One link I saw said that if you login with HTTP Basic Authentication (Rack:Auth:Basic) then you can't really log out without killing cookies in your browser. So there's no good way to log out.
Another link said to use Rack::Session::Pool and then do a session.clear to logout.
What's the correct approach?
Related
We are currently implementing keycloak and we are facing an issue that we are not sure what’s the best way to solve it.
We have different webapps making use of the sso and that’s working fine. The problem we have is when we make log in using the sso in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it’s not necessary to be logged in to make use of it). When clicking on “login”, it automatically logs in the user (by making a redirection to keycloak and automatically logging the already logged user in the other webapp). This second logging happens “transparently” to the user, since the redirection to keycloak is very fast and it’s not noticeable. This behaviour is not very user friendly.
The question is: Taking into account that this second webapp can’t know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to force always the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak knows already them from other keycloak clients.
Thanks in advance!
In the mail listing from keycloak, they gave me a good solution but for version 4:
in admin console, go to Authentication
make a copy of Browser flow
in this new flow, disable or delete Cookie
go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save."
Use logout endpoint as a default login button action in your app and redirect uri param use for login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> user will be logged out and then it will be redirected to the login page
i want an automaticalle login in my services when the user is already logged in into cas.
At the moment i must click the login button in every service manually to login.
My goal is when i'am logged in into cas and i join for example my jenkins service my user logged in automatically without clicking the log in button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seems to be making a Single Page Application(as you've said that you're needing a loggin button), and by going with that assuption, you'd need to have that login anyways. Except of course if you've set a script to check if there's a valid cookie already. More details appreciated(sorry, can't just comment)
I'm trying to access Activiti Explorer from my Liferay portlet. My idea would be to bypass the Activiti login by adding username and password to the URL.
Something like:
Vedi Grafico
Disabling the login function would be good too, but I don't think it can be done. Does anyone have any ideas on how to best proceed?
Thank you!
It is not a good idea put the user and the password in a hiperlink. But if you have clear ideas, the best way for do this is ParameterAutologin.
Ensure that you have active this hook in your portal-ext.properties, if that is not the case you should add the ParameterAutoLogin and reboot the portal:
auto.login.hooks=com.liferay.portal.security.auth.ParameterAutoLogin
then if your portal login is by screenname you put this url:
http://localhost:8082/path¶meterAutoLoginLogin=test¶meterAutoLoginPassword=test
If your portal login is by email you put this url:
http://localhost:8082/path¶meterAutoLoginLogin=test#domain.com¶meterAutoLoginPassword=test
This works with all the urls of your portal. No matters the path.
I would like to understand something please.
I have an application based on oAuth2 with Google Accounts.
So, teh first time I connect to this website, I am redirected to the authentication page on Google domain. So I type my email and password and I dont check "trusted computer" (or "remember me", I dont remember the exact term).
The thing is if I reboot my computer or even delete my cookie (but not my history (tested with Chrome on Android phone), I am not prompted again for the authentication and I have directly access to the application.
I would like to understand why ?
If somebody can explain it to me that should be great !
Thank you
You can actually force re-authentication in the Google OAuth api by passing &max_auth_age=0 to the auth URL.
Source:
Use the PAPE extension for further control of user authentication (optional)
Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.
https://developers.google.com/accounts/docs/OpenID
It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.
The Google OAuth 2 API really doesn't give you a way to force re-authentication. Lots of people have asked for this capability though, and maybe we should provide it.
It's hard to say, since it depends on what the flow was that as being executed.
Generally (with oauth) you weren't being prompted for authentication. You were being prompted for authorisation. Once you've authorised, you won't be prompted again, provided of course that the browser/google have some sort of session in existence which identifies the user.
When you say "delete my cookie", which cookie?
Yo can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoke the permission. That should then cause a repeat prompt.
I want to intergrate alfresco with web application. i.e i have created a login page for my application.Now i want to use the same username and password to login to alfresco so that i dont have to login again using alfresco login page. Can anyone help me out in this?
Thanks and regards,
than1234
Please refer to login in http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference
Also look for SSO (Single-Sign On)... it would not only avoid your users to re-login to Alfresco, but to other applications. There is information in the manual, the wiki.alfresco.com site, and just by Googling. There are multiple ways to doing it, and choosing will depend on the protocols that you are using. Happy SSO'ing!
Look at this: http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference#Login
When you make a HTTP GET request to "/alfresco/service/api/login?u={username}&pw={password?}" you get alf_ticket back which you then use in following request instead of loging in each time.
You just append "&alf_ticket=YOUR_TICKET" in your requests... :)