Site is protected with username and password. How can i do get some data from that page if it is protected. Any suggestion? When i access it i need to enter username and password to get content. I owe that site and i know username and password but it need to be protected because its in develop mode.
Send an authentication request simulating the login form (using $http) to gain an authenticated session, then request the data as normal.
Try adding usrename and password in request url like this
http://username:password#kodex.dev.lapps.ws/
or
you can use basic Authorization header in your http request
Related
I am trying to integrate my application with AAD authentication but the replyurls which i am configuring in the AAD application is
https://www.example1.com/abc/account/login.aspx
but when i am coming back after authentication i am getting redirected to
https://www.example1.com/
Only and my request is coming as authenticated but i want user to redirect to full url which i have configured.
I have tried sending RedirectUri at the time of app configuration in startup class as same as https://www.example1.com/abc/account/login.aspx that time user is redirect to this url but that time request is not getting authenticated
any one knows how i will achieve this?
thank you in advance.
Reply URL is where the token would send to . It means that it is a endpoint
which signs in users for that provider. But after signing in, the user will be redirect to the Homepage(Sign-on) URL.
For your scenario, you can change the Home page (Sign-on)URL in both AAD Application and your APP config file to the URL which you want to use.
Please refer to this documentation for detailed instructions on how to set up these configurations. Like Wayne said, you need to make sure that the home page URL is matched to whatever site you want the users to be redirected to after login. Then make sure that the reply URL and the RedirectURI are matching.
I am trying to delete a user from a realm using keycloak admin client api.
I am following an example from here:
https://gist.github.com/thomasdarimont/43689aefb37540624e35
Here is what my code looks like:
Keycloak kc = KeycloakBuilder.builder().serverUrl("https://localhost:8445/auth")
.realm("sensorcloud-auth").username("admin").password("admin").clientId("admin-cli")
.clientSecret("b6b4f0ec-9936-46a2-9f40-69c207e2e0f2")
.resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()).build();
kc.realm("sensorcloud-auth").users().get("a3fdac49-f7eb-4be7-a81f-b48b09a6694c").remove();
I can login to keycloak admin console using username admin and password admin, and I am pretty sure there is no typo with other parameters, but every time when I try to delete the user with that userId, I will be given a 401 Unauthorized error. Can someone help me figure out what is going on?
Not sure which version of keycloak admin client api you are using, with current API there is no remove operation.
It should be kc.realm(realmName).users().delete(id) . You can check the REST API for Delete User
We kept getting HTTP 401 status code responses when the hostname stamped on the iss field of the bearer's/user's access token had a different case i.e. lowercase vs. uppercase than the url used to post an HTTP request to keycloak's token endpoint.
While creating Keycloak instance, Realm should be master realm.
After creating instance with Master Realm, you can delete the user by using your code.
Using IdentityServer 4 for authentication which work with different clients, that support OpenID Connect and OAuth 2.0 protocols for AAD authentication
In scenario, if there is an error before Login or after Login (authentication)
User is redirected to Home\Error, default exception middlerware handler. Here I want to provide user with 'Retry Url' which redirects to Client link.
Appreciate if any body can suggest on this.
In Account Controller Login() you can get the return_url from the model(check LoginViewModel). Just validate this return_url and Redirect the user, it will take it to the client. You can also fetch the redirect_uri from return_url which have the client info - if thats what you are looking for!
You can always pass the return_url to error view and inject it in a hyperlink where user can click to go back to the client.
So this is my structure:
HTML form sends authentication to nodejs.
Authenticate using passportjs > res.send the userid with jwt-simple (json web token).
The received info is saved in $localStorage.user. I use that info in any of the controllers needed and include it and send my post/get requests to nodejs.
I decode the info in nodejs and query the DB.
Is this safe? Is this how it works in real world?
Many thanks.
#Somename:
The workflow which you have mentioned is slightly correct.
The ideal way to get passport authentication done is,
User log's in entering his username and passport.
Send a post request with these form data.
Authenticate the credentials using Passport. Using the passport.authenticate will invoke the serializeUser and get you the valid user if it exists. Else we return a login error response.
A Successful login will automatically create a session in back end, save it in the sessionStorage and adds it with the response.
This cookie will be saved automatically into browser's local storage once the response is fetched at client side.
Every time we send a subsequent API request we need to include this cookie in the req headers.
This cookie should be validated each time in back end. passport.authorize will again make use of the cookie and check if the session is valid.
Logout session once the User logs out.
Hope I've made things clear for you.
I have a Angular + Spring boot single page web app. The server also acts as an Auth Server which issues tokens for the angular app to use to make Restful API calls.
My old login flow uses a grant_type=password POST call to the /oauth/token endpoint to get a Bearer token. And all further API calls on behalf of the user will include the Bearer token as the "Authorization" http header.
Now I need to integrate social login (facebook, twitter, etc.), which means I don't have username/password to generate tokens so I'm not sure how to make it work.
I have been using the following two tutorials as my template:
Spring Security and Angular JS
Spring Boot and OAuth
In the first tutorial's oauth-vanilla example, the username passwork login flow brings up the authorization page. But I'd like to have the traditional username/password form login experience (log user in directly instead of showing the Authorization page).
In the second tutorial, after facebook login, I'd like to use the facebook id to look up my internal user database and create a new user if not exist and logs him in as the user. And use the internal db user's identity and authorities to authorize future API calls to my API server.
I have a stripped down sample at at
https://github.com/dingquan/spring-angular-oauth
I can make POST calls to /oauth/token endpoint and use the returned token to make further api calls to my protected /api/blogs endpoint. But I haven't figure out how to make the following things work:
Username/password login that will create a session cookie so I don't need to send the Authorization bearer token for future API calls to the resource endpoint
After facebook login (the facebook login link is under the username/password login form), calls to my endpoint still fails with 401 error (I have a "test" button that makes a get call to /api/blogs, you can click on it to see the behavior). So what am I missing to make the API call succeed?
=== UPDATE ===
Just to clarify. Here are the goals I'm trying to achieve:
multiple ways of authentication (traditional username/password, third party oauth login such as facebook, possibly cellphone number + SMS code in the future)
we do need our own user model backed by DB to store other user attributes, pure social login is not enough
social login needs to be implicit. Meaning user should not be required to create a user account in our system manually once they login through a 3rd party (facebook, etc.). We're not just grabbing users' social profile data to pre-populate the registration form. We want to create new DB users automatically behind the scene if no existing db user is associated with the given external social account. i.e. if user is logged in through facebook, they don't need to enter username/password. Authentication through facebook will automatically log the user into our system as well and user should be able to access restricted resources after facebook login.
There's some confusion that I might be asking people to put their facebook username/password in a login form hosted by my app and I'll login facebook on behalf of the user. That's not what I was asking for.
You don't need such a complicated configuration. Add #EnableOAuth2Sso to your MainConfiguration and set appropriate application properties.
Here is what I have done in order to use Facebook as a authorization server.
a) Remove clientId and authServer from UserServiceImpl. Otherwise you'll be forced to configure an authorization server that is not needed.
b) Remove AuthorizationServerConfiguration completely.
c) Add #EnableWebSecurity and #EnableOAuth2Sso to your MainConfiguration.
d) Change MainConfiguration::configure to
http
.logout().logoutSuccessUrl("/").permitAll().and()
.authorizeRequests().antMatchers("/", "/login", "/home.html").permitAll()
.anyRequest().authenticated()
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
e) Delete everything else except nested class AuthenticationSecurity from MainConfiguration.
f) Change ResourceServerConfiguration::configure(HttpSecurity) to
http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated();
f) Remove attribute tokenStore and method ResourceServerConfiguration::configure(ResourceServerSecurityConfigurer) from ResourceServerConfiguration.
g) Remove configuration block security and facebook from application.yml. Instead add this
security:
oauth2:
client:
client-id: <CLIENT_ID>
token-name: oauth_token
authentication-scheme: query
client-authentication-scheme: form
access-token-uri: https://graph.facebook.com/oauth/access_token
user-authorization-uri: https://www.facebook.com/dialog/oauth
resource:
user-info-uri: https://graph.facebook.com/me
client-id: <CLIENT_ID>
client-secret: <CLIENT_SECRET>
token-type: code
h) In index.html change login to login.
i) Replace the content of hello.js with this one.
But I'd like to have the traditional username/password form login experience (log user in directly instead of showing the Authorization page).
I would never use a site that requires my credentials without redirecting me to the origin! I don't know you and you are under suspicion being a phishing site.
You should really reconsider your decision.
Btw, I created a pull request with these changes.