I'm using Symfony 2.8, auth0/jwt-auth-bundle (version 1.2) and nelmio/cors-bundle (version 1.4.1).
The issue I'm having is when the active user logs out and logs back in, the new token I received from Auth0 is not automatically active; I have to wait up to one minute before making calls using the received JWT. If I used it immediately everything returns 500 error (using postman or my app to test).
After approximately one minute, without doing anything, it becomes active and calls start giving 200 response status.
Why I'm I having this delay? I need the token to be active as soon as the user logs in. Am I missing some configuration?
Here are my settings:
jwt_auth:
domain: "domain.com"
client_id: "%client_id%"
client_secret: "%client_secret%"
secret_base64_encoded: "%secret_base64_encoded%"
nelmio_cors:
defaults:
allow_credentials: false
allow_origin: []
allow_headers: []
allow_methods: []
expose_headers: []
max_age: 0
hosts: []
origin_regex: true
paths:
'^/api':
allow_credentials: true
allow_origin: ['*']
allow_headers: ['*']
allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS']
expose_headers: []
max_age: 3600
Based on the information you provided the most likely cause of the problem would be a clock skew between the server issuing the JWT (Auth0) and the server validating the JWT (your application).
Check this documentation for more information about clock skew and what to do about it (the documentation page is associated with the Auth0 AD Connector library, but clock skew is a general problem).
This can be fixed by ensuring that the System is properly configured to use to pool a sync server via the NTP (Network Time Protocol).
You can also confirm if this is indeed the problem by decoding the received JWT in [https://jwt.io/] and checking its lifetime related claims exp, nbf and/or iat.
Related
I have an admin dashboard react app that's running on admin.localhost.com:3000. I have an api server that's running on www.localhost.com:1337, and we have one react app for all clients, but each client uses it on a subdomain, for example, abc.localhost.com:4200, bcd.localhost.com:4200.
So from my admin dashboard I'm trying to log into abc as a client. The api server, when requested, verifies the admin, sets the cookie in the response for abc.localhost.com:4200 and responds with link for the client https://abc.localhost.com/home. The browser code passes the link to window.open().
However, if I check the browser tab for https:abc.localhost.com:4200, I don't see the cookie, so obviously the authentication fails.
res.cookie('token', token, {
secure: true,
domain: `abc.localhost.com:4200`,
sameSite: 'Lax',
maxAge: moment()
.add(10, 'minutes')
.valueOf(),
})
withCredentials is enabled for the client side agent, and the api server is configured accordingly.
It can't be done, server running on www.localhost.com:1337 can't set cookies for abc.localhost.com:4200. Allowing that would be apocalyptic.
We are trying to implement OIDC for user onboarding from our main platform to our secondary platform
While calling AutomaticSilentRenew function it leaves the following error:
Is there anything wrong here (PFA)
OIDC config Object:
VUE_APP_OIDC_CONFIG={"authority": "https://auth.mainPlatform.com", "clientId": "<client-id>", "redirectUri": "http://localhost:8080/oidc-callback", "popupRedirectUri": "http://localhost:8080/oidc-popup-callback", "responseType": "id_token token", "scope": "openid email", "automaticSilentRenew": true, "automaticSilentSignin": true, "silentRedirectUri": "http://localhost:8080/silent-renew-oidc.html"}
Error:
{context: "authenticateOidcSilent", error: "login_required"} App.vue?234e:38 I am listening to the oidc error event in vuex-oidc context: "authenticateOidcSilent" error: "login_required"
That's an absolutely standard part of the silent renewal flow and can happen for 2 reasons:
When the Authorization Server Session Cookie expires
If a browser drops the AS session cookie - eg Safari is likely to do this in 2020
The usual action when you get a login_required error code is to redirect the user to sign in again.
TROUBLESHOOTING
If this is happening on every token renewal request, I would debug via a tool such as Fiddler to see if the cookie is being sent. Your problem might be caused by recent browser restrictions on cross domain cookies.
For something to compare against, see my Silent Token Renewal blog post.
I am trying to create a web app whose main task is fixing appointment.
I do not want to access any mail data of the logged in user.
I only want to implicitly login using an outlook account (my account) to which I have admin access. I want to connect with this account, fetch its calendar events and display the events to the logged in user so that the user can select any available spots.
I have registered my app in the azure portal and provided all the application permissions (earlier I tried with Delegated permissions as well; but I guess delegated permissions are not for my use case).
Thereafter, I tried to fetch the token for my profile using:
this.http.post(`https://login.microsoftonline.com/f8cdef31-a31e-4b4a-93e4-5f571e91255a/oauth2/v2.0/token`,
{
client_id: 'my-client-uuid',
scope: 'https://graph.microsoft.com/.default',
grant_type: 'client_credentials',
client_secret: '****myclientsecret****'
},
{
headers: {
Host: 'login.microsoftonline.com',
'Content-type': 'application/x-www-form-urlencoded'
}
}
).subscribe(resp => {
console.log(resp);
});
as suggested in this article.
However, my request fails while doing this and states that the request body must contain 'grant_type' when I am clearly sending that.
Can someone please suggest me how I can implicitly get data from my own outlook account in a web app.
Update: I used the suggestion from this, appears that the request is going through now. However, the browser throws CORS error saying that the server didn't have appropriate headers.
Update 2: Found this link, which seems to address the exact issue I am facing. I however already have the redirect URI for SPA. The issue still persists.
Im using Auth0 for authenticating users for my react application.I have been trying to access resources on server side but I keep getting UnauthorizedError: jwt malformed as an Error.
I’ve followed a the following thread on the community forums: https://community.auth0.com/t/unauthorizederror-jwt-malformed-in-express-js/7352
Many users have suggested that the audience value from the guide is wrong. The audience given in the guide is https:///userinfo but it should be ‘https://.auth0.com/api/v2/’, I’ve made that change and the error is still there.
This has worked for some people but not for me.
This is the guide ive been following: https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/
const checkJwt = jwt({
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://<domain>/.well-known/jwks.json`
}),
// Validate the audience and the issuer.
audience: "https://<something>/api/v2/",
issuer: `https://<something>/`,
algorithms: ["RS256"]
});
this is the code ive written on the express side.
this.auth0 = new auth0.WebAuth({
// the following three lines MUST be updated
domain: "<Domain>",
audience: "https://<Something>/api/v2/",
clientID: "clientID",
redirectUri: "http://localhost:3000/callback",
responseType: "token",
scope: "openid"
});
This is the code written on the frontend of the application.
One of our senior engineers had a good recommendation on this that I will share below:
If you haven't done so already you should perform these steps:
capture the token you receive; for example, using a console.log statement given this is in development.
review the captured token; does it look like a JWT?
if its a JWT and you can parse it at jwt.io then update the API to log the received token before trying to validate it; does the received
token match the one you expect?
In conclusion, try to take steps that allow you to gather a bit more
of information.
It is said that "To define cookie authentication, use API keys instead." in the official documentation
https://swagger.io/docs/specification/describing-parameters/#cookie-parameters
The fact is we tried with
components:
securitySchemes:
cookieAuth:
type: apiKey
in: cookie
name: sessionId
...
security:
- cookieAuth: []
Using the above code, in Swagger UI we are able to click on the padlock to set the value of the sessionId. But when we execute the method, the value of the cookie is NULL and we don't see the cookie sent in the Headers (Chrome Developer tool)
I tried also to put that in cookie parameter like this:
parameters:
- in: cookie
name: sessionId
required: true
schema:
type: string
But there again, same result (arrive null, and nothing in the debugger tool.
We use Swagger with openApi 3.0, other parameters, requestBody is working well, but not this cookie transmission.
Thx for anything that can have an idea.
Swagger UI and Swagger Editor currently do not support sending cookies in "try it out" requests:
https://github.com/swagger-api/swagger-js/issues/1163
As the developers explain, the issue is that it's almost impossible to send arbitrary cookie data to a different origin from within the browser.
SwaggerHub supports cookie auth and cookie parameters though. SwaggerHub sends "try it out" requests from its servers rather than from your browser, which makes it possible to send requests with a user-defined Cookie header.
Disclosure: I work for the company that makes SwaggerHub.