I am currently developing a web application that has separate API and Front end.
For production purpose, I wish to develop the web app locally while hosting the API on the remote server.
The issue is the API is behind a SAML authentication along with Mod Auth in second stage.
Using postman and wget I am able to access the API endpoint by adding a auth_tkt cookie in the request.However I am unable to access the same using AJAX.
I need help in executing the same.
Just to help anyone else facing similar problem. The solution to this problem is using chromium with disabled security. It sends your session cookies along with the request. Also there is no problem of CORS that was coming in picture before.
Related
I am having a bit of a problem here.
I have Keycloak where I have enabled CORS (value '*') and I can call endpoint:
/auth/realms/master/protocol/openid-connect/token
from Postman, where I get response with access token and other stuff, but when I try to call that endpoint from my React application, I get CORS error:
I don't get why, since I have set '*' value for Web Origins in that client.
Is this a Keycloak bug, or am I missing something trivial?
Do you have the address 'http://localhost:3000/*' added on the Valid Redirect URIs keycloak config?
I have fixed this issue by creating Web API project in .NET Core (this could be done in any other technology). I have setted CORS policy in my project to allow any domains and then I make direct calls to Keycloak endpoints from .NET Core project. Besides fixing this issue (since .NET Core Web API project is not a browser application, this is working like a charm), this adds another security layer to the Keycloak by hidding client information that is only accessible from .NET Core application. Information like client_id and client_secret are not visible from browser application and no one can do any damage to my clients in Keycloak.
I'm implementing login functionality on my site and I'm running into some problems when sending jwt tokens as cookies.
When the user logs in on the frontend, a POST request is sent with "credentials: 'include'" (I'm using fetch) to my backend API, which returns a jwt token if the login was successful. This all works fine, and I can see the cookie in chrome dev tools, and performing actions that require authentication work fine.
However, when I refresh the site, the jwt cookies disappear. I have ruled out errors with expiration. Through experimentation I've figured out that the domain is the problem. The cookie's domain is "127.0.0.1" from the locally hosted instance of the API, which is different than the domain of the locally hosted website. If I manually change the domain of the cookie to the same as the website, the cookie doesn't disappear.
But that does not solve my problem permanently, as the backend API is hosted on a different domain than the frontend. I've been reading up on cross-domain requests but I'm not sure how to proceed from here. I control both the frontend and the backend, but I'm starting to wonder if I might be going about this the wrong way? Would the simplest solution be to host my api on, say 'api.mydomain.com' instead?
my ignorance is shining brightly on this one. I have a Web App that uses the MEAN stack (Mongo, Express, Angularjs, Nodejs) and some of the functionality is lackluster on mobile devices. So I'm developing a mobile version of the app on the Appgyver Supersonic platform. The Appgyver framework is based on an Angularjs front-end.
So I was hoping to just use the same Express/Nodejs server that I have running for the Web App and make queries/requests from the mobile app. Authentication is my current challenge. I assumed that I could send the username and password via a POST request and sign in and create a new session. I can sign in but I can't get access to the session cookie connect.sid so my next request has no session data with it.
TLDR; I have an Angular app that is on a different server than my Express/Nodejs back-end. I wish to authenticate the Angular app but can't figure out how to access the connect.sid cookie.
Since this never got any traction and I found what I think is a 'workable' solution I figure I'll answer my own question. If you see that I'm doing something really stupid here, please let me know.
When I login my client to the server, I respond with a session token. I store that same token on the User profile in Mongoose. I store the token on the mobile device using localStorage.
Whenever I send a request to the server I send the token with it, and have the Server check to see if the token matches the User token - if it does, I grab the User Profile data and assign it to req.user; which then seems to make the back-end operate properly.
Any major security concerns?
I'm using phonegap and I want to set up google oauth for mobile and web (e.g. desktop chrome) with the same code. The end result should be an app engine cookie on the client side (whether it is the inapp browser or a desktop browser).
Since I don't want my users to do the consent screen more than once, I need a refresh_token and not just an access_token. (also I've noticed that the cordova webview doesn't have access to cookies like the regular browser)
As I understand, a refresh_token can only be received if you're doing the protocol recommended for web servers, meaning first obtaining the code, then using it to obtain the access_token and refresh_token.
When I'm authenticating in this way, the protocol requires that I send the received code to google to receive the access token, but this is a cross domain request and is blocked on desktop browsers.
How can this be conveniently solved? What is the correct way to achieve the end result?
I crudely solved my problem using my server as a mediator for the cross-domain post requests.
So the flow works like this: I get an authentication code using a pop up window. Then the user enters the code and my javascript sends it to my server. Then the server sends a request for access_token and refresh_token to google, and sends it back to the user.
Seems to work well for now, and not very complicated.
I'm plan on deploy a Java application to Google AppEngine and use federated login (still experimental according to Google). The application is pretty simple Java EE application which expose RESTful interface for simple CRUD operations.
I then want to be able to authenticate to this application using Windows Client Application written in C#.
I think the application should be able to open a window with a browser in ti which will present the login page of my web application and after successful authentication I should be able to get the login token or a cookie to use in the rest of my HTTP requests.
Is it possible to do such thing using federated login? I've found a post explain how to do it using google proprietary login.
Thank you,
Ido.
I've manage to make this work much easier then I thought it would be.
When I send HTTP request to my web service I get 302 Found response with response header name Location which point to the login page.
I use WebBrowser control, register to it Navigated even and navigate to the URL in the Location header.
When the Navigated even fire I use the code from this answer to get the cookies container.
I check each cookie until I find one with the name ACSID and store it.
For every web request to my service I add cookie name ACSID with the value saved at step 4.
This is not the most secure way of doing this. I will add check for the domain of the cookie but this looks good.