I have application which renders auth0 login in an iframe using classic universal page.
However, I want to switch to new universal login page but want to disable clicjacking feature.
Is there any way to disable clickjacking in new universal login page?
Thanks.
as per Auth0 documentation
in the classic flow:
set the following HTTP headers
X-Frame-Options: deny Content-Security-Policy: frame-ancestors 'none'
in the new universal flow:
The following action is not required if you are using the New Universal Login Experience because those headers are always set in that case
Related
I have a pretty straightforward ASP .NET Core web site that uses Azure AD + OpenID for user authentication. Inside Azure I've added "https://my-site/signin-oidc" as a Redirect URI and inside my app settings I've set my CallbackPath to "/signin-oidc".
The problem is after authentication the browser always redirects to the home page.
For example the user will enter the following url into their address bar:
https://my-site/#/foo
They'll then be redirected to the azure sign-in page which has a uri like so:
https://login.microsoftonline.com/.../oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmy-site%3A64199%2Fsignin-oidc&[...]&sso_reload=true#/foo=
(Note where the '#/foo' fragment is placed)
After authentication succeeds they end up at the home page (https://my-site/).
Is there anyway for me to preserve the original URI and redirect the user to it after auth succeeds?
Try using the post_login_redirect_url query parameter for this.
If you want to automatically navigate the user to #/foo' after logging in, you can set your login redirect to ~/.../authorize?post_login_redirect_url=/#/foo.
I am new to Blazor and trying to authenticate using oidc. I am trying to use the instructions from Secure an ASP.NET Core Blazor WebAssembly standalone app to set it up.
Here is what I want the app to do (this, I think is a 'normal' app flow):
Start app
Be redirected to a login page (this login page is not within my app)
After login redirect back to app
I must be missing something simple. When I try to run the app I see this error in the Browser Console errors:
Refused to display 'https://xxxx.yyyy.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
In the response headers, I see this:
X-Frame-Options: DENY
X-MS-Forwarded-Status-Code: 500
And in the request headers:
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
I am trying to emulate an existing, working Angular app and in that app headers, I see this in the header
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
I'm not sure if that difference in the header is the difference or not but it's the only thing I see. Looking for advice on how to get this login flow working?
It turns out my scenario - Blazor Webassembly to ADFS is not supported. After days of banging my head, I found this: BLAZOR WASM - ADFS - OIDC - Documentation indicating this is not a supported scenario.
I then found article which pointed me in the correct direction Configure Blazor WASM with ADFS
Turns out the MSAL provider seems to work fine for this scenario:
builder.Services.AddMsalAuthentication(options => {
// Configure your authentication provider options here.
options.ProviderOptions.Authentication.Authority = "https://xxx.yyyy.com/adfs";
options.ProviderOptions.Authentication.ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";
options.ProviderOptions.Authentication.NavigateToLoginRequestUrl = true;
options.ProviderOptions.LoginMode = "redirect";
});
I tried to sign in to Auth0 with the new package (https://github.com/auth0/auth0-spa-js).
Attempt 1: I did try a best practice that uses cy.request() but seem like new the auth0-spa-js package now requires a random state string (which I don't have and it was generated from loginWithRedirect function) in the request URL. So I can not call sign in API of Auth0
Attempt 2: I set "chromeWebSecurity": false, I click sign in button -> my web is redirected to Auth0 page, the URL is load correctly but Auth0 refused to display 'auth0 url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Does you guy have any solution for this situation?
For now, this is the workaround solution of me.
Disable chrome security in Cypress config.
Login through the auth0 page (we will redirect to log-in page and log out due to the fact that I cannot generate the random state in the new auth0 package: auth0-spa-js)
Note: If you’re not custom login page in auth0, use the classic page in Universal Login. I found that the new UI of Auth0 login page has a lot of security enhance that prevents us render auth0 in an iframe. (like image below)
Auth0 seting
Then, Go to Auth0 -> Tenant Setting -> Advanced -> Enable Clickjacking Protection to allow auth0 load in an iframe.
Enalbe Clickjacking
Ok, that all the step that I did to make it work. Hope this help you
I'm developing Custom SSO for login into jasper reports and chose token based authentication.I placed "applicationContext-externalauth-preauth.xml" to web-inf/ folder.But my jasper is loading the login.html page even after that. So please help me how to disable login page and enable the token based authentication for successful implementation of SSO in jasper.
In token based authentication , jasper server don't show any login screen.
Your url should be like :
http://localhost:8080/jasperserver-pro?pp=u%3DSven|r%3DManager|o%3DEMEA,Sales|pa1%3DSweden
I've set basic spring authentication. When user comes to page and enters secured URL, login form is rendered, but I want to show error 403 page (or any other page i choose).
If I understand correctly I can't use access-denied-handler because user is not authenticated at all.
How do I show any other page than login form page to non-authenticated user, when he accesses secured URL?
When you are using form-login the default AuthenticationEntryPoint redirects to the login page.
You can override this by injecting a custom entry point using the entry-point-ref attribute.
You can use the code for Http403ForbiddenEntryPoint as a guideline (or use that directly if all you want is a response code sent to the client).
Add the below tag in your security context file.
access-denied-page="<name of the page>"
add this in http tag like below:
<http auto-config="true" access-denied-page="/authenticationfailed.jsp">