My main domain is and it's developed using Drupal 7. My second domain is and it's a non-Drupal site, developed with AngularJS, HTML and CSS.
Now I want to use Drupal user authentication for all my subdomain apps.
For information:
I am using jDrupal, so I can collect all non-authenticated data like node information and taxonomy information. But I can't collect the current logged-in user's information.
I googled a lot, but everybody says "Although I have never tried either in a subdomain, I know others have done it."
Nobody can help clearly, so I am asking here to get an actual solution to my problem.
Waiting for answers.
This is what I would do:
Create a module with a route that receives 2 parameters, username & password, and returns whether the login was correct. See user_authenticate() in user.module (Drupal 7.x API).
Send the login information (server side) with something like cURL and get the login result.
And that's it :)
PS: Tell me if you need more detail.
I have a bit of a problem with the authentication on a Sitecore website. Basically there is a button on the navbar, and when the user clicks on the button, it redirects the user to Salesforce to log in (an implementation of SSO). Basically I am using Salesforce as an identity provider and the Sitecore website as a service provider. Now I have a question: when the user is logged in, how can I get the ID of that user?
Do users in the Sitecore User Manager have the same ID as the users in Salesforce, or can I just get an email to identify the user?
P.S.: Sorry if this is a really stupid question, but I am a beginner when it comes to making Sitecore websites and SAML SSO. Thank you in advance.
Stop with the Sitecore and Salesforce for a second; you'll need to cover some basics and click through the login process manually before you automate it.
You probably are using a "connected app" in Salesforce that includes OAuth2 config (consumer key, also known as client id; a secret; a list of scopes telling what this app is allowed to do on behalf of this SF user; a list of allowed URLs that can log in using this consumer key and secret; etc.). It might even have something about Canvas Apps at the bottom of the page.
Next would be: who's logging in? A core Salesforce user, or do you have a Partner Community or Customer Community (recently rebranded to "Digital Experiences")?
Open an incognito window and go to
For the login host, leave it as is if you have a production user, or if you go from a sandbox (you can also use branded URLs, etc.). If you have a community user you'll have to change the URL to whatever the community base URL is, like
Don't change anything else; click next, next, next. This will take you through the OAuth2 "web server flow" (one of many ways to log in). You type the username/password into the SF screen and go back to that herokuapp with an "authorisation code". The app has a few minutes to swap that code for the actual final "access token" and a couple of other pieces of info. The final step in this wizard calls OpenID "userinfo", returning some info about the user that logged in. That's where you could pull the email if needed (and if there are extra fields you'd like SF to return in this process, that's configurable too).
Close that browser window. Check the "connected app" in SF. Open a new incognito window and do the same thing, but this time put in your URL, consumer key and secret (you might have to edit the app in SF first to allow callbacks to
So now you should have a rough idea about the whole login process. Your Sitecore app probably does the same thing: receives an authorisation code and exchanges it for the final token. At that point you have a valid SF session ID you could use to call that "userinfo", run queries (if the app allows API access; check the "scopes"), etc.
I doubt the Sitecore developer created it all by hand; you probably have some Spring stuff like
My Java days are long gone, but if you get better at manually clicking through the flow you should be able to follow the existing code?
It's a big topic and there are other ways to do it (other OAuth flows; sending info about the current user when you have an external page embedded in SF as an iframe, for which you'd need to read about "canvas apps")... but that's my best guess based on the info you provided. You might want to check some Trailhead courses too, like (Java, but very hand-crafted raw HTTP; probably that Spring Security is better).
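The four steps the answer above walks through (authorize redirect, callback with code, server-side code exchange, userinfo call), written out as an added example; this is not the Sitecore site's code or anything from the answer. It is plain Python with no HTTP library: `FakeSalesforce` is a constructed stand-in for the login host (fake consumer secret, fake user record, fake registered callback) so the exchange runs offline, while the endpoint paths are Salesforce's documented OAuth2 ones. The function names and the use of `state` are this example's own.

```python
import hmac
import secrets
import urllib.parse

# Salesforce's documented OAuth2 / OpenID Connect endpoints on the login host.
AUTHORIZE_PATH = "/services/oauth2/authorize"
TOKEN_PATH = "/services/oauth2/token"
USERINFO_PATH = "/services/oauth2/userinfo"


def build_authorize_url(login_host, client_id, redirect_uri, scopes, state):
    """Step 1: the URL the browser is sent to. `state` is a random value the
    app keeps in the user's session so the callback can be tied to this request."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return login_host + AUTHORIZE_PATH + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: SF redirects back to redirect_uri with ?code=...&state=...
    Refuse the callback unless state matches the stored value (CSRF / login
    fixation), and surface an error response instead of treating it as success."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not issued for this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def exchange_code(http_post, login_host, client_id, client_secret, redirect_uri, code):
    """Step 3: server-to-server swap of the short-lived code for an access token.
    The consumer secret never reaches the browser, and redirect_uri must repeat
    the step-1 value so a code captured elsewhere cannot be redeemed here."""
    form = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}
    token = http_post(login_host + TOKEN_PATH, form)
    if "access_token" not in token:
        raise ValueError("token exchange failed: " + str(token))
    return token


def fetch_userinfo(http_get, login_host, access_token):
    """Step 4: OpenID Connect userinfo with the bearer token; the email / user_id
    fields in the response are what identify the logged-in user."""
    return http_get(login_host + USERINFO_PATH, {"Authorization": "Bearer " + access_token})


class FakeSalesforce:
    """Constructed stand-in for the login host so the example runs offline.
    It hands out a single-use code and only honours the right consumer secret
    and a registered callback URL, like a real connected app."""

    def __init__(self, client_secret, allowed_redirects):
        self.client_secret = client_secret
        self.allowed_redirects = set(allowed_redirects)
        self.issued_code = None
        self.issued_token = None

    def authorize(self, authorize_url):
        # The user types credentials on SF's screen; SF then sends the browser
        # back to redirect_uri carrying the code and the echoed state.
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(authorize_url).query)
        redirect_uri = q["redirect_uri"][0]
        if redirect_uri not in self.allowed_redirects:
            raise ValueError("redirect_uri not registered for this connected app")
        self.issued_code = secrets.token_urlsafe(16)
        back = {"code": self.issued_code, "state": q["state"][0]}
        return redirect_uri + "?" + urllib.parse.urlencode(back)

    def post(self, url, form):
        if (url.endswith(TOKEN_PATH) and form.get("code") == self.issued_code
                and form.get("client_secret") == self.client_secret
                and form.get("redirect_uri") in self.allowed_redirects):
            self.issued_code = None  # codes are single use
            self.issued_token = secrets.token_urlsafe(24)
            return {"access_token": self.issued_token, "token_type": "Bearer",
                    "instance_url": "https://example.my.salesforce.com"}
        return {"error": "invalid_grant"}

    def get(self, url, headers):
        if (url.endswith(USERINFO_PATH) and self.issued_token
                and headers.get("Authorization") == "Bearer " + self.issued_token):
            return {"user_id": "005FAKE000000001", "email": "jane@example.com"}
        return {"error": "invalid_token"}


def run_flow(sf, login_host, client_id, client_secret, redirect_uri):
    """Drive all four steps against `sf` and return the userinfo document."""
    state = secrets.token_urlsafe(16)  # would live in the server-side session
    url = build_authorize_url(login_host, client_id, redirect_uri, ["openid", "email"], state)
    callback = sf.authorize(url)  # browser round trip through SF's login screen
    code = parse_callback(callback, state)
    token = exchange_code(sf.post, login_host, client_id, client_secret, redirect_uri, code)
    return fetch_userinfo(sf.get, login_host, token["access_token"])


if __name__ == "__main__":
    cb = "https://sitecore.example/oauth/callback"
    info = run_flow(FakeSalesforce("s3cr3t", [cb]), "https://login.salesforce.com",
                    "consumer-key", "s3cr3t", cb)
    print(info["email"], info["user_id"])
```

Against a real org the two `http_post` / `http_get` callables would wrap an HTTP client; everything else stays the same. The `state` check is the part the herokuapp wizard hides from you and the part a Sitecore callback handler most often gets wrong.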
I want to navigate back to an Angular application after logging in through Azure AD. The reply URL I want is:
I tried escaping the #:
Is there any way to make Azure AD redirect to a URL with a hash?
For anyone else looking for the answer, this appears to be a known bug:
Thomas has created a feature request for this in User Voice and I have created a work item for the product team to confirm whether or not there is a workaround for this. (I will update the thread if the answer changes.)
I'm seeing something weird that I've not run across before. I've got a web app, and I redirect in that web app to Azure AD to get a code that I can exchange for an access token. I've done this many times before, so I'm just reusing the same code. I've created my app registration in Azure, just as I've done many times before. The problem is this: normally I can just put a host name for a Reply URL in the app configuration and then Azure AD is fine redirecting anywhere on that host.
For example, if I want to redirect to https://foo/users/processcode, I can normally just put a Reply URL of https://foo and it all works fine. In this one case, it says "'https://foo/users/processcode' does not match the reply addresses configured for the application blah". If I put in the fully qualified path for the Reply URL then it works, but for a variety of reasons that are beyond the scope here I don't want to do that.
So I'm not following why it might have a problem in this case. Wondering if anyone has seen this or knows why this might be an issue all of a sudden.
The Redirect URL / Reply URL has to match the exact page you want to be redirected to. You can add multiple redirect URLs to your application registration if you want to redirect to different pages in your web site, or your web page could do the redirection for you.
Another option is to add a * in a redirect URL as well (*), but this only works with non-converged applications.
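An added example (not from either answer, and not how Azure AD itself is implemented) of the two points made in this thread and the hash-URL thread above it: an exact-match check for redirect URIs, under which a registered `https://foo` does not cover `https://foo/users/processcode` and a reply URL with a `#` fragment cannot be registered at all, plus the "let your web page do the redirection" pattern, where one callback is registered and the real in-app destination (a hash route like `/#/dashboard` included) travels in `state`. The HMAC-and-nonce layout of `state`, the function names and the key are this example's own choices; the non-converged wildcard option is not modelled.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


def is_registrable(reply_url):
    """A reply URL must be absolute and must not carry a fragment: browsers never
    send '#...' to the server, so an IdP could never match it."""
    parts = urlsplit(reply_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and not parts.fragment


def _canonical(url):
    # Scheme and host are case-insensitive (RFC 3986); path and query are
    # compared byte for byte, so '/users/processcode' != '' and '?a=1' != ''.
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def redirect_uri_allowed(requested, registered):
    """Exact-match policy: the requested redirect_uri must equal one registered
    reply URL in full. No prefix or host-only matching, which is what the old
    behaviour allowed and what open-redirect / code-theft tricks rely on."""
    if urlsplit(requested).fragment:
        return False
    want = _canonical(requested)
    return any(_canonical(r) == want for r in registered if is_registrable(r))


def make_state(secret, return_to):
    """Register a single callback and carry the real destination in `state`.
    return_to must be an in-app path ('/...' but not '//host' or anything with a
    backslash) so the callback handler cannot become an open redirect. The
    payload is MAC'd, and a nonce stored in the session ties it to this login."""
    if (not return_to.startswith("/") or return_to.startswith("//")
            or "\\" in return_to):
        raise ValueError("return_to must be an in-app absolute path")
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"n": nonce, "r": return_to}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    state = base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")
    return state, nonce  # keep `nonce` in the server-side session


def parse_state(secret, state, session_nonce):
    """Validate the state echoed back by the IdP and recover the destination.
    Raises ValueError on a bad MAC, a nonce from another session, or garbage."""
    raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(secret, payload, hashlib.sha256).digest()):
        raise ValueError("state tampered")
    data = json.loads(payload)
    if not hmac.compare_digest(data["n"], session_nonce):
        raise ValueError("state does not belong to this session")
    return data["r"]


if __name__ == "__main__":
    registered = ["https://foo/signin-oidc"]
    print(redirect_uri_allowed("https://foo/users/processcode", registered))  # False
    print(redirect_uri_allowed("https://foo/signin-oidc", registered))        # True
    print(is_registrable("https://foo/#/dashboard"))                          # False
    key = secrets.token_bytes(32)
    state, nonce = make_state(key, "/#/dashboard")
    # After the IdP calls back to /signin-oidc, the app itself issues
    # Location: /#/dashboard, which is why the hash never needs to reach Azure AD.
    print(parse_state(key, state, nonce))
```

The callback handler should only ever redirect to what `parse_state` returns, never to a `return_to` taken straight from the query string; the path check in `make_state` is what keeps the registered callback from being turned into an open redirect.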
I have IdentityServer 4 set up and my ASP.NET Core app working with it. If you hit a secure endpoint it redirects to IdentityServer and you can log in. Once you log in, it then redirects back to the URL you were originally trying to access. What I would like to do is check that you have registered in my database before you get redirected. I thought that I could change 'RedirectUris' to a URL of my choice, but when I do that it has no effect. A breakpoint on that endpoint is never hit. What do I need to do in order to set up a post-IdentityServer-login registration screen?
Is this the right way of doing it?
If I understand your problem correctly, you want to get the user details in your application.
The IdentityToken contains the user name if you include the Name scope.
If it is a web application then you may find the name on ((System.Security.Claims.ClaimsIdentity)User.Identity).
You can also add claims as you need, like userid, role, etc.
Should each client have to 'register' a user with my API specifically?
What's the norm?
It depends on your requirements and what you are requesting. In my case the user must have an allowed scope to access the API.
I'm playing with the oauth2client.appengine OAuth2Decorator and it interjects its own screen asking for an email address:
The URL is
I'm guessing that its intention is to mock being different users during development? But that leaves some questions:
Does it only appear on the dev server?
Do I have to do anything to make it go away when deploying to production, or is that magic?
How do I turn it off for development?
What does it actually do?
If the user is being redirected to an OAuth consent page nonetheless, what's the point of this?
As you can see, I just don't get it. I do see that it gives my get_current_user() a result: a user instance with the email address that I submit.
I recognise that this is effectively the same question as "How to Bypass Local Login Screen with Oauth2 and GAE", which seems to conclude that the whole oauth2client library is fairly useless and it is best that we all go off and write our own authentication flows? Seriously?
If that's the state of things, alternative suggestions are welcome (in the comments). My workflow is to send the user off to be granted permissions via Google's OAuth so my web app can proceed to do stuff on their behalf.
If you want to use the get_current_user() that is provided by Google you can't really avoid it, and it is actually something very useful. If you want to do your own authentication stuff then just don't use it and you won't be redirected to /_ah/login.
In short, this is just to simulate the actual Google login locally. It would be a huge mess to log in to your actual account while in development mode, and it would be really hard to simulate multiple users. That code is not executed online; instead you are redirected to Google for approval.