I am trying to get Spring Security OAuth2 set up on my application in Google App Engine. Everything seems to work fine locally, but when I deploy to App Engine things start to break down. After I authenticate through Google, it's forwarding me to a Whitelabel error page. In the console I see this error:
http://my-application.appspot.com/login?state=t…m&session_state=8b67f5df659a8324430803973b9e1726e39fd454..1ae3&prompt=none
401 (Unauthorized)
I set up my auth with this application.yml file:
```yaml
security:
  oauth2:
    client:
      clientId: client-key
      clientSecret: secret-key
      accessTokenUri: https://www.googleapis.com/oauth2/v4/token
      userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
      clientAuthenticationScheme: form
      scope:
        - openid
        - email
        - profile
        - https://www.googleapis.com/auth/cloud-platform
    resource:
      userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      preferTokenInfo: true
```
My security config looks something like this:
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed; the post shows only the method

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF token in a readable cookie so the JavaScript front end can send it back as a header
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                .antMatchers("/static/**").permitAll()
                .antMatchers("/**").hasAuthority("ROLE_ADMIN") // matches every remaining path, so anyRequest() below is never consulted
                .anyRequest().authenticated()
            .and()
            .exceptionHandling()
                .accessDeniedPage("/403");
    }
}
```
I have configured the OAuth client ID on the Google credentials page to allow authorized JavaScript origins to be:
http://my-application.appspot.com
https://my-application.appspot.com
http://localhost:8080
And the authorized redirect URIs to:
http://my-application.appspot.com/login
https://my-application.appspot.com/login
http://localhost:8080/login
Any ideas why I might be getting unauthorized errors once I deploy to GAE?
Thanks,
Craig
Your problem is about authorization; maybe you missed a step in fully authorizing the application, such as moving your client_secret.json to your working directory.
https://developers.google.com/drive/v3/web/quickstart/java#step_1_turn_on_the_api_name
Step 1: Turn on the Drive API
Use this wizard to create or select a project in the Google
Developers Console and automatically turn on the API. Click
Continue, then Go to credentials. On the Add credentials to your
project page, click the Cancel button.
At the top of the page, select the OAuth consent screen tab. Select
an Email address, enter a Product name if not already set, and click
the Save button. Select the Credentials tab, click the Create
credentials button and select OAuth client ID.
Select the application type Other, enter the name "Drive API
Quickstart", and click the Create button.
Click OK to dismiss the resulting dialog.
Click the file_download (Download JSON) button to the right of the
client ID.
Move this file to your working directory and rename it
client_secret.json.
Helpful link: GCM http 401 authorization error
I've configured Spring Authorization Server 1.0, which issues JWT tokens using the Authorization Code grant with PKCE. While I test it using Postman (please see the screenshot), I am presented with the login screen only the first time I click on 'Get New Access Token', and the token is issued successfully. When I click the button again, a new token is issued without asking the user to log in again. However, if I click 'Clear Cookies', a login screen is presented.
This is the exact problem I'm facing in my application. When the user is issued the token the first time, a login screen is presented, but after logout, on subsequent attempts no login screen is presented and the token is issued straight away. I believe in my logout flow I need to mimic what 'Clear Cookies' does in Postman, and this is where I need help. Can someone please advise how I achieve this? Any example would greatly help.
My application has react js front end and Spring boot rest APIs microservices (catalog, order, Billing etc) on the backend.
Note: Earlier I used CLIENT_SECRET_BASIC for authorization but later changed to PKCE; however, that doesn't impact the question/issue I am facing.
```java
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.CACHE;
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.COOKIES;
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.EXECUTION_CONTEXTS;
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.STORAGE;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;

@Bean
@Order(2)
public SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
    http.formLogin()
            .loginPage("/login")
        .and()
        .logout()
            // Sends a Clear-Site-Data header on logout; browsers only honour it over HTTPS
            .addLogoutHandler(new HeaderWriterLogoutHandler(
                    new ClearSiteDataHeaderWriter(CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS)));
    return http.build();
}
```
My web app, stockbets.io, uses Facebook login for OAuth. On a desktop web browser this works fine, and none of my pilot users have had any trouble signing in. When they try the exact same flow on mobile, however, we get this error:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
Here is a snapshot of my settings panel for the Facebook Login service:
This seems like it should be straightforward, but I'm at a loss as to why this works on desktop but not mobile. The expected behavior, if you'd like to test, is that you should receive a message saying that the product is in early beta but send us an email if you'd like early access. What happens currently is the above error message.
Any tips?
According to GitHub, this seems to be something related to the react-facebook-login library. According to a similar thread on GitHub, it looks like you'll just need to make sure the following props are added to your React component.
```jsx
import React from 'react';
import FacebookLogin from 'react-facebook-login';

// Rendered inside your component; the popup flow is used on mobile instead of the redirect flow
<FacebookLogin
  appId="13xxxxxxxxxxx09" // TODO: replace with your app ID
  autoLoad={false}
  fields="first_name,last_name,email,picture"
  callback={(resp) => this.responseFacebook(resp)} // TODO: replace with your callback
  cssClass="fbtn"
  disableMobileRedirect={true}
/>
```
I have a WebForms web app in which I'm integrating Azure AD SSO. I have a login sequence working OK, but the post-logout redirect is giving me a CORS error.
In my call to app.UseOpenIdConnectAuthentication() in my startup class I've got the following (actually the URI is not hard-coded but set up in the web.config):
.PostLogoutRedirectUri = "https://localhost:44370/LoggedOut.aspx"
The error is
SEC7120: [CORS] The origin 'https://localhost:44370' did not find
'https://localhost:44370' in the Access-Control-Allow-Origin response
header for cross-origin resource at
'https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44370%2FLoggedOut.aspx&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0'.
I have tried calling HttpContext.Current.GetOwinContext().Response.Headers.Add("Access-Control-Allow-Origin", {"*"}) but no change.
edit: I have the URL configured in the RedirectURIs section for the app in Azure portal.
You say you have the URL configured in the RedirectURIs section for the app in the Azure portal but it should be configured under Properties in App Registrations > My App > Properties > Logout URL
The Reply URL section should just have whatever page you want the user to get redirected to after logging in.
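The Google, Facebook and Azure threads above all come down to the same control: the provider compares the redirect URI the client sends against the list registered for the app, and rejects anything that is not an exact match (http vs https, a trailing slash, an explicit port, or a query string are all different URIs). Note that what is compared is the redirect_uri parameter the client puts in the authorization request, not the callback URL the browser finally lands on, which the provider extends with its own state, code or session_state parameters. The following Python is an added example, not code from any of the posts or from Google, Facebook or Microsoft: it performs the exact-match comparison an authorization server makes and reports which component of the URI differs from the closest registered entry. The registered list and the URIs checked are constructed; the rules (scheme and host compared case-insensitively, port, path and query compared literally, fragments always rejected) are this example's reading of RFC 6749 section 3.1.2, not any one provider's documented behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample: what the developer typed into the provider's console.
REGISTERED_REDIRECT_URIS = [
    "https://my-application.appspot.com/login",
    "http://localhost:8080/login",
]

COMPONENTS = ("scheme", "host", "port", "path", "query")


def uri_parts(uri: str) -> dict:
    """Split a URI into the components an authorization server compares.

    Scheme and host are case-insensitive (RFC 3986); port, path and query are
    compared literally, so 'https://h/login' and 'https://h:443/login' differ.
    """
    u = urlsplit(uri)
    return {
        "scheme": u.scheme.lower(),
        "host": (u.hostname or "").lower(),
        "port": u.port,
        "path": u.path,
        "query": u.query,
    }


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match check: the redirect_uri must equal one registered entry."""
    if "#" in requested:  # RFC 6749 3.1.2: redirection endpoint must not include a fragment
        return False
    req = uri_parts(requested)
    return any(req == uri_parts(r) for r in registered)


def mismatch_reason(requested: str, registered=REGISTERED_REDIRECT_URIS) -> list:
    """[] when allowed; otherwise the components that differ from the closest registered URI."""
    if redirect_uri_allowed(requested, registered):
        return []
    if "#" in requested:
        return ["fragment"]
    req = uri_parts(requested)
    best = None
    for r in registered:
        reg = uri_parts(r)
        diff = [c for c in COMPONENTS if req[c] != reg[c]]
        if best is None or len(diff) < len(best):
            best = diff
    return best


if __name__ == "__main__":
    for candidate in (
        "https://my-application.appspot.com/login",
        "http://my-application.appspot.com/login",      # app behind a proxy built an http:// URI
        "https://my-application.appspot.com/login/",
        "https://my-application.appspot.com:443/login",
        "https://my-application.appspot.com/login?state=abc",
        "https://my-application.appspot.com/login#cb",
    ):
        print(candidate, "->", mismatch_reason(candidate) or "ok")
```

Running the block prints one line per candidate with the differing component, which is the information the provider's generic "redirect URI mismatch" error withholds. Register exactly the string your application sends; with a TLS-terminating proxy in front, confirm which scheme the framework uses when it builds the redirect_uri.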
Is it possible to obtain an AAD token in Postman by letting the user sign in using the standard AAD sign-in form?
I know how to obtain token using the request to AAD (grant_type = client_credentials) but such a token does not have a UPN (user identity).
I would like to somehow type in my credentials in Postman and get the token. So it is a manual interaction; the user (me) needs to manually sign in, the same way that, e.g., Visual Studio verifies your identity.
Postman now offers the ability to "Authorize using browser." You'll need to make changes to your AAD application to support it in addition to configuring Postman.
Configure your AAD application
Add a redirect URI to your AAD application for Postman to receive the authorization code. In the AAD Portal, navigate to your app registration, then to the "Authentication" tab, then add https://oauth.pstmn.io/v1/callback as a new redirect URI. This URI was provided by Postman when you check the ✅ Authorize using browser box (below) and is also documented on their website.
Configure Postman
You can set this up under "Authorization" for a single request, a folder of requests, or a Collection. Open the "Authorization" tab and select OAuth 2.0. Under the "Configure New Token" section, enter the following information:
Token Name: anything you want. I chose the name of the AAD application.
Grant Type: Authorization Code (With PKCE)
Callback URL: check the ✅ Authorize using browser box
Auth URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 authorization endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize
Access token URL: copy this from the AAD portal under Overview > Endpoints (on top bar) > OAuth 2.0 token endpoint (v2). Mine looks like https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
Client ID: copy this from the AAD portal under Overview. It's also commonly referred to as an "Application ID" and is a GUID.
Client Secret: leave blank (not used by this grant type)
Code Challenge Method: SHA-256
Code Verifier: leave blank or provide your own
Scope: the scopes you're requesting in your token, separated by spaces
State: leave blank or provide a value such as a random GUID.
Client Authentication: Send as Basic Auth Header (not used by this grant type)
Refer to Postman's documentation on OAuth 2.0 options for more information.
Get a token
Click Get New Access Token to open the auth flow in your machine's default web browser. After authentication, it should redirect back to the Postman application and a new token will be created with the name you provided earlier for "Token Name." Select "Use Token" in the top-right corner of the popup to copy it into your current token. If the token expires and your requests start failing authorization (probably a 401 or 403 error), you can revisit this tab and get a new access token.
Occasionally, you may want to visit Current Token > Access Token > Manage Tokens > Delete > Expired tokens, otherwise you'll be inundated with nearly-identical tokens.
Postman cannot pop up the sign-in page, as it only does HTTP requests. As you stated, it can do confidential client flows.
What you could do is hand-construct an auth request, sign in, and grab the auth code. Then take that auth code and drop it into the Postman authorization form, and let it hit the Azure AD token endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/token
The Azure AD protocol reference will be super helpful for you.
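The Postman settings listed in the first answer (Authorization Code with PKCE, S256, a state value, an empty client secret) and the "hand-construct an auth request" suggestion in the second are the authorization code grant of RFC 6749 with PKCE from RFC 7636. The following Python is an added example, not Postman's or Microsoft's code: it plays both sides of that exchange offline. The client generates the verifier and S256 challenge, builds the authorize URL and later exchanges the code; a toy in-memory stand-in for the AAD authorize and token endpoints stores the challenge with the code and checks the verifier, the redirect_uri and single use of the code. The endpoint URLs are the placeholders from the answer (with <tenant> left as written), the client ID is a made-up GUID, and the toy server skips the real user sign-in.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders from the answer above; nothing here is contacted over the network.
AUTH_URL = "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # made-up application (client) ID


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 mandates for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce():
    """Return (code_verifier, code_challenge): 32 random bytes -> 43-char verifier, S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, scope: str = "openid profile") -> str:
    """The request Postman sends to the Auth URL when you click Get New Access Token."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params)


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class ToyAuthorizationServer:
    """In-memory stand-in for the authorize and token endpoints (no real sign-in)."""

    def __init__(self):
        self.codes = {}  # code -> (code_challenge, redirect_uri, client_id)

    def authorize(self, authorize_url: str) -> str:
        """Issue a code bound to the challenge; returns the redirect the browser would follow."""
        q = _query(authorize_url)
        assert q["response_type"] == "code" and q["code_challenge_method"] == "S256"
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["code_challenge"], q["redirect_uri"], q["client_id"])
        return f"{q['redirect_uri']}?code={code}&state={q['state']}"

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is single-use and must come with the matching verifier."""
        entry = self.codes.pop(form.get("code"), None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, redirect_uri, client_id = entry
        if form.get("redirect_uri") != redirect_uri or form.get("client_id") != client_id:
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            return {"error": "invalid_grant"}  # verifier does not match the challenge sent earlier
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: ToyAuthorizationServer, tamper_verifier: bool = False) -> dict:
    """Full client side: PKCE pair, authorize, state check, code exchange."""
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    redirect = server.authorize(build_authorize_url(challenge, state))
    q = _query(redirect)
    if q.get("state") != state:  # the client's CSRF check on the callback
        return {"error": "state_mismatch"}
    form = {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": "not-the-real-verifier" if tamper_verifier else verifier,
    }
    return server.token(form)  # in reality an HTTP POST of this form to TOKEN_URL


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer()))
    print(run_flow(ToyAuthorizationServer(), tamper_verifier=True))
```

Because the verifier never leaves the client until the token request, a code intercepted from the callback is useless without it, which is why no client secret is needed for this grant; the code is also consumed on first use, so a replayed exchange fails with invalid_grant.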
I think if you're wanting to quickly generate Access Tokens your best bet is to pick a framework/language and build a lightweight app that gets and logs tokens. Azure AD has a Python Flask sample for the v2 endpoint that takes 5 minutes to setup and could be converted to printing out access tokens. If you want to use v1, you can checkout the list of samples at the Azure AD developer guide.
So I am trying to set up Okta as an identity provider, and I want to log in to an application using the Service Provider initiated workflow. I've set up the template SAML 2.0 application in Okta and set up the entry point and SAML certificate on the Service Provider. The Service Provider initiates the workflow just fine; a popup opens with the Okta login dialogue. But once the login is complete I am taken into the Okta portal with a list of my apps. What should be happening is a redirect back to the Service Provider so that it can use the userID to log in the user there.
I followed the instruction here for setting up the IdP https://support.okta.com/entries/23364161-Configuring-Okta-Template-SAML-2-0-application
Here is what my config in Okta looks like
Application Label: App Name
Force Authentication: no
Name ID format: EmailAddress
Recipient: https://serviceprovider.com/_saml/validate/okta/
Audience Restriction: https://serviceprovider.com/
authnContextClassRef: Password Protected Transport
Destination: https://serviceprovider.com/_saml/validate/okta/
Response: signed
Assertion: signed
Request: uncompressed
Default Relay State: Leave blank since we are only doing SP initiated workflow
Post Back URL: https://serviceprovider.com/_saml/validate/okta/
Attribute Statements: none
Group Name: leave blank
Group filter: leave blank
I don't see any errors in the Okta portal or in the Okta administration panel, so I can't figure out why it is not completing the workflow and redirecting back to the SP.
Is there a place in Okta to see any errors that might be getting thrown by the process?
Anyone know what might be up?
I had a similar problem a while back. In my case, the "Request" was set to "compressed". Changing it to "uncompressed" solved the issue. But in your case I see it is already "uncompressed"...
However, try to contact Okta's support; they can help you out.
The answer is different depending on the type of SAML HTTP BINDING used for the SAML Authentication Request.
For HTTP Redirect Bindings you need to set the Okta Request to "compressed".
For HTTP POST Bindings you need to set the Okta Request to "uncompressed".
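The compressed/uncompressed setting in the last answer maps directly to the two SAML 2.0 bindings: the HTTP-Redirect binding (SAML Bindings 3.4.4.1) carries the AuthnRequest in the query string as raw DEFLATE, then base64, then URL-encoded, while the HTTP-POST binding (3.5) carries it in a form field as plain base64 of the XML. An IdP told to expect one encoding cannot parse the other. The following Python is an added example, not Okta's code or the poster's SP: it encodes a constructed minimal AuthnRequest both ways, decodes each, and classifies an incoming SAMLRequest value as compressed or uncompressed so that a mismatch between the SP's binding and the IdP's "Request" setting produces a clear error instead of a silent failure. The AuthnRequest, the SSO URL and the endpoint values are made up; the Okta SSO URL in particular is a placeholder.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed minimal AuthnRequest; the endpoint values echo the question but are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_abc123" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://example.okta.com/app/example/sso/saml" '
    'AssertionConsumerServiceURL="https://serviceprovider.com/_saml/validate/okta/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://serviceprovider.com/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml: str, sso_url: str, relay_state: str = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: base64 of the XML itself, sent as a SAMLRequest form field, not compressed."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def extract_saml_request(url: str) -> str:
    """Pull the (already URL-decoded) SAMLRequest parameter out of a redirect-binding URL."""
    return parse_qs(urlsplit(url).query)["SAMLRequest"][0]


def detect_binding_encoding(value: str) -> str:
    """Classify a SAMLRequest value: 'uncompressed' (POST), 'compressed' (Redirect) or 'invalid'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except Exception:
        return "invalid"
    if raw.lstrip().startswith(b"<"):
        return "uncompressed"
    try:
        zlib.decompress(raw, -15)
        return "compressed"
    except zlib.error:
        return "invalid"


def decode_saml_request(value: str, binding: str) -> str:
    """Decode for the given binding ('redirect' or 'post'); raise if the encoding does not match it."""
    expected = "compressed" if binding == "redirect" else "uncompressed"
    actual = detect_binding_encoding(value)
    if actual != expected:
        raise ValueError(f"{binding} binding expects a {expected} SAMLRequest, got {actual}")
    raw = base64.b64decode(value)
    return (zlib.decompress(raw, -15) if actual == "compressed" else raw).decode("utf-8")


if __name__ == "__main__":
    sso = "https://example.okta.com/app/example/sso/saml"
    url = encode_redirect_binding(AUTHN_REQUEST, sso, relay_state="/after-login")
    print("redirect binding ->", detect_binding_encoding(extract_saml_request(url)))
    field = encode_post_binding(AUTHN_REQUEST)
    print("post binding     ->", detect_binding_encoding(field))
    try:
        decode_saml_request(field, "redirect")  # IdP set to 'compressed' receiving a POST-style request
    except ValueError as err:
        print("mismatch:", err)
```

If the SP sends via HTTP-Redirect, the SAMLRequest parameter classifies as compressed and Okta's Request setting must be "compressed"; a form-posted request classifies as uncompressed and needs "uncompressed". The classifier only looks at the encoding; signature verification and the Destination, Issuer and AssertionConsumerServiceURL checks still apply on the real IdP.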