IdentityServer4 Silent Renew Manually without client library - identityserver4

I'm writing authentication for Flutter, which doesn't have direct access to any of the JS clients, so I'm trying to parse all of the stuff myself for silent renew. I'm having a number of problems and I can't find anyone that has done it, so I figured I'd ask here:
When I create my iframe for silent renew I use the check_session path. This works fine, and I can send in my post message of " <session_state>". However, 100% of the time I get back a response message of event.data == "changed". What am I doing wrong here?
When I do try to create a renew without a prompt, I can't figure out what to put into the hidden iframe as the URL to make it work. The client uses code flow by default, so I'm passing a URL that looks like this:
https://localhost:44401/connect/authorize?client_id=Admin&redirect_uri=http%3A%2F%2Flocalhost%3A51190%2Fcallback.html&response_type=code%20token&scope=openid+profile+email+offline_access&code_challenge_method=S256&code_challenge=&prompt=none&state=
This always returns login_required. I tried id_token for the response_type but no dice there either. I just get a massively long error and it says that the grant_type is invalid in the console for IdentityServer.
So what's the trick to getting this working?

Related

ERR_HTTP2_PROTOCOL_ERROR after authentication is done

I'm trying to use ITfoxtec.Identity.Saml2.MvcCore on a .NET Core 3.1 web application with an in-house IdP.
It works great on our test server (Windows Server 2012, hosted in IIS) but I can't get it to work on any other server.
This is what happens:
The initial call to the website is correctly identified as an unauthenticated call and the user is sent to the IdP, where the user logs in as usual. The SAML token is then posted back to the web application's assertion consumer service, where everything seems to do what it's supposed to: saml2AuthnResponse.Status has status code Saml2StatusCodes.Success and the log file says "AuthenticationScheme: saml2 signed in". Then it reads the ReturnUrl parameter and logs something like "Executing RedirectResult", but then it just stops. Nothing in the log file, nothing in the IIS logs. The user is met by the message
This site can’t be reached
...
ERR_HTTP2_PROTOCOL_ERROR
In short, every controller that has the [Authorize] attribute gives the ERR_HTTP2_PROTOCOL_ERROR error. When I remove all [Authorize] attributes the application works great, although without authentication.
I've also tried the example TestWebAppCore application from ITfoxtec.Identity.Saml2's GitHub page and it gives the same error. It works on our 2012 test server but nowhere else.
Any ideas that I can try?
I think you need to trace the calls to see the actual HTTP requests and responses sent between the browser and the server. I usually use Fiddler for tracing the requests/responses. Remember to enable Fiddler for HTTPS tracing.
My first thought is that the problem can have something to do with cookies. But it is only a guess...
You might be on to something; we disabled HTTP/2 on the server and were greeted instead by this message:
Bad Request - Request Too Long
HTTP Error 400. The size of the request headers is too long.
It uses 5 cookie chunks for the SAML data, for a total of 19941 bytes, which is a bit too much. I've tried to make the application save the session data in classic session objects instead, but I can't seem to get it to work.
This is what I added to Startup.cs:
In ConfigureServices:
    // Session state is what TempData is stored in, instead of a cookie
    services.AddMvc()
        .AddSessionStateTempDataProvider();
    // The session cookie itself only carries a session id, never the SAML data
    services.AddSession(options =>
    {
        options.Cookie.IsEssential = true;
    });
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => false;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });
In Configure (before the authentication and endpoint middleware):
    app.UseSession();
But it still fills up the header with cookies. What am I doing wrong? Is there another way to make the session cookies smaller?

instagram oauth issue (make sure your redirect_uri is identical to the one you used in the OAuth dialog request)

I'm trying to get basic data from Instagram profiles. I am using a local webpack dev server to run my React app, and I am also using Firebase functions. The function on Firebase sends an oauth/authorize request to Instagram's API; I'm getting a code response back and return it to my React popup. I then send the code to Instagram's API for oauth/access_token, but I'm getting the following error:
Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request
I'm running localhost:3000 as HTTPS with an SSL certificate; I've set the redirect URL in the Instagram developer tools to https://localhost:3000/instagram-popup/
The popup is the page I'm loading to get the access token. It does get the code from the Firebase function correctly, but fails the last call... I have lost SO many hours on this issue. If anyone has been in this situation and solved it, or didn't even encounter it but knows what I can do to fix it, I would really appreciate any guidance here.

Using AWS-Amplify with Firefox

I hope you are all doing good,
I have a question that I've been stuck on for the past couple of days.
I am building a website with React that uses AWS Amplify for user authentication (for users in the Cognito AWS user pool).
I am working on the log-in and sign-up page, and it's working fine when using Chrome, but whenever I am using Firefox there is an issue (specifically with the log-in).
Problem: There is a part in the JS code that uses the Auth.signIn() function from the aws-amplify package. This function takes in the username and password and returns whether the user is authenticated or not. However, when using Firefox, this function times out, as if the browser can't get the response from the server. Here is a screenshot of the console:
It seems like the response is 403, but I am guessing that's because of the time-out.
(The try/catch doesn't catch anything because it looks as if the page freezes.)
I hope I made it clear, and thank you for your time reading everything!
Do your request headers/body contain the correct username and password for the user in Firefox, and is it sending the request to the same endpoint as in Chrome? The 403 code makes me think that the endpoint is malformed on the Firefox request. Finally, is it sending with SRP_AUTH or USER_PASSWORD_AUTH?
Also, since you're using React with Cognito+Amplify for auth*, you might want to consider using the withAuthenticator higher-order-component provided by aws-amplify-react and styling it to your needs. Then you won't need to maintain your own login logic, won't need to worry about fixing it yourself if a browser change breaks your code, etc.

Kentor.AuthServices is appending SAMLRequest directly to sign-in URL which causes 403 Forbidden

I'm using AuthServices to implement single sign-on. Everything works OK if I go directly to the IdP's sign-in page:
https://fedserver/saml2sso?SPID=https://myapp.com
However, if I click a link in my app which requires a login, it redirects to /AuthServices/SignIn, which in turn redirects to the sign-in URL but with "&SAMLRequest=" appended to the URL. This causes a 403 Forbidden response from the remote server.
https://fedserver/saml2sso?SPID=https://myapp.com&SAMLRequest=.....
If I delete this extra parameter and submit, I then get signed in OK and sent back to my app.
What I can't work out is which end is misbehaving: should the remote server allow the (seemingly redundant) SAMLRequest parameter, or should AuthServices not be appending it in the first place?
EDIT:
I've tried an alternative commercial component (ComponentSpace SAML2) and it works OK with the same IdP server out of the box, so it looks like this might be a bug or configuration problem with Kentor. I'd still like to know if this is solvable with Kentor.

Google cloud print OAuth scope not found

I'm creating an app that prints out a PDF from the server after it has been generated.
When using Google Cloud Print I keep getting:
User credentials required
Error 403
Note: making this print request in the simulator page works fine, but that's because I'm already logged into my Google account.
After doing some research I found out I need to use OAuth to get an access token to send with the request to make a print job.
And every single page I can find tells me to redirect to https://www.googleapis.com/auth/cloudprint, which gives me a 404 error; neither can I find it in the Google OAuth playground, and using any older versions of authentication ends up with the sign-in request being flagged as an attack from a hacker.
Is there any way around this?
I was stuck on this for a while. The docs don't tell you which scope to use or how to use it. I hadn't implemented a Google API using OAuth2 yet, so I didn't have an understanding of how the scoping works.
It turns out the scope is just the base API route for Cloud Print.
To make sure your refresh_token or access_token is scoped properly to use the Cloud Print API, you need to have the following string in your scope list:
https://www.googleapis.com/auth/cloudprint