Auth0 Test Connection tries to log into wrong database - auth0

I have created a client and database and associated the two. When I create a user in this database, I am unable to log in using the test connection button.
When I check my logs, I don't see any attempt to log into this connection, rather I see a failed login for the connection Username-Password-Authentication. The connection I am testing is named bens-connection, this is just a standard auth0 database.

Can you confirm which Test Connection button you are pressing. Is this Connections -> Database -> bens-connection then the Try connection tab?
Is your Client definitely associated with the bens-connection database?
Is your User definitely associated with the bens-connection database?
If so, then suggest you just copy out the URL when you hit the Try connection button and manually edit the connection name. Paste that into a URL and see if you can successfully login.
You should have a URL something like:
https://{{TENANT}}.auth0.com/login?client={{YOUR_CLIENT_ID}}&protocol=oauth2&redirect_uri=https://manage.auth0.com/tester/callback?connection=bens-connection&prompt=consent&response_type=code&connection=bens-connectionstate=sDZ8vs4tb2FqR3xnLpUnxIPhO7CiA5O4
You could also try the authorize endpoint using:
https://{{TENANT}}.auth0.com/authorize?client_id={{YOUR_CLIENT_ID}}&protocol=oauth2&connection=bens-connection&redirect_uri=https://jwt.io&response_type=token id_token&scope=openid email&nonce=123&state=xyz
Let me know how you get on, and I can update this answer based on further info.

Related

Is there a way to know that Keycloak's user account management page was opened from the client?

I am using Keycloak to secure my application but I am using an extra database too. I am holding my users in both of them. Thus whevener a change is made to a user, the user needs to be updated in both the Keycloak db and my db. Thus whenever the application's main page loads, I update the user (everytime). Because maybe the user was changed from the Keycloak User Account Management service. And I need to put the change in the db.
But I don't want to do this everytime the app loads. I would like to know if there's a way to know Keycloak acocunt page was opened by the user. (So that I can update the users only then) Maybe Keycloak returns a parameter or smt? I don't know.
If anyone can help, I would be grateful.

Active Directory SSO Authentican leads to new tab open for every single request

We are using Snowflake with Active Directory authentication. When we add the registry entry of authenticator: externalbrowser for ODBC to work, every query/fetch leads to a new browser tab window to be opened for SAML token. So if the Excel sheet we are working with has 10 queries, 10 new chrome tab windows open up.
The same applies when we run Python scripts. We add authenticator='externalbrowser' to the connect command and then each and every query in the script leads to the opening of a new browser tab to get the SAML token. This of course is quite annoying since we end up with 100's of browser window
tabs being opened.
Thanks.
This is by design since you are specifying the authentication method as 'externalbrowser', however it only opens a new browser for each connection that is made. Check to see if each of your queries establishes a new connection object.
What you want is to open a connection object once, then use a cursor object from the connection each time you need to execute a query.

Authenticating Cloudant one db per user

I apologies in advance - for this question needs a bit of background, which is likely to be long winded:
I'm trying to build an app which works offline with PouchDb. PouchDb will sync with Cloudant.
Technologies used:
Hapi, SQL, Vue, Cloudant, PouchDb
I have built a little hapi.js service to sign up / authenticate users. When an "account owner" signs up - they are added as a new user to a SQL database.
Using Cloudants API, I provision a new database (with a random name), and set security on the database so the new user has access.
I save the security (DB name, User name, and password) as metadata back to the user in the SQL database.
A very similar approach to here: https://www.bennadel.com/blog/3208-provisioning-cloudant-couchdb-databases-from-auth0-for-a-database-per-user-architecture-in-angular-2-4-1.htm (indeed, I based the above on this).
When the "account owner" logs in, the SQL DB is queried - the MetaData retrieved and sent down to the client side vue app. The PouchDB remote string is then populated with the Cloudant DB name, User name, and password.
eg:
const remoteDB = new PouchDB(`https://${name}:${pass}#0000-0000-bluemix.cloudant.com/${DBname}`);
This all works: PouchDB can talk to Cloudant - and data is going to and from without issue.
The "Account owner" is able to give read/write access to other people ("Staff") to their cloudantDB. When they add a new Staff Member, the Staff Member is added to the SQL DB. Using cloudants API, I create new security credentials for this user so that they can access the DB- (I do NOT create a new DB) and save them to the Staff Member in the SQL db as metadata...
The new staff member is sent an email - they set their username and password on the SQL db, and can log in. The Cloudant meta stuff is picked up... etc etc... PouchDB / Couchdb talks to each other - this also works.
Initially I was a bit concerned about sending this meta / credentials down to the client - I wanted to use a JWT or something... But then I saw this answer to another question:
https://stackoverflow.com/a/30417620/714950
So passing credentials down seems to be how its done in Pouch/Couch/Cloudant etc. I've got to be honest - I find the whole thing works like 'magic' - like its too good to be true, and that worries me a bit as I don't really understand it. I might be doing something terribly wrong.
Now for my question(s):
I'm passing these credentials down - is this safe? How would I reset / time out the username and password.
When they log out, I wipe the data from Pouch?
Can a user be 'logged in' and lose connection? Will pouch sync when they reconnect?
If pouch has NOT synced - and they log out (and I wipe Pouch) that would mean they would lose their data? so I guess I would need to persist the data in Pouch for when they log in again?
But what if they are using a shared computer? This data would be sat in Pouch DB waiting for someone to log in?
I'm also unsure how I validate the data... making sure that which gets saved to the DB is valid etc...
I suppose I'm just trying to get my head around this - I've been googling and reading everything I can, but it doesn't quite answer my questions.
Thanks
[** Just had a thought...
Thinking about it, I don't actually need to create the staff user within the SQL DB.
The Account Owner is set up - the DB is created in Cloudant, and credentials applied.
Not just had a thought: Theoretically, when a staff member is added - I only need to set them up inside Cloudant, and write their ID to the "Account Owner" as meta data so that they can be removed etc.
This way, a staff member could log in directly to the Cloudant DB.
However, I generate the security credentials using Cloudants API - so the staff member won't know what their username and password is. I don't want to send the username and password in an email.
Is there a way I can handle this? Am I able to specify a username and password when creating the security credentials? How do I handle things like password resets on cloudant?]
Thanks
I'm passing these credentials down - is this safe?
If your site is served out over HTTPS, then a bad actor would find it difficult to glean the Cloudant username & password in flight. Your client-side app needs to retain the credentials for your app to be "logged in" (for it to retain the right to sync with the server). I like to retain the data in a PouchDB document (e.g. _local/auth - local documents are not replicated so reside only on the device you create them on). You are right to be concerned, however, about having database credentials floating about on a client-side computer. Some folks decide that that is not acceptable and implement their own middle layer. If you don't need sync (that is data can be altered at both client and server side), you might use PouchDB as a buffer for unsynced data and push it to your own API when you're online. You can then control authentication, timeout and access to the database from your own server-side code.
How would I reset / time out the username and password.
You can "log out" by:
deleting your client-side state e.g. deleting the _local/auth document.
making the key/password have no permissions on the client side. Without _reader/_writer/_replicator rights, a Cloudant api key and password is useless
Alternatively you could transmit the username & password to the client which could use them against the Cloudant POST /_session endpoint which gives the web browser a time-limited cookie. Your app could then "forget" the credentials until it needs them again.
When they log out, I wipe the data from Pouch?
Yes.
Can a user be 'logged in' and lose connection? Will pouch sync when they reconnect?
If you write your client side app correctly, it could function perfectly well with its local PouchDB data, whether it has an internet connection or not. This is known as an Offline First approach. As long as your credentials are still valid, your app can sync when a connection is re-established.
If pouch has NOT synced - and they log out (and I wipe Pouch) that would mean they would lose their data?
Correct. If you have only one copy of some data and delete it, you lose data :)
But what if they are using a shared computer? This data would be sat in Pouch DB waiting for someone to log in?
Correct. On a shared computer, another user's data may be visible to the second user. Just as if I left my Facebook session logged in on a shared computer.

IBM Domino: Error When Submit Document

I create a new database, and when I create a document and submit to this database from the web, I got an error in the console:
HTTP Web Server: IBM Notes Exception - The certificate table does not contain enough valid certificates to verify the public key of its owner.
But if I submit a document to another database in this server, I can save successfully. Where can I setup or need do some other step? When I open a form in this new database, I also got this error in a message box. I tried to change ACL for the new database but it did not work.
If you're getting this error while attempting HTTP access to a specific database, it probably means that there is something odd about the signature on one or more design elements in the database. I.e., the signature on the form, the query save agent, or some other design element was done with an id that doesn't share a common root certificate with the server.
Try using the Domino Administrator client to sign the database, either with the server id or with another id in the same organization.

Authenticating a Chrome extension with a remote server?

(noob alert) Problem Statement: I have a chrome extension that takes that allows a user to bookmark a page by sending the details of bookmark to a server and storing the data under that user's profile.
This means I need to authenticate the user and then send the userID to the server every time
I send back bookmark.
Issues:
1)The bookmark is shown in the popup and then sent to the server, however if the user is not logged in(authenticated) the pop up should only show an interface that allows for user name pass not the book mark data, my issue, how would I achieve this? i know I have to use one pop file, but how would I have to separate interfaces?
2)What is the best method to authenticate the extention? and ensure that data are being sent from the extension only, i.e prevent attacks on the web service.
Can anyone help?
1) You can set popup page at any time with chrome.browserAction.setPopup.
So, the extension starts with the login form as the default popup under 'manifest.json'. After user login, set the browserAction popup to your main extension page.
2) Since the and user can edit anything on your extension code, you should prevent attacks or whatever from server-side i.e request tokens, request quota for ip and/or elapsed-time. And a simple authentication via POST under a SSL connection should be enough.