My stack: oidc-react, Amazon Cognito
When I log out on the site and call auth.signOut();, the userManager signs out the user and redirects to the login page, but when you log in again by calling auth.signIn(); makes a request to Cognito with the token it has, but won't ask for credentials and logs the user in, I guess because the user still has a running session with the same token, if I am right. It only asks for login credentials after an hour because the session expires after 60minutes.
I want Congito to ask for credentials after signing out. I've tried passing the config these options after some research, but doesn't seem to be working:
revokeTokenTypes: (["access_token", "refresh_token"]),
revokeTokensOnSignout: true,
automaticSilentRenew: false,
monitorSession: true
This is the OIDC setup I pass to the provider:
const oidcConfig: AuthProviderProps = {
onSignIn: (user: User | null) => {
console.log("onSignIn");
},
onSignOut: (options: AuthProviderSignOutProps | undefined) => {
console.log('onSignOut');
},
autoSignIn: false,
loadUserInfo: true,
postLogoutRedirectUri: "localhost:3000/",
automaticSilentRenew: false,
authority: "https://" + process.env.REACT_APP_AWS_COGNITO_DOMAIN,
clientId: process.env.REACT_APP_AWS_COGNITO_CLIENT_ID,
redirectUri: window.location.origin,
responseType: 'code',
userManager: new UserManager({
authority: "https://" + process.env.REACT_APP_AWS_COGNITO_DOMAIN,
client_id: process.env.REACT_APP_AWS_COGNITO_CLIENT_ID!,
redirect_uri: window.location.origin,
revokeTokenTypes: (["access_token", "refresh_token"]),
revokeTokensOnSignout: true,
automaticSilentRenew: false,
monitorSession: true
})
};
AWS Cognito does not yet implement the RP Initiated Logout specification or return an end_session_endpoint from its OpenID Connect discovery endpoint. I expect this is your problem, since the library is probably implemented in terms of these standards.
Instead, AWS Cognito uses these parameters and a /logout endpoint. In my apps I have implemented Cognito logout by forming a URL like this, then redirecting to it by setting location.href to the URL value:
public buildLogoutUrl(): string {
const logoutReturnUri = encodeURIComponent(this._configuration.postLogoutRedirectUri);
const clientId = encodeURIComponent(this._configuration.clientId);
return `${this._configuration.logoutEndpoint}?client_id=${clientId}&logout_uri=${logoutReturnUri}`;
}
This will enable you to end the Cognito session and force the user to sign in again. It will also enable you to return to a specific location within your app, such as a /loggedout view.
Related
I've added a custom domain to Auth0: auth.mydomain.com and verified it. In the Universal Login config I enabled the Customize Login Page option and I added my domain to the issuer config there:
var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
auth: {
redirectUrl: config.callbackURL,
responseType: (config.internalOptions || {}).response_type ||
(config.callbackOnLocationHash ? 'token' : 'code'),
params: config.internalOptions
},
configurationBaseUrl: config.clientConfigurationBaseUrl,
overrides: {
__tenant: config.auth0Tenant,
// __token_issuer: config.authorizationServer.issuer
__token_issuer: 'auth.mydomain.com'
},
...
});
I'm not sure what else I need to change to make it working with my application so users will be redirected to auth.mydomain.com for login instead of using the Auth0 tenant domain.
I create an application that client (vue) runs on localhost:3000 and server (express) on localhost: 8080.
I use passport-google-oauth20 strategy to log in using google and only JWT token.
My Question is:
How do I redirect to a client in a callback strategy so that the receives information about the logged-in user on client side? I'm using in passport jwt, which i send on local-login strategy and there everything works.
At the moment, it looks like this to me:
this.router.get('/v1/auth/google',
passport.authenticate('google', { session: false, scope: ['email', 'profile']})
);
this.router.get('/v1/auth/google/callback',
passport.authenticate('google', { session: false }), (req, res) => {
// let token = sign(req.user);
res.redirect(`http://localhost:3000`);
// how to redirect to the CLIENT,
// who will receive data about the logged-in user?
// how get user data, catch this situation?
});
I've successfully used the oidc-client-js library by Brock Allen to authenticate my SPA app with Auth0 acting as my Identity Provider. However, when I try to use the library to sign the user out mgr.signoutRedirect({state: "my test"}), I receive an error: no end session endpoint.
A look at the metadata endpoint shows that there is a revocation endpoint.
I've configured the oidc-client-js library like so:
var settings = {
authority: 'https://susqsofttest.auth0.com/.well-known/openid-configuration',
client_id: 'my client id',
redirect_uri: 'http://localhost:8080/signin-oidc',
post_logout_redirect_uri: 'http://localhost:8080/logout',
response_type: 'id_token token',
scope: 'openid profile email',
revokeAccessTokenOnSignout: true,
automaticSilentRenew: true,
filterProtocolClaims: true,
loadUserInfo: true
};
var mgr = new UserManager(settings);
Any ideas of what I'm missing?
You can give metadata for oidc client by adding metadata section to user manager settings.
var settings = {
authority: 'https://susqsofttest.auth0.com/.well-known/openid-configuration',
client_id: 'my client id',
redirect_uri: 'http://localhost:8080/signin-oidc',
post_logout_redirect_uri: 'http://localhost:8080/logout',
response_type: 'id_token token',
scope: 'openid profile email',
revokeAccessTokenOnSignout: true,
automaticSilentRenew: true,
filterProtocolClaims: true,
loadUserInfo: true,
metadata: {
issuer: `https://sts.windows.net/${tenant}/`,
authorization_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/authorize`,
token_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/token`,
jwks_uri: 'https://login.microsoftonline.com/common/discovery/keys',
end_session_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/logout`
}
};
This example is when using AzureAD. end_session_endpoint can be also your SPA route address like ${window.location.origin}/logout but then azure ad session won't end.
You can also set metadataUrl instead of metadata. 'https://login.microsoftonline.com/YOUR_TENANT_NAME.onmicrosoft.com/.well-known/openid-configuration',
signout redirect explicitly looking at the Json property "end_session_endpoint" in your idp configuration, I do not see that endpoint in your idp configuration, and I guess, this is not something that you can override with oidc-client.js package.
Check this out on how they are retrieving the endpoint url from metadata.
https://github.com/IdentityModel/oidc-client-js/blob/dev/src/OidcClient.js#L124
I'm setting up cypress.io to test a react app. I'm trying to programmatically authenticate with Auth0 Lock so I don't have to test their UI. Here are the steps:
POST to https://[auth0-domain].com/usernamepassword/login
client_id: "",
client_secret: "",
audience: "audience",
redirectUri: "http://[auth0-domain].com:8383/callback",
scope: "openid email crud:all",
protocol: "oauth2",
sso: true,
username: "",
password: "",
connection: "conn",
tenant: "tenant",
popup: false,
Collect returned form data
POST to https://[auth0-domain].com/login/callback
wa=wsignin1.0&wresult=token&wctx=metastuff
The first steps works but in the third step I'm able to post to login/callback but I get an HTML page with this error message:
Looks like something went wrong! There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us with this tracking id: <b>e88e08e43b7cdee78458</b>.<br/>Please try again.
I'm wondering if there is something with Auth0 blocking me from doing this or if I'm not sending the correct data/header.
I ended up using the auth0-js module which calls the auth0 callback. Then I use 'should' to wait for the localStorage to be set:
import auth0 from 'auth0-js';
import url from 'url';
Cypress.Commands.add('login', () => {
const auth = new auth0.WebAuth({
audience: 'http://audience',
domain: 'domain.auth0.com',
clientID: 'qqqqqqqqqqqq',
redirectUri: 'http://localhost/callback',
responseType: 'token id_token',
scope: 'openid email profile name username groups roles',
sso: true
});
auth.login({username: 'username', password: 'pass'});
cy.window().its('localStorage.user_profile').should('exist')
});
I am building a cordova mobile app and trying to use the auth0 lock API. I am having trouble with the refresh token. I can retreive the refresh token in the authResult but cannot figure out how to actually refresh the id_token ( I suppose i could write the REST calsl myself )
In the v9 docs, it seems there used to be a method: https://auth0.com/docs/libraries/lock/v9/using-a-refresh-token
lock.getClient().refreshToken(refresh_token, function (err, delegationResult) {
// Get here the new JWT via delegationResult.id_token
});
However in lock v10 it seems this method doesn't exist any more: https://auth0.com/docs/libraries/lock/v10/api
Can anyone advise if there is a way to refresh the token using the lock API?
First, you need to either have included Auth0's script tag in your HTML:
<script src="https://cdn.auth0.com/js/lock/10.8/lock.min.js"></script>
Or, if you've installed from npm, you can require Auth0:
var Auth0 = require("auth0-js");
In V10, you create an instance of the Auth0 client (separate from the Auth0Lock instance) which has a function refreshToken():
var auth0 = new Auth0({clientID: YOUR_CLIENT_ID, domain: YOUR_AUTH0_DOMAIN});
...
auth0.refreshToken(refresh_token_here, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
}
The same can also be achieved by using the getDelegationToken() function:
auth0.getDelegationToken({
client_id: YOUR_CLIENT_ID,
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
refresh_token: refresh_token_here,
scope: "openid",
api_type: "auth0"
}, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
});