currently my sso server is identityserver. I need to make the third failed attempt to enter a captcha is displayed and be validated by entering username and password. Is this possible? How?
It is possible, Check out the CustomViewService. All you need to do is add the client side code for captcha and youre good to go
Related
I need to give Google SSO a flag that force the user to reauthenticate when signing in and not to sign in automatically, I have read about the scopes/flags that could be sent with the request and didn't find relative answer, there is a flag called 'prompt' that could be set to 'consent' which ask the user to confirm they want to login but not to renter their Google password.
This option is exists in other sources that called Force Authentication but not with google.
Please confirm if there is option or not right now to make that and if not please let me know if this is something that you are working on. Thanks
I have tried searching for flags to force authentication when using Google SSO to let the user re enter their Google password
The OIDC specification has a value login for the prompt parameter. If you send prompt=login with your authorization request, then the user will be re-authenticated. However, even though Google claims to use OIDC, they seem not to support that value for the prompt parameter. The values that they support don't actually have the function you need, so I don't think it's currently possible to force that on Google auth.
I have a service with multiple domains.
And I want to implement Sso in this service.
I tried to implement it using keycloak
I want to create a new login page with react instead of the login page of Key Clock. And I am thinking of implementing a spring security server separately to add an email or sms 2factor function.
In order to do that, I think I should use keycloak rest api.
But the problem is that I don't know how the key clock login page authenticates the user.
Can I know the login flow of the key clock in detail?
For example, if I want to check if Service 1 is logged in, do I need to redirect to the login page of Key Clock to check the cookie or session ID of the login page?
So how do I know if I'm constantly logged in?
Keycloak already provides a way to edit Login flow. You can also add more fields etc. to the Login Form and add 2 factor authentication as well. The only thing is, you will have to use Freemarker for the same.
See, https://www.keycloak.org/docs/latest/server_development/#implementing-an-authenticator and https://www.keycloak.org/docs/latest/server_development/#_themes
i want an automaticalle login in my services when the user is already logged in into cas.
At the moment i must click the login button in every service manually to login.
My goal is when i'am logged in into cas and i join for example my jenkins service my user logged in automatically without clicking the log in button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seems to be making a Single Page Application(as you've said that you're needing a loggin button), and by going with that assuption, you'd need to have that login anyways. Except of course if you've set a script to check if there's a valid cookie already. More details appreciated(sorry, can't just comment)
I would like to understand something please.
I have an application based on oAuth2 with Google Accounts.
So, teh first time I connect to this website, I am redirected to the authentication page on Google domain. So I type my email and password and I dont check "trusted computer" (or "remember me", I dont remember the exact term).
The thing is if I reboot my computer or even delete my cookie (but not my history (tested with Chrome on Android phone), I am not prompted again for the authentication and I have directly access to the application.
I would like to understand why ?
If somebody can explain it to me that should be great !
Thank you
You can actually force re-authentication in the Google OAuth api by passing &max_auth_age=0 to the auth URL.
Source:
Use the PAPE extension for further control of user authentication (optional)
Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.
https://developers.google.com/accounts/docs/OpenID
It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.
The Google OAuth 2 API really doesn't give you a way to force re-authentication. Lots of people have asked for this capability though, and maybe we should provide it.
It's hard to say, since it depends on what the flow was that as being executed.
Generally (with oauth) you weren't being prompted for authentication. You were being prompted for authorisation. Once you've authorised, you won't be prompted again, provided of course that the browser/google have some sort of session in existence which identifies the user.
When you say "delete my cookie", which cookie?
Yo can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoke the permission. That should then cause a repeat prompt.
Background
We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.
For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.
The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.
Question
Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?
Edit
Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.
Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.
When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.
Possible solution but has a security risk
If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.
Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.
Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)