Keep Me Signed In message missing during login if using msal.js - azure-active-directory

Context
I'm developing a browser application that uses the msal.js library to allow Azure Active Directory accounts to access our website. The application has the clientId and the scopes properly set, and it uses loginRedirect and acquireTokenSilent successfully.
Problem
The issue I'm facing is that I'm unable to keep the session open because I don't see the Keep Me Signed In (KMSI) message, so I cannot answer 'YES' and make the AADSSO cookie persistent. For that reason, after the login process, if the browser is closed I need to log in again.
Expectation
If I'm redirected to the Microsoft login from my website using the msal.js library, I expect to see the KMSI message to enable a persistent session (which, for some reason, I can see if I go directly to login.microsoftonline.com).
Sorry for the Spanish: it says "Do you want to keep the session open? No / Yes".
Question
How can I enable KMSI with msal.js?

The cause of not seeing the 'Keep me signed in' login message when using msal.js is that when the library builds the URL to perform the login, it contains a query string item called x-client-Ver that changes the microsoftonline.com login flow.
If you remove that item from the URL (&x-client-Ver=1.1.3, for example), you can see the 'Keep me signed in' message.
The solution is to manually patch the library, removing this, until Microsoft fixes it, like this: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/982/commits

Related

During signIn receiving B2C error code ‘AADB2C99059’

I integrated a web application (SPA) with Azure B2C for user authentication. During login from the web app, I'm seeing this B2C exception code (AADB2C99059) on the UI instead of the actual B2C login screen. Please advise me on this scenario: do I have to make any changes in the B2C configuration or in the backend application code?
The error (AADB2C99059: The supplied request must present a code challenge) generally comes when you are missing your code challenge in the Run Now URL. You can test the user flow without implementing it in an application by appending a static value for the code_challenge to the Run Now URL.
For example, you can append &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl to the URL and it should work for you.
If the above code challenge is not working for you, you can also generate your code challenge using C# code and pass it to the request URL.
You can refer to this document to know how to generate the code_challenge.
This should be automatic in an SPA.
It's part of the "Run Now" flow.

How to detect front-channel logout in a second existing, open browser window and redirect the user to a logged-out page?

Say I have two applications open, one in each tab, and they both leverage the same SSO server. The user globally logs out (front-channel) in App A, but App B remains open in another tab. The front-channel takes care of wiping the cookies, but ideally there would be a way to redirect App B to a "you've been logged out" page. However, since it's not possible to detect HttpOnly cookies via JavaScript, how can the JavaScript running in App B's tab detect the removal of the cookie and redirect the user? I suppose we could write a non-HttpOnly cookie as well and monitor that, but I thought there may be a better solution out there.
IdentityServer4 supports this via the "session status change" spec here:
https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
This allows your app to ping (via postMessage calls to an iframe) for changes to the current session and receive a response indicating if it's changed or not. This all happens client-side and it uses a non-HTTP-only cookie which is populated with the current session ID.
The endpoint in question is advertised as check_session_iframe in the /.well-known/openid-configuration document.
oidc-client-js implements this out of the box but for a server-side app you may have to roll your own.

auth0 does not require password after logout; logs back in without password

I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said, I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/. It doesn't make any sense to me. Am I missing something?
Thanks ~~
This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..."; clicking it would log you in without requiring a password.
If you are "Logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from Network tab in your browser when you click to logout.
The Auth0 React quickstart by default does not call the logout endpoint; it only removes the tokens from browser storage. To clear the SSO cookie and log out from the IdP using Auth0.js, you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.

Incorporate Keycloak login into SPA

We're currently evaluating Keycloak as our SSO solution and while it works for our servlet-based applications there's a question regarding our (React-based) SPAs.
What our designers want: as an example let's say we have an email client spa. The user is in the process of writing an email but then gets distracted. When he returns the SSO session has already timed out and a re-login is required. The user should now be presented with a login form and after login it should be possible to send the email that's still in the SPA's local storage (i.e. re-login without restarting the SPA or losing data).
AFAIK Keycloak doesn't provide an authentication-api (for good reasons) and uses a redirect to the login page and back to the application (as I understand it for mobile apps the system browser would be used). If I'm not mistaken that redirect would then mean the SPA is then reinitialized and thus the data would be lost.
So here's the question: is what our designers want possible to do with Keycloak?
If yes, how would it be done? Directly posting to the login-url that Keycloak is using seems like a bad idea since the tokens would probably not be stored correctly and there might be same-origin policy problems. Would doing it inside an iframe or popup-window work?
For someone who comes back to this question,
I think it's better to stick to the best practice for OAuth2/OpenID Connect for SPAs, which is currently "Authorization Code Flow" with PKCE.
https://oauth.net/2/pkce/
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13
A normal flow here needs a complete redirect to the auth server and back so your app will completely re-initialize. Or you use check-sso like Sébastien already mentioned with silent mode.
https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/javascript-adapter.adoc
You can configure a silent check-sso option. With this feature enabled, your browser won’t do a full redirect to the {project_name} server and back to your application, but this action will be performed in a hidden iframe, so your application resources only need to be loaded and parsed once by the browser when the app is initialized and not again after the redirect back from {project_name} to your app. This is particularly useful in case of SPAs (Single Page Applications).
This way the login will happen in an iframe and the app initializes only once and should preserve state.
Even if it's not considered a best practice, you can turn on Direct Grant Access for your client, which enables login through a REST call.
Anyway, about not losing the state of your app, this is a bit outside the scope of Keycloak, but you should be able to achieve that by having the state in your redirect URL, for instance?
Also, if you don't want your app to automatically redirect to the login page, you can use keycloak.init({ onLoad: 'check-sso' }) instead of login-required.
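An added example (not code from the Keycloak project or from either answer above) combining the two suggestions: silent check-sso, so the SPA initialises once in a hidden iframe, and keeping the unsent draft across the one redirect that cannot be avoided, the interactive re-login after the SSO session has expired. It assumes keycloak-js is loaded as Keycloak; the server URL, realm, client id, /api/mail and /silent-check-sso.html are hypothetical placeholders.

```javascript
// Draft-preserving re-login with the Keycloak JS adapter, added example.
const DRAFT_KEY = 'mail.draft';

// Persist the draft before a full-page redirect; restore (and clear) it after.
function saveDraft(storage, draft) {
  storage.setItem(DRAFT_KEY, JSON.stringify(draft));
}
function restoreDraft(storage) {
  const raw = storage.getItem(DRAFT_KEY);
  if (raw === null) return null;
  storage.removeItem(DRAFT_KEY);
  return JSON.parse(raw);
}

// updateToken() rejects once the SSO session is gone and the refresh token is
// unusable; then stash the draft and start an interactive login instead of
// letting the redirect destroy it. On success, returns the authenticated
// request the caller should issue (the fetch itself is left to the caller).
async function sendDraft(keycloak, storage, draft) {
  try {
    await keycloak.updateToken(30);   // refresh if it expires within 30 s
  } catch (err) {
    saveDraft(storage, draft);
    keycloak.login();                  // full redirect to the Keycloak login page
    return { status: 'login-required' };
  }
  return {
    status: 'sent',
    request: { url: '/api/mail', headers: { Authorization: `Bearer ${keycloak.token}` }, body: draft },
  };
}

// Browser wiring: silent check-sso on load, then resend any draft saved
// before the redirect. Not executed outside a browser.
async function initAuth() {
  const keycloak = new Keycloak({ url: 'https://sso.example/auth', realm: 'mail', clientId: 'mail-spa' });
  const authenticated = await keycloak.init({
    onLoad: 'check-sso',               // never forces a login on load
    silentCheckSsoRedirectUri: window.location.origin + '/silent-check-sso.html',
    pkceMethod: 'S256',
  });
  const pending = restoreDraft(window.sessionStorage);
  if (authenticated && pending) await sendDraft(keycloak, window.sessionStorage, pending);
  return keycloak;
}
```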

Websphere portal session timeout redirect

In my WebSphere Portal 8 I need to redirect the user to a custom page after session timeout.
As described in all the tutorials, I set
redirect.logout = true
redirect.logout.url = /wps/portal/uec/uechidden/sessiontimeout
in WP_ConfigService, but that had no effect.
I have checked all access permissions to the redirect page, the portlet and everything else.
I also have a logout filter in my app, but even when I removed it I was still redirected to "Your portal session has timed out because of no activity. Please start a new session at your portal Home."
My timeout settings are set for server not for one application.
Any suggestions?
To redirect to the login page (or any other page) when the session expires, use one of the following methods:
Option 1.
Extend the authentication filter chain and implement the desired logic in code. Refer to the following articles for more information: "Configuring authentication filters" and "New security APIs in WebSphere Portal".
Option 2:
Modify the ErrorSessionTimeOut JSP to add JavaScript that redirects to the login page when the session times out. This option is simpler to implement, but you may see a momentary "flash" when the redirect occurs.
More information: http://www-01.ibm.com/support/docview.wss?uid=swg21419230
To redirect the user to a custom page after the session times out, you need to perform the following steps.
Define an ImplicitLogoutFilter by implementing com.ibm.portal.auth.ImplicitLogoutFilter.
While defining the ImplicitLogoutFilter, set the redirect URL in the filterChainContext using the method:
filterChainContext.setRedirectURL("URL of custom page where user should be redirected to");
Configure this filter in WebSphere.
In WP_ConfigService, create a new custom property redirect.logout=true.
Restart the server.
Follow these steps; it works when the session times out and the user tries to view an authenticated page. In case any issue is faced, please let me know. I'll help you in resolving this issue.
