Logout issue with springboot and angularjs - angularjs

I had an issue regarding the logout . Once i am done with my logout and it's not popping me agin to enter the user name and password , why is it so ?
ttps://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2-vanilla
https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
is it not the expected behaviour ? If so please suggest me what to do when i want to do the complete logout that means we have to delete refresh tokens as well i guess. the reason of not asking the username and password in my perspective , It's refresh token is valid and once i click teh login button it directly redirects me to the greeting page with generating the new access token with the help of refresh token.
But i would like to do the complete log out i.e, once the use clicks the logout and user should be able to enter his credentials to get the new refresh token and access token irrespective of the old refresh token expiration.
I really appreciate your help..!!!!
Thanks
Prince

I would suggest posting all of the relevant HTTP traffic flow between client (browser) and server, both the redirects and "back end" traffic.
So, basically take the approach of knowing little about the actual implementation of the client and server, and just focus on the OAuth2 authorization code flow, its a protocol after all. Without this we'll be stabbing in the dark.
In terms of an answer, as a guess the client application may be passing a cookie to the authorization server and your just not seeing it. This is exactly what happened to me with Spring Boot and WSO2 IS 5.1.0

Related

I am looking for a way to go to login page when access token timeout in React

I am using React with Django Rest Framework as backend with proper permissions. I am using token authentication and axios to make queries to the django api. Firstly, I can do a login with credentials in my React interface, and I store access token in the local storage. After about 5 minutes, if I make a new query I get an error from django telling me "access deny". I can catch that kind of error and send the user to the login page again. But here I have two questions:
1- What should I do to refresh access token whereas the user is working? I have refresh token but I do not know what to do.
2- If I get rid of the first problem. I want the application goes automatically to login page after 5 minutes without any user activity. I mean, I want to go to login page without the need of an explicit click on all the possible options. Some kind of background query to django to detect expiration, so that I can redirect to login page.
Thank you in advanced.

Authorization request to get access on behalf of a user results in a 'cookiesDisabled' page

I'm trying to do an Authorization request following the documentation about it on Microsoft (Getting access on behalf of a user: https://learn.microsoft.com/en-us/graph/auth-v2-user). I'm making the request using Azure's Logic Apps. I already made an app registration in Azure AD and gave it the following permissions (I used the app for a few different requests before so that's why it contains a lot of unnecessary api permissions). I already succeeded in getting access without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service). Now I really don't know what I'm doing wrong, so if anybody has an idea of what it is, please let me know. I will try to explain as carefully as possible using screenshots so you guys get the idea of what I'm trying to do.
On the first screen below you can see the api permission I added to my app registration. For this request I'm only asking authorization for the one with arrow next to it(as you will see later on).
On the second screen you can see the HTTP post request I'm trying to make to the authorize endpoint. I blurred out the Tenant and Client_id for privacy reasons. I only added the required parameters in the body as described by Microsoft. In the scope parameter you can see the api permission I'm asking permission for.
On the third screenshot you can see the output of the request. Instead of getting an Authorization code as requested, I get an HTML body.
When I paste that HTML body into a browser it gives me the following result:
I have no clue what I'm doing wrong. I tripled checked to make sure cookies are enabled, made sure third-party cookies are not disabled and added login.microsoftonline to my trusted websites.
I'm starting to think I'm doing something very simple wrong, but I can't figure out exactly what. Any help is welcome! :D
Sorry can't add a comment so posting as an answer
What you are trying to implement is the Authorization Code grant flow of OAUTH 2.0. In Authorization code grant flow following steps occur
1) User is presented with the scopes that an application requires when accessing certain resources,
2) The user authorizes this. and the user is redirected to a redirect url
3) The application then exchanges the code sent with the redirect url to get the actual token which in this case will be sent to the Microsoft Graph for validation.
4) User then sees the information pulled.
The major crux of Authorization Code grant flow is that "User Authorization is required" This basically means that this flow is used when the call is invoked from a browser client where the user is actually interacting. This flow should not go through the Azure Logic Apps. If you want a service or a daemon to access the resources in that case you should use Client Credentials Grant flow

auth0 does not require password after logout; logs back in without password

I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/ . Doesn't make any sense to me. Am I missing something?
Thanks ~~
This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the Authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..." Clicking it would login you in without requiring a password.
If you are "Logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from Network tab in your browser when you click to logout.
The Auth0 React quickstart by default does not call the logout endpoint, it only removes the tokens from browser storage. To clear the SSO cookie and logout from IdP using Auth0.js you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.

Adding authentication middleware to redux api

So I created a react-redux webapp, in which the login/signup is done using JWT authentication. This app uses a lot of server api, and due to security reasons each api request needs to accept a valid token, only then it sends back a valid response, else, it simply sends an error object back saying the token is not valid.
Now the problem arises when suppose I open my account in one browser, lets say chrome, and then I also open the same account in Firefox, now, obviously the token has expired in chrome, so when I make requests from chrome I simply get the error object returned, what would be good that I have a middleware before each server request which would check the validy of the token and then redirect to login if the token is invalid.
I am quite new to redux and was wondering if something like that is possible, any kind of help is appreciated, Thank you.

angularjs client and spring backend user login and session management

I have a mobile website written in angularjs, with my backend in Spring Boot. Right now, I have my own login page and can login a user without any trouble. However, if the user ever clicks "back", "refresh", etc., the client loses the user's id and login info (obtained from server on login). I need to make sure that this info is maintained and clicking "back" or "refresh" doesn't break everything.
Secondly, a user that knows the url's after login can type those url's in the browser and access them without logging in. I can stop them accessing anything on the server, but not sure what I can do on the client to redirect them to a login page in this case.
Any help would be greatly appreciated!
You should keep in mind that everything running in browser is stateless, there's no way to keep trace of the previous state.
Right now, if the user performs a refresh (or another similar action), Angular loses everything (AuthData included).
You have many way to work around that limit:
Perform an http request after the application bootstrap (have a look at the angular.module().run method
Save a cookie and use the server to print initial data layer directly on the dom via json
Save on local/session storage
Personally, I prefer cookies because that lets the server to work decoupled from the client.
In reference to your comment..."if the user ever clicks "back", "refresh", etc., the client loses the user's id and login info (obtained from server on login)."
Is there any reason you need to maintain the user id or login info after a successful authentication?
If Spring Security is setup for basic authentication, after a successful login, a Session Cookie will be sent back on the response to the client. On all subsequent requests to the server, the same Session Cookie will be sent on the request and the previously authenticated session will be re-established. You just need to ensure that your Angular client is passing cookies when issuing requests.
Take a look at this sample on how this is done.

Resources