I have a frontend (SPA, angular2, lite-server) and a hidden backend (not exposed to public, i.e. localhost:8080, spring boot+spring security), frontend can access backend by proxying frontend/api calls to backend/api under the hood.
Basically, the steps for this kind of OAuth2 flow are:
On UI - hit url to authorization server with redirect_uri specified
Authorize
Get back to redirect_uri with access code
???
Server exchanges access code for an authorization token and keeps it
User(authenticated) gets back to the page he was restricted to access
I can't get the steps between 3 and 5. As my backend server is invisible, the redirect_uri should be the one in the frontend. I could possibly use a frontend/api/auth which will proxy the call to backend/api/auth and backend will succesfully get the authorization grant however in this case user won't be redirected back to a frontend. So, should I get the code in the javascript and do a POST to /api/auth from the javascript instead?
Also I don't get how to get back to step 6 after that as after all redirects SPA app will be reloaded(dropping the state) and redirect_uri is an url to /api/auth.
If I get the question right, the easiest would be to "expose" the server via localtunnel or ngrok.
Related
I'm working on a tool that embeds an iframe of an external app. The authentication to this external app is via SAML and Keycloak. However when using the iframe, the SAML request to Keycloak does not work: "... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
Scenario 1: Accessing the external app using the browser (normal way)
I get redirected to the Keycloak login page and after successful authentication, it redirects to the external app and everything works fine.
Scenario 2: Loading the external app using the iframe
The iframe is loaded and the Keycloak login page is shown. However, after entering the credentials, the triggered SAML request to Keycloak is blocked due to the CORS issue, see
Failed SAML request to Keycloak within the iframe.
Once I click on the failed URL (starting with "saml?SAMLRequest=...") and access it the normal way (browser), everything works fine.
I read on multiple sites, e.g. here Keycloak Access-Control-Allow-Origin, that you have to enter your webpage (in this case localhost:8080) to the Web Origin field within the Keycloak interface. This one only exists when choosing the openid-connect value in Client Protocol though. So, when switching from openid-connect to SAML, which I use, the Web Origin field disappears. I even tried to export the config file for that Keycloak client in order to manually enter the WebOrigin property, which did not work either.
How can I change the CORS policy for this iframe when using SAML (not openid-connect) since I don't have access to the Web Origin field?
Thanks in advance!
Keycloak doesn't allow to be loaded in the iframe by default.
Keycloak admin must allow that explicitly per realm in the Realm settings->Security Defenses->Headers->X-Frame-Options. Make sure you understand all security consequences before you allow Keycloak in the iframe. It's a security setting.
We have two Azure AD Web Apps Registered under one outlook account for OneDrive Development under the portal apps.dev.microsoft.com . We have created two apps because we need our app to support callback URLs from two servers with different DNS. Unfortunately only the first app that was created works in which we can get the access token using V2.0 end point and then subsequently can access One Drive Resources using graph API.
The second App that we created to supported another server with a different DNS does not work. We are unable to get access token and the response is below,
AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope
One App: reply URLs: https://www.example.org/OneDriveApp/callback.jsp - works great
Second App: reply URL https://www.example2.net/OneDriveApp/callback.jsp - failure to get OAuth Access Token.
This error generally means the auth code you've gotten is not meant for tokens on the specified endpoint. This can happen from misconfiguring the auth endpoints, registering the app in the wrong spot, or a malformed request.
The first thing to check with this error is your auth endpoints.
Next, make sure you're using the correct library to obtain the authorization code.
Also, make sure that you are not registering the app in the wrong blade (regular AD vs b2c).
What do you have as the URL for the token endpoint?
I'm having difficulty using Nginx's http_auth_request_module with dynamic, user specific URLs.
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
I need to authenticate (using OAuth 2) a user whenever they attempt to access their notifications. I've got an Nginx instance acting as a reverse proxy to an API (api.*) built on Django, and a Node server (notifications.*) for real-time notifications.
Assuming I can authorize requests (return 200 on success, 403 on failure) through my API at:
api.example.com/authorize/user_id/ 'Authorization:Bearer user_access_token'
And the user's request is:
notifications.example.com/user_id/ 'Authorization:Bearer user_access_token'
How would I dynamically take the user's request to the notifications subdomain, proxy it (including user ID & access token) to my API to authenticate, then continue proxying to notifications iff the user is authorized?
I think the problem really comes down to how do I dynamically set the auth_request URL with the request's user ID and access token. Any help would be greatly appreciated!
I've written my own login app to protect my api following the oauth-login-app example.
I've implemented the web server flow and everything works great.
My question is: how should I handle an authentication failure at step 3? How do I tell he client app that the authentication failed? The user could either press the cancel button, or refuse permission or just enter the wrong details.
When you initiate OAuth 2.0 (dance) with
/authorize
the user-agent land on /login page (created/hosted by you),
post redirect.
enduser(user-agent) submits the username/password
to the page hosted by you. Here you collect the credentials and
submit to Apigee, and if authentication fails, send a HTTP 401
response. Now your application should be in position to re-render
the login page and with a flash "invalid credential".
Now coming to if user is authenticated but rejects the authorization request in
consent page, you should redirect to the "redirect_uri" provided
by client, with error code.
How do I tell he client app that the authentication failed?
The login app will redirect the control back to the application redirect URI - with added error code/description in the URL as hash parameters. In case of success the URL is appended with code or token.
You can do this redirect from your login app directly but I would suggest to make the redirect call first to an Apigee Proxy and let Apigee Proxy send the redirect back to app. Both in case of success and failure. In this way you will have the benefit of using Apigee analytics that helps your understand how many OAuths failed for what reason etc.
EDIT:
You can use the same GenerateAuthorizationCode proxy you have built for the success flow. When login fails or succeeds, in either case you need to pass that information to this proxy. Generally the login app and this proxy should share this information using a common session store. You can not pass this information just using a redirect parameter because that can be changed by the client user agent. When you redirect to the GenerateAuthorizationCode redirect proxy, do so by appending a random session ID in the URL. That id can be used by the GenerateAuthorizationCode proxy to look up the login status from the session store. Then you can either send back a redirect with error or a proper oauth code based on if the login was successful. An easy implementation of the session store can be done using a distributed caching resource in the apigee gateway. Login app can put/get the session using an internal API. While the proxy can use policies to retrieve the session information.
I know there has to be an obvious solution to this problem and I am missing it, so I would much appreciate someone enlightening me so I don't spin my wheels...
I am writing an ASP.Net application that will interact with a service API (Evernote specifically). Evernote requires OAuth for security and before I can actually interact with the objects I need to obtain a token.
The workflow goes like this (explaining it to myself as much as anyone else!):
Build a url with my development api key and secret key and some other OAuth stuff, send it to Evernote to request an access token.
Send the url as a request to Evernote and pull the new access token out of the response
Build another url with the access token to request an authentication token for the user. This url goes to a page the user must interact with to login (if they haven't already) and then authorize my application to access their account. The last param of the url I build is a callback url which will be called from Evernote's servers.
If all goes well, Evernote will request the callback url and include the new authentication token as a param.
Once my server receives the callback with the embedded token I can use it so that my app can interact with the users' notes on subsequent requests.
The problem is that I'm writing this app on a local box, not an ISP under a public domain. So my callback is to the localhost server. Of course, localhost is relative, so Evernote can't resolve my callback... I can't ever receive an authentication token and debug at the same time.
There has to be a way around this problem because this authentication model is not unique to Evernote (by a longshot... Flickr uses it as do a lot of other services). So can someone tell me how to set things up so I can get the authentication token and still be able to debug on my local box?
Help is much appreciated!
OAuth is quite tough to implement. It may not be the answer you're looking for, but this is how I managed to get the job done:
Write some code on my local dev machine.
Run a bat file (or alternatively hook a post-build event in VS) that executes a msbuild deploy script and deploys the application to a test server.
Run the application on the test server. After obtaining the request token and requesting for authorization it redirects to the Evernote website.
After successful authorization the Evernote website redirects back to my test server and the authorized request token is exchanged for an access token.
Instead of debugging (I don't have VS on the test server) I examine the logs of the application (the logging I used was as simple as writing to a text file).
Rinse and repeat
For the purposes of testing I registered a temporary public subdomain (e.g. testing.oauth.mydomain.com) so that Evernote will be able redirect to that url.
According to this (How do I develop against OAuth locally?) the callback is issued by the browser, so it should be able to hit localhost.