I am using Auth0 to implement social login with Google in my Ionic application.
I had set redirect option equal to false as per the documentation and this opens up a new tab.
Now when I set redirect equal to true (default) then as per the documentation it should display the login window in a popup, but I am getting the following error:
Refused to display 'https://accounts.google.com/AccountChooser?continue=https://accounts.google….com%26from_login%3D1%26as%3D-13354ff19852788a&btmpl=authsub&scc=1&oauth=1' in a frame because it set 'X-Frame-Options' to 'DENY'
I know because I am trying to open this inside localhost, that is why I am getting this error. But how can I test this feature in my local environment?
Per the documentation on Auth0 Lock settings if you set the redirect option to false (overriding the default of true) will trigger the use of popup mode.
redirect - Defaults to true. When set to true, redirect mode will be used. If set to false, popup mode is chosen.
Use of the popup mode can result in a new tab or window to be opened while using the default redirect mode uses the current window to redirect to the identity provider.
The error you obtain when using redirect=true seems to indicate that you use iframes within your application and you're trying to perform the authentication from inside of an iframe. This is not supported by the Google identity provider as implied by the use of X-Frame-Options: DENY in the response from Google. (this header requests that the browser fails the navigation if it's within an iframe)
In conclusion, the error is not directly caused by Lock.
Related
I tried to sign in to Auth0 with the new package (https://github.com/auth0/auth0-spa-js).
Attempt 1: I did try a best practice that uses cy.request() but seem like new the auth0-spa-js package now requires a random state string (which I don't have and it was generated from loginWithRedirect function) in the request URL. So I can not call sign in API of Auth0
Attempt 2: I set "chromeWebSecurity": false, I click sign in button -> my web is redirected to Auth0 page, the URL is load correctly but Auth0 refused to display 'auth0 url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Does you guy have any solution for this situation?
For now, this is the workaround solution of me.
Disable chrome security in Cypress config.
Login through the auth0 page (we will redirect to log-in page and log out due to the fact that I cannot generate the random state in the new auth0 package: auth0-spa-js)
Note: If you’re not custom login page in auth0, use the classic page in Universal Login. I found that the new UI of Auth0 login page has a lot of security enhance that prevents us render auth0 in an iframe. (like image below)
Auth0 seting
Then, Go to Auth0 -> Tenant Setting -> Advanced -> Enable Clickjacking Protection to allow auth0 load in an iframe.
Enalbe Clickjacking
Ok, that all the step that I did to make it work. Hope this help you
I made a site and set "Execute the app as" to "Me" and "Who has access to the app" to "Anyone, even anonymous" but it still requires authentication sometimes. I don't want it to ever require authentication. How can I fix that?
I'm testing this with Google Chrome in Incognito mode and Safari on an iPhone.
It is forwarded by Godaddy with a 302.
The problem occurs when I pass a parameter in the url. The only effect of that is to have the page scroll to a certain position and show the appropriate hidden content using this code which really has nothing to do with authentication to Google:
if(e.parameter.objection) {
var id = e.parameter.objection;
s += '<script type="text/javascript">'
+ 'goTo(' + id + ');'
+ '</script>';
}
Try the following links by right-clicking them and choosing "Open Link in Incognito Mode"
Requires authentication:
www.bernierebuttals.org?objection=85
www.bernierebuttals.org/?objection=85
Does not require authentication:
http://bernierebuttals.org
www.bernierebuttals.org
https://script.google.com/macros/s/AKfycbxXNKxLpyh_9H6Xo1-qzSxkVMtmBaAni4L7TrDAiU7xvLRHQ-W7/exec
https://script.google.com/macros/s/AKfycbxXNKxLpyh_9H6Xo1-qzSxkVMtmBaAni4L7TrDAiU7xvLRHQ-W7/exec?objection=85
UPDATE: I just discovered that the behavior has changed since I asked this question. Now when you redirect and pass in a parameter, rather than requiring you to authenticate, the page just doesn't work at all and gives you the error
Doesn't require authentication for me. You may have some problem with browser cookies, etc.
it works the way it is described, no gotcha with/without parameters.
I am using NTLM authentication with ldap.
When i click 'cancel' in the above popup, it gives 'Authorization required' message as below
I want it to redirect on a custom url on 'Cancel' click. How can i achieve it?
Cancel has the same effect as no authentication, so you're going to get a 401 error code for both Cancel and bad authorizations. In that case, you can set up custom URLs for error codes as described here. The custom error is virtual-host scoped if I recall correctly, so this will be shown for all authentication errors for that particular domain.
If you want to get more control of it, you have to prevent the authentication challenge from happening via http at the server level. This means bringing it down to the web application level where you need to make your pages check that authentication has properly occurred. If you're serving static web pages, this obviously won't work.
I'm trying to make a Facebook page tab where people can vote for their favorite video or music track from a bunch of embedded files. I need to get a unique ID from each user to make sure that they can only vote once. The signed_request only contains the user's id if they have authorized my app.
I have tried to have users authorize my app using the FB.login() javascript api, but I get the error:
An error occurred with Remix // Rework Vote. Please try later
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: Invalid redirect_uri: Given URL is not permitted by the application configuration.
As far as I know, I have not set any redirect URL. Do I need to set this somewhere, or is this the not right approach to get a user to authenticate my page tab?
You must specify both "Site URL" (or "Mobile Web URL") and "App Domain" to use OAuth flow...
See where to fill the details on https://developers.facebook.com/docs/authentication/#redirect-uris
So I managed to get this to work by ticking "App on Facebook" in the app settings, and setting the Canvas URL and Secure Canvas URLs to be the same as the Page Tab URL equivalents.
This worked even though this isn't a full app, it's only a page tab, and it won't function as an app unless it's in a container page.
I'm guessing this is a bug in Facebook - the UI implies that you can have a page tab only app. The documentation doesn't say you can't, and I can't think of a good technical reason for it not to condsider a page tab URL as a valid URL.
Thanks to #julio-santos for pointing me at Facebook - Error Message: redirect_uri is not owned by the application, which seems to be the same problem in a slightly different context.
Is there a way using Java to over-ride the browser authentication dialog box when a 401 message is received from the web server? I want to know when this dialog is being displayed, and instead of it being given to the user, I fill in the credentials for them.
Overview of application:
i wrote the web server, so essentially i want to stop someone from opening an external browser and putting in the localhost and port to gain access to the data being displayed. my app has an embedded web browser linked to my written server. the browser displays decrypted content, so if i force the auth (even for my embedded browser), an external browser would need credentials. if my embedded browser is trying to access the files, i supply the credentials for the user and display the content
If you don't care about the password showing you can construct the URL so it passes the credentials ex. http://username:password#www.example.com This will by pass the authentication box but will show the user the credentials so also might not be what you are looking for.
SWT 3.5M6 has a new listener within it call AuthenticationListener. It simply listens for authentication event passed from the server and is fired. The code below is what performs the behavior I wanted. It waits for the auth, and if the host is my application, it passes back the credentials. Of course fill in the USER_NAME, PASSWORD and HOST_NAME with appropriate variables. Otherwise it lets the browser auth dialog pop up and makes the user enter the credentials. This code can also be found in the Eclipse SWT snippets page:
webBrowser.addAuthenticationListener(new AuthenticationListener()
{
public void authenticate(AuthenticationEvent event) {
try {
URL url = new URL(event.location);
if (url.getHost().equals(HOST_NAME))
{
event.user = USER_NAME;
event.password = PASSWORD;
}
else
{
/* do nothing, let default prompter run */
}
} catch (MalformedURLException e) {
/* should not happen, let default prompter run */
}
}
});
your question is a bit unclear. The whole basic authentication is based on HTTP Headers.
If the browser gets an authorization header than it displays the dialog. The content from the dialog is then send back to the server. There is nothing special about it. It iser username:password in base64 encoded. Have a look at
wikipedia
The problem is how you want to interfere. You would have to capture the authorization header and then for the next request you have to alter the HTTP header to include the credentials.
hope that helps
I think this is mostly browser-dependent behavior and what the server reports to the browser.
For example, Internet Explorer, being a Microsoft product, directly supports automatic sending of Windows credentials (you can modify this behavior in your Internet Settings) after an anonymous request fails in a 401.
Firefox, for example, does not and will always prompt the user even if it was set to remember the id and password via the password manager. IE will also prompt if auto-login fails (such as your Windows credentials still result in a 401 because you're id isn't allowed).
I don't think, as a web developer, you have much control over this besides setting up your server and app to work in the most expected and harmonious way... if you could, this might get into black hat territory.
If you want to control what is displayed to the user for authentication, you can change the auth-method in the login-config section of the web.xml from BASIC to FORM.
Then you can specify what page should be displayed when the user is authenticating, and, I suppose, pre-fill the credentials for them...but doesn't this defeat the whole purpose of security?
Setting up Authentication for Web Applications
Edit after further details:
My only suggestion would be to change the auth-method to CLIENT-CERT and require two-way SSL, where the client is also required to present a certificate to the server. If you install the certificate into your embedded browser (and make sure external browsers can't get the certificate) then you should be OK. And actually this should stop any authentication dialog from being displayed.