I have an Azure AD Application that is written in Angular 2. The application is working fine as I can login against AD and get access tokens back. However the issue is that I am getting a consent request every time I login. Here is what the request looks like
"https://login.microsoftonline.com/" + this.tenantId + "/oauth2/authorize?" +
"response_type=id_token+token&" +
"response_mode=fragment&" +
"client_id=" + this.clientId + "&" +
"redirect_uri=" + encodeURIComponent(window.location.href) + "/&" +
"scope=openid&" +
"state=" + this.state + "&" +
"resource=" + encodeURIComponent(this.appuri) + "&" +
"nonce=" + this.nonce;
This send me to the Azure Login Screen with the consent dialoag like so
I click accept and am directed back to where I want to go and everything is great. If I login again, I get the same prompt. What step do I need to take on the Azure AD side to store the consent of the user?
Is it something in the manifest?
The consent screen you are seeing is the "admin consent screen" which should only appear if you pass "prompt=admin_consent" as a query string for the login url.
At the same time, if you pass this query string, you will be prompted to consent to the application each time. Instead, you want to make sure that you only pass this query string one time (the first time a user uses the app) and once it has been consented, make sure you are not passing any "prompt" query strings.
I hope this solves your problem!
Related
I'm using Next js to create my project, and I have created a custom signup form in it. In here I'm getting email and password of the user and them I'm sending an otp on user's email. after varifieng user I want to store his data.
I want to use session for this, but I'm not getting any good way to create session in Next js
How can I do that?
What I have done to solve this is used browser cookie to store the token, as cookies allows expiry option.
let today = new Date();
today.setHours(today.getHours() + 1);
document.cookie = "User_Token=" + userTokenValue + ";expires=" + today +
";domain=https://www.example.com";
When I use graph API withinh POSTMAN in order to add a guest user to a group I process as follow :
Add the /invitations endpoint to add my user ( I do not use email invitation)
Then I can see from my AD users that it has been added properly
Next I user the /groups/{Group ID}/members/$ref to add the created users in step 1
Then I can see from my AD that users has been added to group right a way
Then this exact steps, I add it in a script that is executed at a dedicated time as follow: 1. use the /invitations endpoint to add my user and Send an invitation by email 2. The return userID by first call is then used to add right away the user to the group by using the /groups/{Group ID}/members/$ref endpoint with body set as
{ "#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userID}" }
Then response to add user to group is successfull
Then what is strange is that when I check in my AD , I can see the user which has been created BUT I do not see that user as a member of the group it has been added. It is not displayed while no error was return during the API call
Does it means it takes some time to get it visible ? Does it means that user need to validate the invitation before it is added to the group ?
Thanks for your help
regards
That was my mistake,
I get a scrip flag error which prevent the api to complete
I'm trying to authenticate with spotipy using Authorization Code Flow like this:
token = util.prompt_for_user_token(username, scope, client_id=client_id,
client_secret=client_secret,redirect_uri=redirect_url)
When I assign any string to "username", I'm asked to authenticate the request in a browser which is popping up; everything works fine.
When I set a different string to "username" before running my code a second time, the authentication is done against the previously authenticated username (which is still authenticated in the browser session); just as if the value of "username" is not taken into account at all.
Also, I seem to be able to set any arbitrary value to "username" like "pipapo"; when I login to my Spotify account (which isn't "pipapo", obviously) this one is authenticated and methods like current_user_saved_tracks() do get the resources of the account authenticated instead of "pipapo".
Anyways: The access_token and refresh_token are saved to the cachefile .cache-pipapo; thus saving the credentials of the "who-ever-logged-into-the-browser" to the file named after the "wrong" account.
So: What is this parameter good for then, if ultimately the user's interactive selections are responsible for what the code is doing? And why is this even a required parameter if more or less not utilized in the auth process?
I just had a look at spotipy/util.py myself, how def prompt_for_user_token(...) is designed and what parameter "username" is used for; indeed, it is used for defining the caching file name only to hand it over to oauth2.SpotifyOAuth() like so:
cache_path=".cache-" + username
So, you can use any value here; it does not need to be the correct username, necessarily.
I have security working fine in an application, except when a user tries to login with a '+' in their email.
The access token looks fine (when the email contains a + it looks like this):
Bearer 8BGpt_KkEp-_6U5tUdKqK1xLCQBaWzHcxDT9RRKkbzoF2fHCUNhRL3U-fpLdQIuSXm8RcTOH4ZY3a0UZH6-6IgXxx_ojgyL26179JovRm5xQSZD7ANxLvvdU3ubfcpzSr4tw-sza37UaJh7xDFB8eH0NA9Djt7Ik8Ebxdin7u-n76InCulRAV6xMWgXfF9bwoU8MsV3lrh_zhnxYGnx3O7QUNQ740NUJLHJYH12rBth16CA1AXSF86rA5rUB7vJ7yK09k_FJTifyuldTeFHJHsyscnEIQxGozbf3x1cmZowkiK4Q1r8W0M8uz25m8j_tuMrWawTqYJNZiTuI9afW38WWQ4BRLkQF7TwoMOgZQ-f1K_3W8Zy3x-OsKdQS4i9CapvKe1utCscZVroByvyD9SvpILGiZGTjGD_zCAm8KerMPT5GNOb07kPGV_167PHEXm0TGaJbCelb5gLgXbMXv3GxBQLnYIfPUXCBaKx4UFkY8kFMPs9MxFcGY81p67rfnjeswBZ3PW6fDFTf9U_I8g
However, when I try to send a secure request with this access token, I get the response:
status: 401
"{"Message":"Authorization has been denied for this request."}"
As said above, it works without any issue if I remove the plus. This seems to be a Wep API issue rather than an Angular issue.
I found that the methods encodeUrl and decodeUrl to not stop the space from being change to a plus. I have tried the following in the c# code to switch the space to a plus:
var registerEmail = model.email.Replace(' ', '+');
This is used in both the login and register actions.
Perhaps it is not possible to use a + in an email in OAuth in Web API 2?
It seems to be a bug in asp.net roles. I am not sure of a clear solution. However, for the time being, encoding the username as follows before storing it on register and when logging in:
public static class UsernameEncodingService
{
public static string returnEncodedUsername(string email)
{
var emailAsLower = email.ToLowerInvariant();
var encodedEmail = Base64Encode(emailAsLower);
var encodedEmailWithoutEquals = encodedEmail.Replace("=", "213");
var encodedEmailWithoutPlus = encodedEmailWithoutEquals.Replace("+", "214");
return encodedEmailWithoutEquals;
}
private static string Base64Encode(string plainText)
{
var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
return System.Convert.ToBase64String(plainTextBytes);
}
}
I'm creating an authentication system for a group of websites. The problem is that I have to use a pre-existing Database, which has a users table already full of entries, and that one user can have several accounts. Basically, a user has one account per website he has access to (it's not the best way to do this, but I can't change it). Each account is represented by an entry in the users table, with login, password, name... and the important field: website_id. This field tells the system what website that account has access to.
The big problem is that some users with more than one account have the exact same login/password information for all of them. For example, one user has 3 accounts:
account1: login = charly / pwd = 1234 / name = Charles ... website_id = 1
account2: login = charly / pwd = 1234 / name = Charles ... website_id = 2
account3: login = charly / pwd = 1234 / name = Charles ... website_id = 3
So if he goes to the website that has id = 2 and uses those credentials, he's granted access. If he goes to the website that has id = 4, he's denied access.
My problem is that since CakePHP does the login automatically, when a user tries to login, CakePHP checks only the first entry in the Database that matches the login/password submited in the form. So if a user is currently in the website with website_id = 3 and tries to login, Cake finds the first entry (account1), compares its website_id (1 in this case) to the current website's id (3), and since they're different, the access is not granted, but it should. _Please note that the comparison of the website_id vs the account's website_id is already being made manually in the login() function_.
This how the login() function looks like now:
function login() {
$userInfo = $this->Auth->user();
if ( isset($userInfo) ) {
if ($userInfo['User']['website_id'] == $this->website_id) {
//Users gets access to a website that he has an account for
}
else {
//User is denied access because his account is not registered for the current website
$this->Session->destroy();
$this->Session->setFlash(__('You don't have access to this website', true));
$this->redirect($this->Auth->logout());
}
}
}
What I would like is to be able to manually authorize the access to the current website by using the login/password submitted by the user to manually search in the users table, and if I find a match in one of the user accounts, grant the access, or otherwise deny access. To sum up, avoid all the automagic of Auth's component.
If the Auth component's login method fails, control is transferred back to the custom login action (e.g. UsersController::login()). I've used this to authenticate using either username or email address, but it could be easily adapted for this purpose. Same idea, different criteria. I offered what I think is a reasonably thorough response (with code) to a similar question. It may help you as well.