I have an Hapi.JS application that authenticates with a provider via Bell plugin.
Authentication works as expected. I check for an account in our DB associated with the Bell credentials upon successful login. If no user account is associated, I redirect to the registration page.
The problem is I can't pass user's profile data to the registration route. Even if I set a cookie, it is lost when redirected to the registration route.
I know I can use hapi-auth-cookie but I am planning to use JWT authentication and I don't want to add a new plugin just for passing basic user info to a specific route.
Do you have an idea how can I make it work?
Thanks!
Related
I have a service with multiple domains.
And I want to implement Sso in this service.
I tried to implement it using keycloak
I want to create a new login page with react instead of the login page of Key Clock. And I am thinking of implementing a spring security server separately to add an email or sms 2factor function.
In order to do that, I think I should use keycloak rest api.
But the problem is that I don't know how the key clock login page authenticates the user.
Can I know the login flow of the key clock in detail?
For example, if I want to check if Service 1 is logged in, do I need to redirect to the login page of Key Clock to check the cookie or session ID of the login page?
So how do I know if I'm constantly logged in?
Keycloak already provides a way to edit Login flow. You can also add more fields etc. to the Login Form and add 2 factor authentication as well. The only thing is, you will have to use Freemarker for the same.
See, https://www.keycloak.org/docs/latest/server_development/#implementing-an-authenticator and https://www.keycloak.org/docs/latest/server_development/#_themes
We are trying FusionAuth & looking to have a single step flow for Sign up + Sign In.
After user signs up, we want to show/land him directly to our application's dashboard page (without showing him login page in between the flow). The authentication should happen but internally i.e we are expecting OAuth2 standard IdToken in response to "WebApplication" so that web application can use IdToken to allow user to application.
Please note that we don't want to use approaches where we need to pass Username/password to our web application, don't want to handle user credentials. Also that we dont want to use Authentication Tokens returned in Registration flow because AuthenticationTokens are not that secure, looking to use OAuth2 based IdToken instead.
I have came across this post "https://fusionauth.io/community/forum/topic/165/taking-a-user-directly-to-the-registration-page/3" and tried following request, but it is showing Login page instead of registration.
/oauth2/register?client_id=<Configured_client_id>&redirect_uri=<Configured_redirect_uri>&response_type=code
(I have not used CSRF parameter though)
Please can you suggest why its showing Login Page?
You should be able to have a user register and be sent directly to your application, as long as you set the correct redirect_uri and put that on the registration URL:
https://local.fusionauth.io/oauth2/register?client_id=c50329fa-93e5-4618-8d9f-73d0ab069a23&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2F
The application will then receive a code that can be exchanged for an access token. You can call the userinfo endpoint with that token and get user information like email address, etc.
What you won't get that it seems like you might want is an id token. For that you'll have to send the user through the login process with a scope of profile. However, you could mind your own 'id token'-lite using the values from the userinfo endpoint and the JWT vending: https://fusionauth.io/docs/v1/tech/apis/jwt/#vend-a-jwt
Bypassing the login page so that it will directly in otp page Keeping in mind I know the username and password already.
Is there a way to do this in openam
Forgerock allows you to create custom links for custom login pages using service get parameter, soemthing like:
https://yourfqdn/openam/XUI/?realm=/users&service=OTPservice
OTPservice is a authentication chain that containes only otp login page, however from forgerock side, you need to find a way to tell forgerock wich user is trying to connect, since you dont want the username/password login page. It can be done using session upgrade, which means you create a session using a API call to authenticate your user without humain interaction, and then perform a session upgrade (the OTP login page).
Simple problem, I want to login and out of an app with various users to check different app functionality. App is using Auth0 for user management.
I am calling the /v2/logout url as a part of my flow.
But somehow, after logging out, when I login again the seamless SSO behavior runs and I'm immediately logged in again with no prompts -- it's as if the logout URL was never called.
Only way to get a login prompt again, is to clear my browser cache. Is there an auth0 cookie somewhere I need to delete as well? Or am I missing something? I'm reading the seamless SSO docs but don't see anything beyond calling /v2/logout.
Calling the Auth0 /v2/logout API endpoint will log the user out of Auth0 and optionally the IdP (if you specify federated parameter). It will not log out the user from your Application so you will need to implement that in your application.
Here in the Javascript SPA example, in the setSession() we are storing the Access token(along with its expiry) and the ID token in localStorage. In the logout() function we are then removing these entries. This is logging out from the Application user session. You can optionally redirect to /v2/logout to clear the Auth0 and IdP session as well in this function. That way, when you are checking if user is authenticated, the isAuthenticated() returns false and we force the user log in again.
So turns out, the issue is around redirecting the user as opposed to calling the logout url directly. I was using a separate ajax api call to the logout url. However when I use window.location.replace(logoutUrl), the logout actually happens.
From the auth0 docs:
To force a logout, redirect the user to the following URL:
https://YOUR_AUTH0_DOMAIN/v2/logout
Redirecting the user to this URL clears all single sign-on cookies set by Auth0 for the user.
So a separate call doesn't work -- have to redirect. Which I suppose makes sense -- a separate ajax call doesn't have the user session context.
I'm trying to figure out how is best to do authentication and login flow with Ember. I'll also add that this is the first web app I've built so it's all a bit new to me.
I have an Express.js backend with protected endpoints using JWTs (I'm using Passport, express-jwt and jsonwebtoken for that) and that all works.
On the client-side, I'm using Ember
Simple Auth with the JWT authenticator. I have the login flow working (I'm using the login-controller-mixin) and correctly see the isAuthenticated flag in the inspector after a successful login.
The thing I'm struggling with is what to do after login: once a user logs in and gets the token, should I make a subsequent call to get the user details, e.g. GET /me, so that I can then have a representative user model client side? These details would then let me transition to the appropriate route.
See this example in the repo for an example of how to add a property to the session that provides access to the current user.