Help is highly appreciated!
The trick lies in the Allowed Callback URLs and the Allowed Origins (CORS). Both fields need to be filled in properly within the Auth0 Client setup. This means that the allowed callback URL needs to be equal to your domain of the Shiny app, starting with the proper protocol (in this case http) and ending with /callback. The same URL should be used in the .env file. In my case, this was something like http://ec2-123-456-789.eu-central-1.compute.amazonaws.com/callback.
Then don't forget to also use the Allowed Origins (CORS), since the origin is not exactly equal to the callback. The origin uses https protocol, instead of http. Hence use something like https://ec2-123-456-789.eu-central-1.compute.amazonaws.com for your Origin.
Background
I want to create a PHP application that eventually will be installed on "countless" web servers.
The application is going to access the Google Drive associated with the web server's administrator Google account (it will basically write some files on user's cloud storage). So my PHP app will be authorized by the end-user to use its Google Drive storage. This is done (via the OAuth2 protocol) by connecting the Google OAuth2 service.
So basically I have to create a ClientID/Secret pair (on behalf of my Google Account) that is gonna be used to execute the authorization flow.
Google provides 3 authorization methods:
(1) for web applications (web browsers over network)
(2) for service account (my server to Google server)
(3) for installed application (like Android, iPhone)
(1) is perhaps the best choice EXCEPT that I have to define a REDIRECT_URI where the authorization code will be sent. Because my APP will be installed on "countless" different servers, I don't know in advance the protocol, domain name and the path (also the URI) where Google's response should be returned. If I were to install this application on only 3 servers, I could create a ClientID/Secret pair upfront for each of them. That's not the case.
(2) means to deploy my P12 private key with the PHP application and I don't feel comfortable with that!
(3) means to put the end-user to copy/paste an authorization token from a Google web page into my application web interface. I am trying to avoid doing that.
I already made it to work by using the method 1 when I know in advance the REDIRECT_URI. I also embedded the client_id/secret pair in the source code so the whole authorization process is user-friendly. But this is not going to work on a "countless" deployment scenario.
Questions
Which method and how should I use it in order to make the whole process safe for me (as developer) and for the client too (the web server administrator). Note that the authorization process should not involve the end-user to copy paste some codes. I want that step to be transparent/user-friendly for the end-user (no one likes copy-paste when it can be done automatically).
Should I embed my client_id/secret into the application, or is that totally wrong? I suppose no end-user wants to go through the creation of their own ClientID in Google Developer Console, right? On the other hand, why would I give my client_id/secret to an unknown end-user?
Final thoughts
I could create a proxy application on my (the developer) web server such that my PHP application (which is supposed to be deployed "everywhere") will send the authorization request to my proxy server (which has already its own client_id/secret) which in turn will redirect the call to the Google OAuth service which then REDIRECT_URI back the authorization code to my proxy and finally I will redirect back the response to the original sender (the PHP application). What do you think?
Some useful answers here and here or here.
#Edit: as I've already said earlier, a proxy would be a solution. I've made it and it works. I also received the same solution from user pinoyyid. Thanks for your answer too.
A proxy is the only real option open to you. You can encode the originator URL in the "state" parameter, so that when the proxy receives the access token, it can call a webhook at the originator.
There are some contradictions in your question...
"The application is going to access the Google Drive associated with the web server's administrator Google account" and "So my PHP app will be authorized by the end-user to use its Google Drive storage." are mutually exclusive.
If the Drive storage belongs to the app, then the user isn't involved in any OAuth dialogue.
Could you edit your question to be clear who is the owner of the Drive storage, as it greatly influences the OAuth flows?
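The proxy answer earlier in this thread suggests carrying the originator URL in the `state` parameter. The following is an added sketch, not code from the thread, of how a proxy could sign that state with an HMAC and check the return URL against known installations, so a forged state cannot turn the proxy into an open redirector for authorization codes. `STATE_KEY`, `REGISTERED_ORIGINS`, the nonce and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Assumptions for this sketch: the proxy owns STATE_KEY and keeps a registry
# of origins where the application is installed. All values are constructed.
STATE_KEY = b"constructed-demo-key"
REGISTERED_ORIGINS = {"https://shop.example.org", "https://files.example.net"}
MAX_AGE_SECONDS = 600


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_origin(return_url):
    # Compare scheme://host[:port] exactly; userinfo tricks end up in netloc.
    parts = urlsplit(return_url)
    if f"{parts.scheme}://{parts.netloc}" not in REGISTERED_ORIGINS:
        raise ValueError("return URL is not a registered installation")


def make_state(return_url, nonce, now=None):
    """State the proxy sends to the authorization endpoint for one login."""
    check_origin(return_url)
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"u": return_url, "n": nonce, "t": issued}).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_state(state, now=None):
    """Return (return_url, nonce) for an authentic, fresh state, else ValueError."""
    body, _, tag = state.partition(".")
    payload = b64d(body)
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(tag)):
        raise ValueError("state signature mismatch")
    data = json.loads(payload)
    current = time.time() if now is None else now
    if current - data["t"] > MAX_AGE_SECONDS:
        raise ValueError("state expired")
    check_origin(data["u"])  # re-check in case the registry changed
    return data["u"], data["n"]
```

The nonce is returned to the originator so it can compare it with the value stored in the user's session before accepting the result.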