How can I force basic http authentication instead of cookie authentication for one url / browser view and not to switch complete site away from cookie thing.
We do not want to allow login parameters in url anymore.:
/foren/RSS?__ac_name=meinloginname&__ac_password=meinpassword
So feed readers need basic http authentication to access the feed.
Basic authentication is always supported; if a basic auth header is present the cookie-based login form redirect will not be shown.
Presumably you want to disable the redirect for the RSS feed instead, so when basic auth headers are not present a 401 auth-required response is sent instead of a redirect?
If so, then you'll need to provide PluggableAuthService plugin, implementing the IChallengePlugin interface to intercept the challenge() call and make sure unathorized is raised before the CookieAuthHelper plugin can redirect.
Related
I have a Wordpress website and a Chrome Extension. If the user logs in on the website, I want the Chrome Extension to be aware of that (and vice-versa). The Chrome Extension won't have a login form in it; the user will always log in through the website login form.
When you log in on the website, Wordpress by default sets its authentication cookies to identify the user. What I initially had in mind: I would also like to return some kind of access token, which I would store somewhere where the extension can find it and use it to make authenticated requests to the Wordpress REST API. But.. where do I store it (in a safe manner) so I can find it within the extension?
Perhaps I should try a different approach?
Thank you!
What you could do, the simpler way:
create an Ajax action or a REST API route
as you can read in the documentation, the authentication is cookie-based. So once the user is logged in from the WordPress login form, the authentication cookie is added to your browsing session
without overrides, the cookie will also be forwarded when using JS HTTP queries (eg ajax)
your route could check something like is_user_logged_in() or wp_get_current_user() like available methods. And return the result (among other things if needed) to your plugin JS
you may need to change the WordPress cookie configuration, so they can be accessed from anywhere (any domain), check this.
Better way:
would be to use a plugin like this to implement REST API Oauth2 authentication
user should be able to login directly from the extension window (need development), and then use a refresh token feature to keep the user logged in.
I believe you may also need to update your actual login form, if its classic or OAuth rest API login, should be able to send back the required OAuth token (access and refresh tokens), to the frontend (then stored in local storage or else) to be used by the extension. To prevent having to log in twice.
I successfully authenticated my user with my firebase app in the browser. Now I want my custom backend to know that the user is authenticated.
How do I go about this? Can I tell the client to include the firebase JWT in every request to my backend, so that the backend knows the user is logged in? (This is necessary so that the backend will not redirect a logged-in user to the login page, for example.)
Background Research:
The firebase authentication docs explain how to get the firebase token, send it to your custom backend, and then do something on the backend with the user data. That's fine for an XHR request, where you can tell the browser to include the token as a header. I don't understand how to get the browser to include the token in a normal HTTP request to the server, like when the user opens a new tab and navigates to the admin panel at https://example.com/admin.
This is a related question, but I didn't understand the answer (or at least how I could apply it to my use case).
Here's how the good guys at jwt.io explain it:
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
Authorization: Bearer <token>
This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
Can someone explain what the Callback URL is and what exactly it's used for?
I'm setting up Social login for my WordPress website and in Facebook and Twitter it asks for a callback URL.
At the moment i have left these blank and it works fine but was wondering what exactly are they used for?
I've read on other websites that it should be set like this:
http://mywebsite.com/user/facebook/login
But I don't understand what to use it for.
Is it to redirect the user to your site after they login via their social accounts? If that's the case, doesn't it do that without a callback URL?
Is it to redirect the user to your site after they login via their social accounts?
Yes.
If that's the case, doesn't it do that without a callback URL?
How would it know where to redirect back to, if that information wasn’t passed to it in the first place?
The callback URL is passed as a parameter in the login dialog call. That allows the login provider to a) redirect back to the app, and b) check if the app is even allowed to perform login under that URL.
I want to implement oauth2 in my website.
I have the server configured.
In current scenario there is a login page, where user puts her credentials which in turn is submitted to my login controller. Now I want to authenticate user using oauth2. Since the server and client are part of same application I am wondering how to go ahead.
I want to authenticate the user via oauth and return the dashboard along with the bearer token so that next call can me made from here.
Please suggest how to go ahead. If there is a better way to do i am more than happy to adapt it.
Thanks
Configure authorization server with spring-security-oauth. All the necessary endpoints will be mapped automatically (including /oauth/token)
Make a simple webpage with login form
Make POST request to /oauth/token with the username and password. In addition you have to send field called grant_type which will be filled with 'password' value.
As a response you will receive the access token. This means that you are authenticated.
P.S. Please pay attention that Oauth is the authorization standard, not the authentication one!
I have a loosely coupled web app (one part uses PHP, the other uses WGSI). The WSGI/python framework shares the authentication with the PHP app, meaning that generally, the user should
Log in via the PHP interface
Now the user can access any of the WSGI pages [this part works if the user has logged in]
What I want to do though, is if a user tries to access a WSGI page while not logged in (maybe from a previous bookmark), I would like to redirect him to the login page, and after logging in redirect him back to the orignal URL.
I'm not very experienced with server-side programming, so here are my questions.
How should I redirect the user back to the PHP login page? What should the HTTP status code be? Do I need to set any extra header information?
What is a good way/best practice method to pass the original URL to the login page, and then after logging have it redirect the user back.
Thank you!
If the user isn't logged in, you could set the status code to 401 Unauthorized and redirect with location: /login.php?dest=/admin/only.php.
This would look like:
header("HTTP/1.0 404 Not Found");
header("Location: /login.php?dest=" . $_SERVER['PHP_SELF']);
in php.