How can I access the HTTP session and request/response from an OpenAM custom authentication module? Anyone have an idea?
I am trying the OpenAM sample auth module, but nowhere did I find a way to access HttpServletRequest etc.
I have a requirement to access the HTTP session, as I am working on challenge/signature authentication. I store the challenge in the session on Login.jsp and the client signs it. Now, inside the custom auth module, I need access to that challenge in the session to verify it.
Is it passed somewhere in init?
public void init(Subject subject, Map sharedState, Map options)
Every custom auth module extends from AMLoginModule, which has HttpServletRequest :)
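An added example (not code from the question, the answer, or OpenAM's sample module) of what the module can look like once the request is in hand: it fetches the request through AMLoginModule.getHttpServletRequest(), takes the challenge out of the session, removes it so it can only be used once, and verifies the client's RSA signature over it. The class name, the session attribute name, the callback layout and the module option holding the public key are all assumptions; in particular, a real deployment would look the public key up per user in the identity store instead of reading one key from the module options.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.shared.datastruct.CollectionHelper;

/** Verifies that the client signed the challenge that Login.jsp stored in the HTTP session. */
public class ChallengeSignatureModule extends AMLoginModule {

    // Assumed attribute name: Login.jsp must store the random challenge bytes under the same key.
    static final String CHALLENGE_ATTR = "auth.challenge";
    // Assumed module option holding a base64 SubjectPublicKeyInfo (demo simplification, see lead-in).
    static final String PUBKEY_OPTION = "iplanet-am-auth-challenge-pubkey";

    private Map options;
    private String userName;

    @Override
    public void init(Subject subject, Map sharedState, Map options) {
        this.options = options; // the request is not passed here; it is fetched in process()
    }

    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        // Assumed callback layout (declared in the module's callback XML):
        // [0] NameCallback = username, [1] PasswordCallback = base64 signature over the challenge.
        String user = ((NameCallback) callbacks[0]).getName();
        char[] sig = ((PasswordCallback) callbacks[1]).getPassword();
        if (user == null || sig == null) {
            throw new AuthLoginException("username and signature are required");
        }

        // AMLoginModule exposes the current request; its session carries the challenge.
        HttpServletRequest request = getHttpServletRequest();
        HttpSession session = (request == null) ? null : request.getSession(false);
        if (session == null) {
            throw new AuthLoginException("no HTTP session, so no challenge to verify");
        }
        byte[] challenge = (byte[]) session.getAttribute(CHALLENGE_ATTR);
        // Consume the challenge before verifying so a failed or replayed attempt cannot reuse it.
        session.removeAttribute(CHALLENGE_ATTR);
        if (challenge == null) {
            throw new AuthLoginException("challenge missing or already used");
        }

        byte[] signature;
        try {
            signature = Base64.getDecoder().decode(new String(sig));
        } catch (IllegalArgumentException e) {
            throw new AuthLoginException("signature is not valid base64");
        }
        if (!verifySignature(publicKey(), challenge, signature)) {
            throw new AuthLoginException("signature does not match the challenge");
        }
        userName = user;
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    /** RSA/SHA-256 verification of the raw challenge bytes; any crypto error counts as failure. */
    static boolean verifySignature(PublicKey key, byte[] challenge, byte[] signature) {
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(key);
            verifier.update(challenge);
            return verifier.verify(signature);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /** Loads the demo public key from the module options (assumption, see lead-in). */
    private PublicKey publicKey() throws AuthLoginException {
        try {
            String b64 = CollectionHelper.getMapAttr(options, PUBKEY_OPTION);
            byte[] der = Base64.getDecoder().decode(b64);
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (GeneralSecurityException | IllegalArgumentException | NullPointerException e) {
            throw new AuthLoginException("module public key is missing or malformed");
        }
    }

    @Override
    public Principal getPrincipal() {
        final String name = userName;
        return new Principal() { public String getName() { return name; } };
    }
}
```

The challenge is removed from the session before the signature is checked, so each challenge can be answered exactly once regardless of the outcome, and a missing session or a request that skipped Login.jsp is rejected rather than silently passed.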
Related
I need to connect to an external API to validate user credentials and get claims for the user from within my custom UserService in IdSrvr, but using Client Credentials, as if IdentityServer were a client connecting to another service.
What should be the approach?
The first thing to come to my mind was to just make an HttpClient instance within UserService to connect to IdentityServer itself and make the request... But I don't know if there's a better/cleaner way.
The OwinEnvironment extension methods let you issue tokens.
using System.Threading.Tasks;
using IdentityServer3.Core.Extensions;   // IssueClientToken extension method
using IdentityServer3.Core.Models;       // LocalAuthenticationContext
using IdentityServer3.Core.Services;     // OwinEnvironmentService

// Injected by IdentityServer3; gives access to the current OWIN environment.
private readonly OwinEnvironmentService _owin;

public MyCustomUserService(OwinEnvironmentService owin)
{
    _owin = owin;
}

public async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
{
    // Issue a client-credentials token from this IdentityServer instance itself.
    var token = await _owin.Environment.IssueClientToken(
        clientId: "Banana",
        scope: "resource1",
        lifetime: 3600);
    // call protected API with token
}
Link to GitHub issue with same question
There is a grant for this called the Resource Owner Grant. Please read the spec accordingly.
The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application)
Most people would highly recommend that you do not use this grant, as it's an anti-pattern that requires the application to pass out user credentials, which goes against the whole idea of OIDC. This grant is mostly here and used for legacy purposes.
I started using the Alfresco SDK (All-in-One), the latest version. I am trying to customise authentication in Alfresco. I configured a new authentication using the documentation: authentication, but I want to provide JWT token-based authentication.
When I try to pass through an HTTP header: Authorization: Bearer mytoken - it is caught by BasicHttpAuthenticatorFactory from the child class RemoteUserAuthenticatorFactory and it says that it is not supported.
How do I pass my own bearer token and then invoke the public Authentication authenticate(Authentication authentication) throws AuthenticationException method? I do not see documentation for adding my own servlet filters.
Assuming you are running a 5.x version (4.something may also work) of Alfresco and your Servlet container supports the Servlet 3 spec (Tomcat 7 shipping with Alfresco 5.x is fine), then you can add a Servlet filter by following the spec - annotation- or web-fragment-based.
Not quite sure about your scenario, but I added OAuth authentication to Share without leveraging the Servlet API. I wired a custom Authentication Component into the chain and added a bunch of tweaks (LoginController etc.) to Share.
I'm aware of how AEM creates a cookie called "login-token" after successful authentication.
My question is how AEM validates this cookie in each request. Is there any filter available to intercept the request and then validate the cookie? If not, then how does AEM invoke the Sling authentication handler again?
I could not find it here: http://host:port/system/console/status-slingfilter
Please help me to clarify this.
Authentication is not done via a filter. Authentication is done before filter processing.
As soon as the request arrives, the OSGi HttpService calls handleSecurity of the HttpContext associated with the servlet/resource. In the case of Sling this calls into SlingMainServlet.handleSecurity, which calls SlingAuthenticator.authentication.
SlingAuthenticator selects an AuthenticationHandler for the request and forwards the authenticate call.
The authentication handler implements the extractCredentials method, which (based on the auth scheme, e.g. Authorization-header-based, session-based or cookie-based authentication) is responsible for reading credentials from cookies (or the header or session).
It returns AuthenticationInfo after successful authentication; if authentication fails, either an anonymous session is acquired (if anonymous is allowed per configuration) or the requestCredentials method is called, which renders (or redirects to) a login form.
After handleSecurity execution is done, HttpService either terminates the request (if handleSecurity returned false) or calls SlingMainServlet.service, which is the entry point for Sling request processing.
Request-level filters are processed after that. See https://sling.apache.org/documentation/the-sling-engine/filters.html
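An added example (not code from the answer, from AEM or from Sling itself) of the contract the answer describes: an org.apache.sling.auth.core.spi.AuthenticationHandler whose extractCredentials reads a cookie and validates it, with requestCredentials and dropCredentials for the login and logout paths. The cookie name, its HMAC-based format, the login page and the HmacCookieAuthenticationHandler class are assumptions made for the example; AEM's own login-token format is not shown here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Cookie handler; the cookie value is "user|expiresEpochSeconds|base64url(HMAC-SHA256 over user|expires)". */
public class HmacCookieAuthenticationHandler implements AuthenticationHandler {

    static final String COOKIE_NAME = "example-token"; // assumed name, not AEM's login-token
    static final String AUTH_TYPE = "HMAC-COOKIE";
    private final byte[] secret;                        // server-side key; from OSGi config in practice

    public HmacCookieAuthenticationHandler(byte[] secret) { this.secret = secret; }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = findCookie(request);
        if (cookie == null) {
            return null; // no credentials of our type: let other handlers or the anonymous path decide
        }
        String user = verify(cookie.getValue(), System.currentTimeMillis() / 1000);
        if (user == null) {
            return AuthenticationInfo.FAIL_AUTH; // cookie present but invalid: do not fall through to anonymous
        }
        return new AuthenticationInfo(AUTH_TYPE, user);
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.sendRedirect("/login.html"); // assumed login page
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        response.addCookie(expired);
    }

    private Cookie findCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c;
        return null;
    }

    /** Mints a token; in a real deployment this runs in the login servlet after the password check. */
    String mint(String user, long expiresEpochSeconds) {
        if (user.indexOf('|') >= 0) throw new IllegalArgumentException("user id must not contain '|'");
        String payload = user + "|" + expiresEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }

    /** Returns the user id if the token is well-formed, unexpired and its MAC matches; otherwise null. */
    String verify(String token, long nowEpochSeconds) {
        String[] parts = token.split("\\|");
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expires;
        try { expires = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (expires <= nowEpochSeconds) return null;
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        byte[] expected = hmac(parts[0] + "|" + parts[1]);
        return MessageDigest.isEqual(expected, given) ? parts[0] : null; // constant-time comparison
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The handler is registered as an OSGi service with the AuthenticationHandler path property so that SlingAuthenticator considers it for requests under that path. The distinction in extractCredentials matters: returning null means "nothing to say" and lets the anonymous path proceed if configured, whereas returning AuthenticationInfo.FAIL_AUTH for a present-but-invalid cookie makes the failure explicit instead of quietly downgrading the request to anonymous.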
I am following the sample below to enable authentication using Azure AD:
https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet
This example provides a signin option, when clicked does the authentication and recognizes the user.
Required behavior - what I am looking for is that the user is automatically authenticated on entering the base URL.
Could someone help me with how to achieve this?
The usual rules for ASP.NET authentication apply. For example, you can decorate your controller classes with [Authorize] - the first unauthenticated request will trigger the sign-in flow.
I am using Web API and token-based authentication for my API controllers (Authorization: Bearer xyzabc...). I now have a SignalR hub and would like to authenticate clients by the same token they have on the client side.
How would I do that? This link shows how to send the token through a URL parameter, but I am not sure how I can use that token and authenticate the user on the server side.
I solved this by passing the token as a parameter of my Hub method instead of the header, but I imagine it is possible to do it using headers too (just extracting the token from Context.Headers or something).
Either way, after getting the token in your hub method, just use this code:
public Task SendMessage(string message, string token)
{
    // Unprotect with the same ticket format Web API used to issue the bearer token.
    var ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(token);
    // Unprotect returns null for a tampered or foreign token, and it does not check expiry itself.
    bool isAuth = ticket != null
        && ticket.Identity.IsAuthenticated
        && !(ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc.Value < DateTimeOffset.UtcNow);
    // You can retrieve other details like username and userid from ticket
    // ...rest of your code..
}
I wouldn't send the token every time. I'd establish your context user principal in the OnConnected virtual method and read from a query string passed from a token.
In my case, I just created an abstract class that inherited from the Hub class and then stuffed my OAuth claims generation logic there. Then my regular concrete hubs just inherited from my base custom hub class.
Another option would be to use either a custom authorize attribute or another hub pipeline module.
I think these tactics might keep your code DRY and extendable.
I've discovered that when you call the default /Token handler of Web API from something like jQuery, the browser is also sent a cookie which is used to authenticate you with SignalR.
You ought to be able to use the [Authorize] attribute as well as Context.User.Identity in your SignalR hub methods to get the current user, as long as you've called /Token with valid credentials from the browser before connecting to the hub.