I have updated the access permission for a page to be "Authenticated" and set the FrontEndLoginPageId and FrontEndLoginPageUrl in Default settings and Also enabled "AuthenticateOnFrontendLoginPage" in Advanced setting security section but still getting redirected to Backend login, any idea what I am doing wrong here?
Related
I have a pretty straightforward ASP .NET Core web site that uses Azure AD + OpenID for user authentication. Inside Azure I've added "https://my-site/signin-oidc" as a Redirect URI and inside my app settings I've set my CallbackPath to "/signin-oidc".
The problem is after authentication the browser always redirects to the home page.
For example the user will enter the following url into their address bar:
https://my-site/#/foo
They'll then be redirected to the azure sign-in page which has a uri like so:
https://login.microsoftonline.com/.../oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmy-site%3A64199%2Fsignin-oidc&[...]&sso_reload=true#/foo=
(Note where the '#/foo' fragment is placed)
After authentication succeeds they end up at the home page (https://my-site/).
Is there anyway for me to preserve the original URI and redirect the user to it after auth succeeds?
Try using the post_login_redirect_url query parameter for this.
If you want to automatically navigate the user to #/foo' after logging in, you can set your login redirect to ~/.../authorize?post_login_redirect_url=/#/foo.
I am using Keycloak and I want to enable Forgot password flow. I have enabled Forgot password in login and configured SMTP to send email.
What I get out of the box from keycloak is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> User is logged in then The user is redirected to account page.
What I want to acheive is the following
-> Click on Forgot password link -> Enter username or email -> User receives an Email with reset link -> Click on the link -> Reset password, then submit -> Display a message saying "Your password has been updated." and do not login the user. stay on that page.
The reason for this is, for my use-case, the user shouldn't access the account page on Keycloak.
In the authentication flow of reset credentials, I can only configure up to reset credentials.
Is there any way I can disable this action of logging in the user automatically after password reset, then redirecting to account page?
I have looked into several questions, but I cannot find an answer on how this can be achieved.
PS: I am using Keycloak docker image with a custom theme. If this can be configured using custom theme options, I have the chance to do it.
Thank you in advance.
Go to your keaycloak admin console, Authentication and desable "Update Profile"
Hopo it helps :)
We faced similar issue during keycloak usage and solved it via implementing custom Action Token and Action token handler (docs). Also check out original keycloak reset credentials action token sources:
ActionToken
ActionTokenHandler
Try to play around AbstractActionTokenHander.startFreshAuthenticationSession() there several attributes that define Keycloak behaviour during reset flow like:
authSession.setRedirectUri(token.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM));
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
authSession.setAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
If you're using your own client for the login page, the specified redirect, or the client default (Base URL) will direct where the user is sent after the password reset.
We did see that when using an admin-directed password reset, this behavior would occur (user sent to Keycloak account page). So, we simply adjusted the Base URL value for the account client so that it points to the home page of our primarily application.
Then, after the account client is used to reset the password, the default redirect is to our home page.
Anyone tell me why I am getting this error in Joomla after successful login from front end:
You are not authorized to view this page
You are probably redirecting to a page that your user (that you're logging in with) doesn't have privileges to view. Check the access level set for that page, and check whether that user has enough privileges to view that page.
Experts,
I have to implement authentication mechanism same as how author instance works. For example, if any user request for any page http:somehost:someport/content/geometrixx/en.html then system should open the page http:somehost:someport/content/geometrixx/en/toolbar/account/login.html and only after successful login sling should redirect to required page.
I looked into Login Selector Authentication Handler and Sling Authentication Service but it seems there is no configuration here. Could you please let me know your thoughts on how to proceed on this? How it will be possible without CUG and how similer mechanism works in Author instance?
Goto http:somehost:someport/useradmin search for anonymous user. click on the anonymous user -> click on permission tab -> remove the read permission on the path that shouldn't be accessible to anonymous users.
If you just want to redirect to the login page if the user is unauthenticated then you will have to do 2 things.
1. Go to /system/console and navigate to the Configuration. Select "Apache Sling Authentication Service". Disable Anonymous access.
2. Go to /libs/cq/security/config.publish/LoginSelectorHandler - Change the login page to the page you want.
Apache tomcat version: 6.0.20
If user is already logged, and he tries to login again from login page, the j_security_check is not available error is encountered. Is it normal behaviour or I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to login page, where he can login with corresponding credentials.
This behavior is normal: the servlet spec only lays-out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log-in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.