Rails 3 with omniauth-google-oauth2 fails behind a proxy

Works fine when accessed directly and fails with
Not found. Authentication passthru.
when behind a reverse proxy

The proxy was adding an additional backslash:
Started GET "//users/auth/google_oauth2" for 127.0.0.1 at 2015-04-28 12:13:34
which was not recognized; the normal query was
Started GET "/users/auth/google_oauth2" for 10.113.163.121 at 2015-04-28 12:26:26 +0000
After correcting the proxy configuration, the OAuth process unfortunately still fails, as the client is not correctly redirected and the redirection URL passed to Google is wrong - probably some OAuth proxy is needed :(
EDIT: no proxy is needed when it is the client who engages Google first, using the so-called hybrid/server-side flow:
https://developers.google.com/+/web/signin/server-side-flow
...but it has its own bottlenecks as discussed below:
https://github.com/zquestz/omniauth-google-oauth2/issues/122
and
https://github.com/zquestz/omniauth-google-oauth2/issues/174
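
The two failures described in the answer above, as an added Ruby example (not code from the post or from omniauth-google-oauth2): the doubled slash that stops the request path from matching, and a callback URL built from what the app sees behind the proxy instead of the public address. The env hash, the `app.example.com` host, the `/callback` suffix and all function names are constructed for illustration.

```ruby
# Constructed values: the public host name and callback suffix are assumptions.
TRUSTED_HOSTS = ["app.example.com"].freeze
CALLBACK_PATH = "/users/auth/google_oauth2/callback"

# Collapse runs of "/" so "//users/auth/google_oauth2" matches the route again.
def normalize_path(path)
  path.squeeze("/")
end

# Exact-match routing, which is why the doubled slash is "Not found".
def auth_route?(path)
  path == "/users/auth/google_oauth2"
end

# What an app computes when it only looks at the connection from the proxy.
def naive_callback_url(env)
  "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{CALLBACK_PATH}"
end

# Forwarded headers may hold a comma-separated chain; take the first entry.
def first_value(header)
  header.to_s.split(",").first.to_s.strip
end

# Use the proxy's forwarded scheme/host, but only for allow-listed hosts,
# so a client-supplied X-Forwarded-Host cannot steer the OAuth redirect.
def proxied_callback_url(env)
  scheme = first_value(env["HTTP_X_FORWARDED_PROTO"])
  host   = first_value(env["HTTP_X_FORWARDED_HOST"])
  scheme = env["rack.url_scheme"] if scheme.empty?
  host   = env["HTTP_HOST"] if host.empty?
  raise ArgumentError, "unexpected scheme #{scheme.inspect}" unless %w[http https].include?(scheme)
  raise ArgumentError, "untrusted host #{host.inspect}" unless TRUSTED_HOSTS.include?(host)
  "#{scheme}://#{host}#{CALLBACK_PATH}"
end

# Constructed Rack-style env for a request that arrived through the proxy.
PROXIED_ENV = {
  "PATH_INFO"              => "//users/auth/google_oauth2",
  "rack.url_scheme"        => "http",
  "HTTP_HOST"              => "127.0.0.1:3000",
  "HTTP_X_FORWARDED_PROTO" => "https",
  "HTTP_X_FORWARDED_HOST"  => "app.example.com"
}.freeze
```

The URL returned by `proxied_callback_url` is the one that has to be registered as an authorized redirect URI for the OAuth client.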

Related

frontend cloud run app can not access my backend cloud run app due a MixedContent problem

I have two cloud services up and running.
frontend (URL: https://frontend-abc-ez.a.run.app/)
backend (URL: http://backend-abc-ez.a.run.app/)
Frontend is calling the backend through a nuxt.js server middleware proxy to dodge the CORS problematics.
The call is coming through - I can see that in the backend log files. However the response is not really coming back through because of CORS. I see this error in the console:
Mixed Content: The page at 'https://frontend-abc-ez.a.run.app/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://backend-abc-ez.a.run.app/login'. This request has been blocked; the content must be served over HTTPS.
What I find weird is that I configured the backend url with https but it is enforced as http - at least that is what the error is telling me. Also I see a /login path segment in the unsecure URL. Why is that? I never explicitly defined that endpoint. Is it the security layer proxy of the run service itself?
Anyway - I need to get through this properly and am having a hard time understanding the source of the problem.
For some reason, when I rechecked the applications this morning, everything worked fine. I really have no idea why it is working now. I did not change a thing - I waited for the answers here before I'd continue.
Very weird. But the solution so far seems to be waiting. Maybe Cloud Run had some troubles.

Keycloak - Proxy / Front End Url / Javascript client redirect issue

I'm attempting to use Keycloak for some future projects and it's still very new to me so I'm plugging away reading through the docs and searching for issues online but I'm currently stumped on one thing - I have a vuejs app I’ve added as a client (127.0.0.1:3001), I have a reverse proxy setup in IIS (idp.mc.local) and then a docker container on Windows with keycloak running (127.0.0.1:8080), when I attempt to login, instead of being redirected back to the vuejs client I am just getting redirected to the root of the reverse proxy with the state value in the url, as in the network logs in the screenshot below:
[Image: Network logs showing incorrect 'Location' redirect]
If I don’t set a front end url for the realm and bypass the proxy / hook my vuejs client to login via Keycloak directly on 127.0.0.1:8080, it redirects to 127.0.0.1:3001/#state… correctly, as below:
[Image: Network logs showing correct 'Location' redirect]
I can't spot any way to sort this issue, I thought the front end url for the realm should state the proxy address? I can't see why Keycloak would redirect to it at the end of the login process rather than to my client app url, the redirect_uri is being ignored by keycloak and for some reason taking me back to the root of my proxy domain. If I actually manually visit 127.0.0.1:3001/#state… with the state value copied in from the incorrect redirect, I log in successfully.
It's baffling me and any help would be appreciated!
The answer did turn out to be an IIS related issue, with the setup of Application Request Routing / ARR being the problem. What was needed was to edit the settings for IIS Application Request Routing and uncheck the option "Reverse rewrite host in response headers", as can be seen in the image below:
[Image: IIS ARR checkbox to untick]
Hopefully this will be helpful for someone else who might have the same issue at some point!
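
One way to tell from captured traffic whether a proxy rewrote the final redirect, as an added Ruby example that is not part of the original post: it compares the `redirect_uri` sent in the authorization request with the `Location` header the browser received. The realm name, client id, state and code values are constructed; the hosts are the ones named in the question.

```ruby
require "uri"

# Scheme, host and port of a URL; the fragment and path are ignored.
def origin(url)
  u = URI.parse(url)
  [u.scheme, u.host, u.port]
end

# Pull the redirect_uri parameter out of the authorization request URL.
def requested_redirect_uri(auth_request_url)
  query = URI.parse(auth_request_url).query.to_s
  URI.decode_www_form(query).to_h["redirect_uri"]
end

# Classify the Location header seen by the browser after login.
def check_redirect(auth_request_url, location_header)
  expected = requested_redirect_uri(auth_request_url)
  return :no_redirect_uri if expected.nil?
  return :ok if origin(expected) == origin(location_header)
  # Redirect points at the host the login request was sent to: the proxy
  # replaced the client's origin on the way back.
  return :rewritten_to_proxy_host if origin(location_header) == origin(auth_request_url)
  :unexpected_origin
end

# Constructed sample traffic (realm "demo" and client "vue-app" are made up).
AUTH_REQUEST = "http://idp.mc.local/auth/realms/demo/protocol/openid-connect/auth" \
               "?client_id=vue-app&redirect_uri=http%3A%2F%2F127.0.0.1%3A3001%2F" \
               "&response_type=code&state=abc"
LOCATION_VIA_PROXY = "http://idp.mc.local/#state=abc&code=xyz"
LOCATION_DIRECT    = "http://127.0.0.1:3001/#state=abc&code=xyz"
```

A `:rewritten_to_proxy_host` result points at the proxy's response-header rewriting rather than at the identity provider's redirect URI settings.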

Google OAuth2 Error: redirect_uri_mismatch

My client uses the "other" type.
I have no idea why I get the redirect_uri_mismatch error. It works on localhost but not on the domain.
Client type "other" is for installed applications. It should not have a redirect URI; the way it works is that it returns the authorization code directly back to where it came from, that being
localhost
127.0.0.1
urn:ietf:wg:oauth:2.0:oob
For some reason your code is sending an https redirect URI, which is incorrect; it should not be doing this. It looks like you are using the code for a web browser application with a native application client.

How to get website using SSL to work on Okta with SAML

Please forgive me if this question is poorly asked. I will delete it if it's a waste of everyone's time. I didn't implement this so I'm walking blind. The person who implemented this left and I need to get something to work.
So we are running our website from the play framework version 2.1.2 on a Centos server. When I execute "ps", I can see play is listening on port 9005 for http and 9004 for https.
The website requires authentication from Okta (I can probably post snippets of Java code showing this if needed) so users must authenticate from Okta via SAML before they can use our site.
Inside Okta, under SAML settings, there are 4 URLS:
SSO URL
Recipient URL
Destination URL
Audience URI (SP Entity ID)
If I set all urls to be http://mysite.mydomain.com:9005/login?client_name=Saml2Client, it works fine. The site works fine.
If I change all the urls to use https and port 9004 ( https://mysite.mydomain.com:9004/login?client_name=Saml2Client), it doesn't work. I get a HTTP 500 error.
Even weirder is that if I authenticate thru Okta and in another tab type in the host server instead of the FQDN, it works. https://servername.mydomain.com:9004 works fine. It's just when I log on thru Okta and click on the icon (or type the FQDN) that it gives me a HTTP 500 error.
What is Okta looking at when looking at each of the URLs? What do I need to look for to compare the difference between port 9004 and 9005 to get port 9004 to work thru Okta?
So summary:
http://mysite.domain.com:9005/login.... - works thru Okta
https://mysite.domain.com:9004/login... - doesn't work thru Okta
https://servername.domain.com:9004 - typed in URI bar, works fine
If more information is required to answer my question, let me know and I'll update the question.
Does your Okta configuration look like this?
While your app has that end point properly configured.
Attaching a Scala snippet of a controller end point as an example:
    // End point secured with the "SAML2Client" client
    def oktaLogin = Secure("SAML2Client") { profiles =>
      Action.async { implicit request =>
        // The id of the first profile is used as the e-mail address
        val email = profiles.head.getId
        login(email)
      }
    }
So our situation is this. We were using the Play framework ver 2.1.2. We are also using the play-pac4j library ver 1.1.4. for SAML support. Apparently, in the pac4j lib, there's a file called JavaWebContext.java. Inside, it hardcodes the scheme to be http. This messes us up, and not Okta.
Starting in version 1.4.x of this library, we see it check which scheme we need (http or https).
I'm not sure if we can use play 2.1.2 with version 1.4.x of the pac4j library or not. I'll update this answer when/if we find out.

Redirect Status Code 302 between Tomcat and IIS 7.0 is not properly handled by the isapi redirector

We recently installed a web application under Tomcat 6 which is connected over the isapi redirector interface (see http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html) to an IIS 7 server. The connector works properly in every case, except for some pages in the web application that return a status 302, with a new location to redirect for.
The browser gets the 302 back and requests the new location, but the IIS web server does not forward the request to the Tomcat server and returns a 404 error instead, even though the uri worker map looks correct to me.
The corresponding uri worker rule is:
/WebClientServlet/*=worker1
and the location url of the new location looks like the following:
http://localhost/WebClientServlet/SBS/cmd:editContent2/workflow:false/articleSearch:false/confirmed:false/objectID:131294/---/fpse/db:test/objectID:131294/Copy+of+0001-Intranet+Home-main-ip+%28DE%29
I could solve the problem. The HTTP status code was actually a 404.11, which means (under IIS 7) that double escaped sequences are not allowed. There is a new feature introduced in IIS 7 called double escaped URL filtering. It is a default security filter, which refuses to load any URL that contains double escaped sequences. In order to solve the problem, switch the feature off for the web site which is used to access the Tomcat application over isapi-redirector. See more under http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering.
Ditch the ISAPI redirector. Up until today it is what I have been using. Check out the Application Request Routing for IIS7. Here is a walk through on how to set it up. If you want to use host headers look here.