IdentityServer: Why is username and password wrong but can login through login page - authentication

I wanted to get the access token through Postman so I can use it on my mobile app to get a token.
I can use the same password and username and log in through the IdentityServer login screen.
When I used Postman, it said invalid username/password. The configuration in the database is new for IdentityServer 4; am I missing some configuration in IdentityServer?

I think I am missing the services.AddAspNetIdentity() call in the ConfigureServices function.

Related

Auth0 error : Authorization server not configured with default connection

I am working on using Auth0 as authentication for services. I have the following problem. I have created a user, but when I try to make a request with that user I get the following error.
Authorization server not configured with default connection
I have researched this and found I need to Configure the tenant
The Resource Owner Password Flow relies on a connection that is capable of authenticating users by username and password, so you must set the default connection for the tenant.
Go to Auth0 Dashboard > Tenant Settings, and scroll down to locate the Default Directory setting.
Enter the name of the connection you would like to use. Make sure it is capable of authenticating users by username and password.
But I have no idea what they mean by Default Directory. Is that the name of the Auth0 application I generated, since that is the service that is supposed to authenticate users by username and password?
I have generated a SpringBoot app from the Auth0 console. Is that what they mean by connection?
Follow these steps.
Navigate to your dashboard - manage.auth0.com/dashboard
On the left menu, click on Settings
Scroll down to "API Authorization Settings"
Enter Username-Password-Authentication in the "Default Directory" input
Hit save - it typically takes about 30 secs for changes to take effect
In Default Directory put Username-Password-Authentication
My Auth0 was configured with a custom database, and when I was trying to get tokens using the Resource Owner Password API, I had the same issue: Authorization server not configured with default connection.
The solution to this issue was:
Set the grant_type to http://auth0.com/oauth/grant-type/password-realm
Set the realm to the name of the custom database
For anyone else stumbling upon this question, you can also use the Realm property to define a specific Database connection instead of setting up a default one.
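The two request shapes the answers above describe, as an added example (not code from the thread or from Auth0): the plain `password` grant, which depends on the tenant's Default Directory, and the `password-realm` grant, which names the connection in a `realm` parameter. The function names, the sample tenant domain and all credential values are this example's own; only the grant-type URL and parameter names come from the answers.

```python
"""Build the Auth0 /oauth/token request for the Resource Owner Password grant.

Added example. Returns the URL, headers and form body so that the request can
be inspected before anything is sent; no network call is made here.
"""
from urllib.parse import parse_qs, urlencode

PASSWORD_GRANT = "password"                                     # needs Default Directory
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"  # names the connection


def build_ropc_request(domain, client_id, client_secret, username, password,
                       audience, realm=None, scope="openid"):
    """Return (url, headers, form_body) for POSTing to https://<domain>/oauth/token.

    realm=None  -> grant_type=password; Auth0 resolves the connection from the
                   tenant's Default Directory (the error in the question means
                   that setting is empty).
    realm="db"  -> grant_type=password-realm with realm=db, so the request does
                   not depend on the tenant-wide default.
    """
    for name, value in (("domain", domain), ("client_id", client_id),
                        ("username", username), ("password", password)):
        if not value:
            raise ValueError(f"{name} is required")
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "audience": audience,
        "scope": scope,
    }
    if realm:
        params["grant_type"] = PASSWORD_REALM_GRANT
        params["realm"] = realm
    else:
        params["grant_type"] = PASSWORD_GRANT
    url = f"https://{domain}/oauth/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(params)


def decode_form(body):
    """Decode a single-valued form body back into a dict (for inspection/tests)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    # Constructed sample values; a real client reads these from configuration.
    url, headers, body = build_ropc_request(
        "example-tenant.auth0.com", "CLIENT_ID", "CLIENT_SECRET",
        "user@example.com", "example-password", "https://api.example.com",
        realm="my-custom-db")
    print(url)
    print(decode_form(body)["grant_type"])
```

Treat the returned body as a secret: it carries the user's password and the client secret, so never log it outside a debugging session.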

How to authenticate Salesforce through CData ODBC driver via OAuth's accessToken?

I am only able to fetch Salesforce data with username and password, as below.
cnxn = pyodbc.connect("DRIVER={CData ODBC Driver for Salesforce};User=myUser;Password=myPassword;Security Token=myToken;")
But if I don't want to give the username and password there and want to access the data with the access token returned from OAuth, how can I do that?
The instructions for connecting to Salesforce using OAuth with the CData ODBC Driver are here: http://cdn.cdata.com/help/RFE/odbc/pg_oauthcustomappcreate.htm (copied below).
In short, you'll use the OAuth Access Token and OAuth Server URL; your code will look similar to the following:
cnxn = pyodbc.connect("DRIVER={CData ODBC Driver for Salesforce};OAuthAccessToken=OAUTH_ACCESS_TOKEN;OAuthServerUrl=OAUTH_SERVER_URL;")
Authenticate to Salesforce from a Web Application
To obtain the access token, set the following connection properties:
OAuthClientId: Set to the consumer key in your app settings.
OAuthClientSecret: Set to the consumer secret in your app settings.
CallbackURL: Set to the callback URL in your app settings.
When connecting via a web application, or if the driver is not authorized to open a browser window, you need to exchange temporary verification values for the access token:
Call GetOAuthAuthorizationUrl. The stored procedure returns the URL to the OAuth endpoint.
Log in and authorize the application. You are redirected back to the callback URL. If you set the GrantType parameter to Implicit, the callback URL contains the OAuthAccessToken and OAuthServerUrl in a query string parameter. If you set the GrantType parameter to code, the callback URL contains the verifier code in the query string parameter named "code". Extract the verifier code and call GetOAuthAccessToken.
The relevant part:
To connect to data, set the following connection properties:
OAuthAccessToken
OAuthServerUrl
To automatically refresh the access token when it expires, set InitiateOAuth to REFRESH and set OAuthRefreshToken. Alternatively, call the RefreshOAuthAccessToken stored procedure when the access token expires. Given a refresh token as input, the procedure returns a valid OAuth access token.
As an alternative to retrieving the authorization URL and having the user log in to Salesforce, you can set up a password grant type by calling GetOAuthAccessToken, setting GrantType to PASSWORD. Here, you need to ensure that the user name and password are both set in the connection string, in addition to the client ID and secret of your application. Note that InitiateOAuth must be set to OFF for the password grant type to work. You cannot refresh the token obtained this way. This method has the advantage of removing the login step for users that cannot open a web browser, but it has the disadvantage of the user's credentials being exchanged in plain text between the server and Salesforce.
Note: You can configure the session timeout in Salesforce by navigating to Setup > Administration Setup > Security Controls > Session Settings.
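Building the token-based connection string programmatically, as an added example that is not the poster's code or CData's. The property names (OAuthAccessToken, OAuthServerUrl, InitiateOAuth, OAuthRefreshToken) are the ones quoted in the answer above; the helper functions and the environment-variable names are this example's own assumptions.

```python
"""Assemble a CData ODBC connection string for Salesforce from OAuth values.

Added example. Keeps the username/password out of the string entirely and
brace-quotes values that contain ODBC separators so a token cannot break
the string into extra properties.
"""
import os

DRIVER = "CData ODBC Driver for Salesforce"


def quote_odbc_value(value):
    """Brace-quote a value containing ';', '=', '{' or a space.

    ODBC splits properties on ';' and key/value on '='; a value holding
    those must be wrapped in braces. A closing brace inside a value is not
    portably quotable, so it is refused rather than silently mangled.
    """
    value = str(value)
    if "}" in value:
        raise ValueError("value contains '}', which cannot be brace-quoted portably")
    if any(ch in value for ch in ";={ "):
        return "{" + value + "}"
    return value


def build_connection_string(**props):
    """DRIVER={...};Key=Value;... with every value quoted as needed."""
    parts = [f"DRIVER={{{DRIVER}}}"]
    for key, value in props.items():
        if value is None or str(value) == "":
            raise ValueError(f"connection property {key!r} is empty")
        parts.append(f"{key}={quote_odbc_value(value)}")
    return ";".join(parts) + ";"


def oauth_connection_string(access_token, server_url, refresh_token=None):
    """Token-based connection; no User/Password/Security Token properties.

    When a refresh token is available the driver is told to renew the access
    token itself (InitiateOAuth=REFRESH), as the answer describes.
    """
    props = {"OAuthAccessToken": access_token, "OAuthServerUrl": server_url}
    if refresh_token:
        props["InitiateOAuth"] = "REFRESH"
        props["OAuthRefreshToken"] = refresh_token
    return build_connection_string(**props)


def connection_string_from_env():
    """Read the secrets from the environment instead of hard-coding them.

    The variable names below are this example's assumption.
    """
    return oauth_connection_string(
        os.environ["SF_OAUTH_ACCESS_TOKEN"],
        os.environ["SF_OAUTH_SERVER_URL"],
        os.environ.get("SF_OAUTH_REFRESH_TOKEN"),
    )


if __name__ == "__main__":
    import pyodbc  # only needed when actually connecting
    cnxn = pyodbc.connect(connection_string_from_env())
```

The refresh token is as sensitive as a password (it mints new access tokens), so store it where you would store a password, not in source control.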

How to bypass Keycloak login form and jump directly to the IDP login?

I'm running the saml-broker-authentication example. The first thing that I see in the UI is a user/pass form with an option to use a broker (image below).
Is there a way to skip this form and go straight to the IDP?
After clicking on one of the IDP's, I get a URL of the sort: http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication&code=<keycloak generated>
I tried using the following url (without the code) directly but got an error.
(http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication)
Any idea how to bypass the Keycloak auth and go directly to the IDP through the SP (broker)? Thanks.
UPDATE: My TL found a static solution: put the IDP ID in the browser's authentication flow under the Identity Provider Redirector execution. BUT we're trying to find a dynamic way to do it. Looked at the kc_idp_hint documentation but couldn't find a way to make the saml-broker-authentication example work with it :(
As you mentioned, you can bypass the Keycloak screen and go directly to the IdP by setting a default identity provider for the whole realm:
It is possible to automatically redirect to an identity provider instead of displaying the login form. To enable this go to the Authentication page in the administration console and select the Browser flow. Then click on config for the Identity Provider Redirector authenticator. Set Default Identity Provider to the alias of the identity provider you want to automatically redirect users to.
(https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider)
Unfortunately, that's for the whole realm and can't be set dynamically or per SP. kc_idp_hint seems to be the solution, but it's only for OIDC:
OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use.
This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.
(https://www.keycloak.org/docs/latest/server_admin/#_client_suggested_idp)
It looks like there's a feature request to add kc_idp_hint support for SAML but it's still unresolved:
https://issues.jboss.org/browse/KEYCLOAK-4884
As a workaround, you could create a new realm and set the default identity provider for that realm. That way if you had SPs that needed to be brokered to different IdPs, you could set them up in the appropriate realm.
The downside is each realm acts as its own IdP so it has its own entity ID, public key, etc. You'd effectively have to set the SP up again each time to have it default to a different IdP.
It is an old post but maybe still relevant for someone.
For a static redirect to the identity provider login page, in the Keycloak admin panel take the name from Identity Providers -> name and set it in Authentication -> Identity Provider Redirector -> config -> Default Identity Provider. After that, a request to https://{KK}/realms/{RM}/protocol/openid-connect/auth?... will redirect you to the identity provider, e.g. Facebook.
Dynamic IdP choice: to choose the IdP login page per request, you may add the parameter kc_idp_hint to the KK URL, e.g.
// go to the KK login page with username/pass and a choice of IdP
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint
// go to the Facebook login page if the Facebook IdP is configured
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint=facebook
// go to another IdP's login page
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint=other
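Building that authorization URL with and without kc_idp_hint, as an added example that is not from the thread or from the Keycloak project. It uses the endpoint shape shown above ({KK}/realms/{RM}/protocol/openid-connect/auth) and adds the state and PKCE parameters a browser client should send with the Authorization Code Flow anyway; the function names and the sample base URL, realm and client id are this example's own.

```python
"""Build a Keycloak authorization-endpoint URL that optionally carries kc_idp_hint.

Added example. kc_idp_hint takes the identity provider *alias* as configured
under Identity Providers, not its display name.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(base_url, realm, client_id, redirect_uri, idp_hint=None,
                   scope="openid", state=None, code_challenge=None):
    """Authorization Code Flow URL for the realm's openid-connect endpoint.

    idp_hint=None or blank -> Keycloak shows its own login form with IdP buttons.
    idp_hint="facebook"    -> Keycloak redirects straight to the IdP aliased "facebook".
    base_url may include the older "/auth" context path, e.g. http://localhost:8080/auth.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),  # CSRF protection for the callback
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if idp_hint and idp_hint.strip():
        params["kc_idp_hint"] = idp_hint.strip()
    path = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{path}?{urlencode(params)}"


def idp_hint_of(url):
    """Read back the kc_idp_hint from a URL (None when absent)."""
    query = parse_qs(urlparse(url).query)
    return query.get("kc_idp_hint", [None])[0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    # Constructed sample values for a local Keycloak.
    print(build_auth_url("http://localhost:8080/auth", "demo-realm", "demo-client",
                         "http://localhost:3000/callback", idp_hint="facebook",
                         code_challenge=challenge))
```

Keep the verifier and state server-side (or in the client's session) until the callback arrives; the callback handler must check that the returned state matches before exchanging the code.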
To set an identity provider as the default one ignoring keycloak login form, just go to the authentication menu > Identity Provider Redirector action link > set the default identity provider to the alias of the provider you want. Once you open from browser localhost:8080/realm[...]/account you will be automatically redirected to your provider login page.
After searching a lot I managed to do it with this line of code:
    keycloakAuth.login({idpHint: 'facebook'});
keycloakAuth being:
    keycloakAuth = Keycloak({
        url: environment.keycloakRootUrl,
        realm: 'realm',
        clientId: 'client-id',
        'ssl-required': 'external',
        'public-client': true
    });
No need to set it as a default identity provider.
kc_idp_hint will work with SAML by passing the IDP alias instead of the IDP display name.
In keycloak admin console go to "Authentication" menu -> "Flows" panel -> in the drop down select "Browser" -> click on the "copy" button and call it "Browser2"
By selecting "Browser2" you can edit the Auth Type "Identity Provider Redirector" -> "Actions" -> "Config"
Under "Alias" and "Default Identity Provider" enter the alias of your saml-identity-provider, previously created in the "Identity Providers" menu
In the "Clients" menu select your saml-broker-authentication client, expand "Authentication Flow Overrides", and under the "Browser Flow" drop down select "Browser2" and save
Your http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication should now directly open the IdP and not the Keycloak login form.
Then you can create as many authentication flows as IdPs without duplicating the realm.
In order to skip SSO, init Keycloak first, then pass idpHint to login.
    const options: KeycloakLoginOptions = {
        idpHint: ' ',
    };
    keycloak.init({}).then(() => {
        keycloak.login(options).then(() => {
            onSuccess();
        });
    });
You would configure this in the Keycloak administration console:
step 1: configure the Identity Provider Redirector: Authentication >> Browser >> click "action" in Identity Provider Redirector
step 2: type the alias of the identity provider you need in "default identity provider"; in "Alias" type any name
finally: you need to configure the client to use Browser: Clients >> choose the client-id you need to configure SSO for >> Authentication Flow Overrides >> in "Browser Flow" select Browser >> save.
It succeeded on my system. Good luck ^^
In order to get redirected to the IDP login page through the Keycloak broker you can use the following URL: http://localhost:8080/saml-broker-authentication/
You can also extend and write a new authenticator SPI on top of the class IdentityProviderAuthenticator, in which authenticate performs redirect() based on a request URL attribute.
Otherwise, in most cases, kc_idp_hint in the resource URL will help.
E.g. https://resourceserver/resourcepath?kc_idp_hint=google

Asp .NET Identity Cookie Authentication

I'm using the MVC 5 default template with "Individual Accounts" selected for authentication. It uses ASP.NET Identity with Entity Framework.
Using Chrome I opened the app, registered a user and then logged in with the user. I accidentally deleted the database. Now when I open the app again in Chrome it still shows me signed in, since the auth cookie persists in the browser. However, the user that is logged in doesn't exist in the database.
Is it the correct behavior? If not, then any suggestions on how to prevent it?
That's correct behaviour. As long as the auth cookie is valid and not expired your app assumes the user is authenticated.
When you disable or (soft) delete a user, you should call UserManager.UpdateSecurityStamp(string userId), which causes the auth cookie to be invalid on the next check.
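What a security-stamp check buys you, shown in plain Python as an added example (this is not ASP.NET Identity's implementation, and the cookie format, store and function names are this example's own). A signed cookie carries the user id and the user's current security stamp; validation re-reads the user from the store, so a cookie for a deleted user, or for a user whose stamp was rotated, is rejected even though its signature and expiry are still good.

```python
"""Signed auth cookie validated against a user store's security stamp.

Added example. issue_cookie() signs "user_id|stamp|expiry" with HMAC-SHA256;
validate_cookie() checks the signature, the expiry and, crucially, that the
user still exists with the same stamp.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # in a real app this comes from the key store


class UserStore:
    """Minimal in-memory stand-in for the Identity user table."""

    def __init__(self):
        self.users = {}   # user_id -> {"name": ..., "security_stamp": ...}

    def create(self, user_id, name):
        self.users[user_id] = {"name": name, "security_stamp": secrets.token_hex(16)}

    def update_security_stamp(self, user_id):
        """Counterpart of UserManager.UpdateSecurityStamp: invalidates issued cookies."""
        self.users[user_id]["security_stamp"] = secrets.token_hex(16)

    def delete(self, user_id):
        self.users.pop(user_id, None)


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(store, user_id, ttl_seconds=3600, now=None):
    """Create a cookie bound to the user's *current* security stamp."""
    now = int(time.time() if now is None else now)
    if "|" in user_id:
        raise ValueError("user_id must not contain the separator")
    stamp = store.users[user_id]["security_stamp"]
    payload = f"{user_id}|{stamp}|{now + ttl_seconds}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(store, cookie, now=None):
    """Return the user id if the cookie is authentic, unexpired and still matches the store; else None."""
    now = int(time.time() if now is None else now)
    try:
        user_id, stamp, expires, mac = cookie.split("|")
    except ValueError:
        return None                                  # malformed
    if not hmac.compare_digest(mac, _sign(f"{user_id}|{stamp}|{expires}")):
        return None                                  # forged or tampered
    if now >= int(expires):
        return None                                  # expired
    user = store.users.get(user_id)
    if user is None or user["security_stamp"] != stamp:
        return None                                  # deleted, or stamp rotated since issue
    return user_id


if __name__ == "__main__":
    store = UserStore()
    store.create("u1", "alice")
    cookie = issue_cookie(store, "u1")
    print(validate_cookie(store, cookie))            # u1
    store.delete("u1")
    print(validate_cookie(store, cookie))            # None: user gone, cookie rejected
```

ASP.NET Identity performs this comparison on a configurable interval (the cookie middleware's validate interval) rather than on every request, so a cookie can stay usable for up to that interval after the stamp changes; shorten the interval if that window matters.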

Binding to LDAP server using ldap_bind_s - can we authenticate using a user token rather than username and password

I use ldap_bind_s to bind to the LDAP server.
Example:
    SEC_WINNT_AUTH_IDENTITY *pSecIdentity;      // filled with username and password
    ULONG rc = ldap_bind_s( pLdapConnection,    // Session handle
                            NULL,               // Domain DN
                            (_TCHAR*)pSecIdentity, // Credential structure
                            LDAP_AUTH_NEGOTIATE );
pSecIdentity is filled with username and password.
But the problem is I want to do the same with PKI users, where I don't have a username and password but instead a user token.
So how do I proceed in this scenario?
Is there any structure to provide a user token instead of username/password to authenticate?
Check if this helps.
Not very sure, but it looks promising:
https://pkienthusiast.wordpress.com/2011/09/16/apache2-pki-certificate-authentication-and-ldap-authorisation-example-2/