TYPO3 - external authentication of be_users with tx_sv_authbase - authentication

I am using TYPO3 4.5 and have to authenticate fe_users and be_users from an external source.
In my extension I have subclassed tx_sv_authbase and implemented the getUser() and authUser() functions.
For fe_users everything works fine! Depending on what I return in authUser() the login happens or not.
But I can't get it to work for be_users. Shouldn't it work exactly the same? No matter if I return 200 or true, I can't log in with my extension. What could be the reason for this? Any hints?

Yes, it should be exactly the same for be_users as for fe_users.
Please check ext_localconf.php to see if both authUserFE and authUserBE are used as subtypes (separated by a comma).
I have created a Yubikey OTP auth service for TYPO3, which authenticates local TYPO3 users with a Yubikey OTP. My extension does not use getUser(), but authentication works both for fe_users and be_users. Maybe this helps you with debugging and fixing your problem.

I got it to work now! Also the RSA encryption system which is default in TYPO3 6.2 is awesome! :)
The problem was in my getUser() function. There you have to map to existing users (if your user names from the external source aren't also contained in the TYPO3 database) and I forgot that my backend user name is different to my frontend user name.
The other confusing thing was that for some changes to take effect you always have to delete the cache files in typo3conf. This cost me some time. :)
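The answer above points at the subtype list in ext_localconf.php, and the poster's own fix was the FE/BE name mapping inside getUser(). The following is an added example (not code from this thread, from the poster's extension or from TYPO3 itself) that puts both together for TYPO3 4.5: the service key tx_extauth_sv1, the file layout, the mapping table and the externalCheck() helper are assumptions to be replaced by your own extension's values.

```php
<?php
// Added example, not code from the thread: a TYPO3 4.5 auth service that
// handles fe_users AND be_users. Two things must both be right: the subtype
// list registered in ext_localconf.php, and the mapping in getUser() from the
// external login name to the local record of the CURRENT login type.
// tx_extauth_sv1, the file paths, the mapping table and externalCheck() are
// assumptions; replace them with your extension's own.

// ---- ext_localconf.php ----------------------------------------------------
if (!defined('TYPO3_MODE')) {
    die('Access denied.');
}
t3lib_extMgm::addService(
    $_EXTKEY,
    'auth',             // service type
    'tx_extauth_sv1',   // service key (assumed)
    array(
        'title'       => 'External authentication (example)',
        'description' => 'Authenticates FE and BE users against an external source',
        // Leaving out the two *BE entries is the usual reason a service that
        // works for fe_users never runs for be_users.
        'subtype'     => 'getUserFE,authUserFE,getUserBE,authUserBE',
        'available'   => TRUE,
        'priority'    => 60,  // above the core tx_sv_auth (50), so it runs first
        'quality'     => 50,
        'os'          => '',
        'exec'        => '',
        'classFile'   => t3lib_extMgm::extPath($_EXTKEY) . 'sv1/class.tx_extauth_sv1.php',
        'className'   => 'tx_extauth_sv1',
    )
);

// ---- sv1/class.tx_extauth_sv1.php -----------------------------------------
require_once(t3lib_extMgm::extPath('sv') . 'class.tx_sv_authbase.php');

class tx_extauth_sv1 extends tx_sv_authbase {

    /**
     * Find the local user record for the submitted login; return the record
     * array or FALSE. $this->login['uident'] holds the plain password only for
     * the "normal" login security level (with rsa/challenged it does not).
     */
    public function getUser() {
        if ($this->login['status'] !== 'login' || $this->login['uname'] === '') {
            return FALSE;
        }
        if (!$this->externalCheck($this->login['uname'], $this->login['uident'])) {
            $this->writelog(255, 3, 3, 1, 'External check failed for %s', array($this->login['uname']));
            return FALSE;
        }
        // The poster's bug: the BE account name differed from the FE one, so the
        // lookup must depend on the login type ('FE' or 'BE'), not only on the
        // external name.
        $localName = $this->mapToLocalName($this->login['uname'], $this->authInfo['loginType']);
        $user = $this->fetchUserRecord($localName);
        if (!is_array($user)) {
            return FALSE; // no matching record in fe_users / be_users
        }
        $user['tx_extauth_verified'] = TRUE; // flag consumed by authUser()
        return $user;
    }

    /** 200 = authenticated, stop the chain; 100 = not ours, try next; 0 = deny. */
    public function authUser($user) {
        return !empty($user['tx_extauth_verified']) ? 200 : 100;
    }

    /** Assumed mapping: external name -> local name, per login type. */
    protected function mapToLocalName($externalName, $loginType) {
        $map = array(
            'FE' => array('jdoe' => 'jdoe'),
            'BE' => array('jdoe' => 'admin_jdoe'),
        );
        return isset($map[$loginType][$externalName]) ? $map[$loginType][$externalName] : $externalName;
    }

    /** Placeholder for the real external source (LDAP, SOAP, ...). */
    protected function externalCheck($username, $password) {
        return FALSE; // replace with the real check; never return TRUE unconditionally
    }
}
```

Because authUser() only trusts the flag that getUser() set on the very record it returned, a record fetched by some other getUser service in the chain falls through with 100 instead of being accepted. After changing either file, clear the cache files in typo3conf as the poster notes, or the old service registration keeps running.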

Related

Logout from Github Laravel Socialite

I have made an API in Laravel with Socialite and GitHub and I need to log out so that the application asks me which GitHub account I want to log in with every time.
What you are asking is how to log out your registered user (which used GitHub) and destroy the oAuth session of GitHub?
Maybe have a look at this:
laravel socialite logout issue
OK.
If you are using socialite, do check the documentation of each provider you use. Probably you should make a GET or a POST request to their service in order to log out the user.
For example, Globus.org uses this link (documentation link) in order for you to log out your users:
GET https://auth.globus.org/v2/web/logout
Clicking it will log out your user from your service.
Do note that most providers might use similar techniques.
Use Postman to make such requests and experiment (especially when you are trying to register users, making calls with Postman might be helpful).
Then you are faced with the following issue:
What type of data did you store in your database? (the next bullet might help you understand what I mean)
Did you store in some way, the provider name the user used to login to your system?
If so, each provider might use a different way to log out / register a user from your Laravel project.
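The answer makes two points: the local Laravel session and the provider's own session are separate, and you need to have stored which provider a user signed in with. The following is an added example (not code from the thread or from Socialite) of a logout route that handles both layers; it assumes a `provider` column on the user model and a per-provider map of web logout URLs, of which only the Globus one comes from the thread.

```php
<?php
// Added example, not from the thread: a Laravel logout route that ends the
// local session and then sends the browser to the provider's own web logout,
// so the next Socialite redirect has to ask for the account again.
// Assumptions: users have a "provider" column saved at registration, and the
// $providerLogoutUrls map below (only the Globus URL is from the thread).

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

$providerLogoutUrls = array(
    'globus' => 'https://auth.globus.org/v2/web/logout',
    'github' => null, // PLACEHOLDER: check the provider's documentation
);

Route::post('/logout', function () use ($providerLogoutUrls) {
    $user = Auth::user();
    $provider = $user ? $user->provider : null; // assumed column

    // 1. Local layer: drop the guard's user, throw away the session data and
    //    rotate the CSRF token so the old session id is worthless if reused.
    Auth::logout();
    request()->session()->invalidate();
    request()->session()->regenerateToken();

    // 2. Provider layer: if the provider exposes a web logout, send the browser
    //    there. Without this the provider's SSO cookie survives and the next
    //    /login redirect completes silently with the same account.
    $target = ($provider !== null && !empty($providerLogoutUrls[$provider]))
        ? $providerLogoutUrls[$provider]
        : '/';
    return redirect($target);
});
```

The route is a POST on purpose: a GET logout link can be triggered cross-site and used to log a victim out. Whether step 2 is possible at all depends on the provider; where the map entry is null, only the local session is cleared and the user will still see a silent re-login at the provider.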

Why does my HANA XS browser session not timeout on inactivity?

I have an XSJS page served by HANA. When I try to access it from a browser, I need to go through a basic authentication mechanism which is fine.
So far so good. But how can I configure HANA XSEngine so that it times out my web session after I have left it unused for a long time? I have configured the xsengine -> httpserver -> sessiontimeout parameter to 30 (I was told it is in seconds) but that does not help. So long as the browser remains open, the session remains live.
One trick I have is to close the browser. Another trick is to delete active login sessions in the browser history. Both force me to re-login, very nice. But these are so lame because they rely on a user action. I am sure SAP HANA is wiser than that.
I will greatly appreciate your help. Is there a different parameter to set? I am on SP07. I run xsengine as a separate process.
Thanks a lot.
Firstly, you shouldn't be using Basic Auth at all. Here are some resources regarding that.
You should look at using the other methods of login. I assume you are trying to authenticate yourself as a HANA user. For this, you can use the super simple Form based authentication. To use this, you just have to include the following in your .xsaccess file at the root of the package:
{
    "authentication": [
        {
            "method": "Form"
        }
    ]
}
This would route you to a login page that comes with HANA where you can log in. After a successful login, it will redirect you back to your application.
So the flow would be something like this:
You visit /some/app/index.html for which you need to be authenticated by HANA.
You are redirected to /sap/hana/xs/formLogin/login.html where you will login as a HANA user
You are redirected back to /some/app/index.html now authenticated as the user you logged in as.
When you use something like this, a proper session is maintained. At this point in time, your setting of xsengine > httpserver > sessiontimeout will work.
You can find a lot more information about this in this section of the SAP HANA Developer Guide.
Hope this helps. Please avoid using basic authentication.

Access to api from gitlab webhooks

I need to develop a bunch of my own web hooks (or services maybe) for auto deploy, report into project management systems, etc.
But the data posted to the web hook doesn't have enough information to fill my needs.
For example, I've received a simple push event; how can I know whether it is a force push or not? Okay, I have 2 treeishes, let's look at the repository and check this push — oops, I need a user token to do it. Sad.
What is the right method to access the GitLab API from web hooks? Probably I've missed something important? I'm really confused.
Upd1:
Let's try to find a solution. Possibilities
Imagine we can have a user who can read all projects in GitLab. But that user should be connected to each project to have access. Ok ;-(
What about reading the repo as the pusher? We can't, because we need to use his private token to do this.
Maybe some internal functionality to read all repos or something? Sure not.
So. Maybe database? Nope. Because we need to clone repo at first and can't save data in DB anyway with refreshing caches.
I think we need a security token and maybe many checkboxes with access permissions for each joined web hook or an app (service).
Please feel free to share your ideas.
I've remembered a partial solution. So the scenario will be like this:
Create a web service with your web hook.
Create an ssh key on the same host for some special user (usually the owner of the web hook service) to have access to the repos.
Add the ssh key created in the previous step as a deploy key.
Finally: register your webhook and add your deploy key for that hook to the project — repeat it for each project that needs this hook.
You have an event listener (your web hook service), and you have access to that repository (ssh/git).
But still that solution doesn't have access to the API itself.
Probably there is also another solution.
Create a custom admin user with a big random password and some synthetic name like HookBot or something; remember the private_token of that user;
Register your web hook;
Use API access to add your deploy key with HookBot (untested);
Use the sudo API to get sources or something else. Just mimic the pusher's account (sudo -u {author_id}) and go on: read the repo, work with it, etc.
Maybe some other solutions? More legit?
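The poster's concrete question ("is this push a force push?") can be answered from the payload's two SHAs plus the deploy-key clone from the partial solution, without any API token. The following is an added example (not code from the thread or from GitLab) of such a receiver; the clone path, the assumption that the clone's `origin` uses the deploy key, and the git version requirement are stated in the comments.

```php
<?php
// Added example, not from the thread: a GitLab push-hook receiver that decides
// whether a push rewrote history, using only the payload fields before/after/ref
// and a local clone whose "origin" remote is reachable over ssh with the deploy
// key from the partial solution. $repoDir is an assumption. Needs git >= 1.8.5
// for "git -C".

const ZERO_SHA = '0000000000000000000000000000000000000000';

/**
 * Classify a push payload. Returns array('kind' => create|delete|fast-forward|force)
 * or array('error' => ...). Every value that reaches the shell is validated
 * first: the payload is attacker-controllable if the hook URL becomes known.
 */
function classifyPush(array $payload, $repoDir) {
    foreach (array('ref', 'before', 'after') as $key) {
        if (!isset($payload[$key]) || !is_string($payload[$key])) {
            return array('error' => 'missing field: ' . $key);
        }
    }
    if (!preg_match('/^[0-9a-f]{40}$/', $payload['before'])
        || !preg_match('/^[0-9a-f]{40}$/', $payload['after'])
        || !preg_match('#^refs/(heads|tags)/[A-Za-z0-9._/-]+$#', $payload['ref'])) {
        return array('error' => 'malformed ref or sha');
    }
    if ($payload['before'] === ZERO_SHA) {
        return array('kind' => 'create');  // new branch or tag
    }
    if ($payload['after'] === ZERO_SHA) {
        return array('kind' => 'delete');  // branch or tag removed
    }
    // Fetch the new objects over the deploy key, then ask git whether the old
    // tip is an ancestor of the new one. If it is not, history was rewritten.
    if (runGit($repoDir, 'fetch --quiet origin') !== 0) {
        return array('error' => 'fetch failed');
    }
    $rc = runGit($repoDir, 'merge-base --is-ancestor '
        . escapeshellarg($payload['before']) . ' ' . escapeshellarg($payload['after']));
    if ($rc === 0) {
        return array('kind' => 'fast-forward');
    }
    if ($rc === 1) {
        return array('kind' => 'force');
    }
    return array('error' => 'unknown object; git exit code ' . $rc);
}

/** Run one git command inside $repoDir and return its exit code. */
function runGit($repoDir, $args) {
    $cmd = 'git -C ' . escapeshellarg($repoDir) . ' ' . $args . ' 2>&1';
    exec($cmd, $output, $rc);
    return $rc;
}

// Entry point when GitLab POSTs the JSON body to this script.
if (PHP_SAPI !== 'cli') {
    $payload = json_decode(file_get_contents('php://input'), TRUE);
    $result  = classifyPush(is_array($payload) ? $payload : array(), '/srv/hooks/project.git');
    header('Content-Type: application/json');
    echo json_encode($result);
}
```

The strict SHA and ref patterns are what keep `exec()` safe here: nothing from the request body reaches the shell unless it matches them, and `escapeshellarg` is applied anyway as a second layer. The receiver still does not reach the GitLab API, exactly as the thread says; it only answers the one question the repository itself can answer.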

No prompt for re-authentication with OAUth2. Why and how to force it?

I would like to understand something please.
I have an application based on oAuth2 with Google Accounts.
So, the first time I connect to this website, I am redirected to the authentication page on the Google domain. So I type my email and password and I don't check "trusted computer" (or "remember me", I don't remember the exact term).
The thing is, if I reboot my computer or even delete my cookie (but not my history; tested with Chrome on an Android phone), I am not prompted again for authentication and I have direct access to the application.
I would like to understand why?
If somebody can explain it to me that would be great!
Thank you
You can actually force re-authentication in the Google OAuth api by passing &max_auth_age=0 to the auth URL.
Source:
Use the PAPE extension for further control of user authentication (optional)
Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.
https://developers.google.com/accounts/docs/OpenID
It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.
The Google OAuth 2 API really doesn't give you a way to force re-authentication. Lots of people have asked for this capability though, and maybe we should provide it.
It's hard to say, since it depends on what flow was being executed.
Generally (with oauth) you weren't being prompted for authentication. You were being prompted for authorisation. Once you've authorised, you won't be prompted again, provided of course that the browser/google have some sort of session in existence which identifies the user.
When you say "delete my cookie", which cookie?
You can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoking the permission. That should then cause a repeat prompt.

JAAS Authentication to Windows Domain

Using a provided username, password, and domain name, how can I retrieve a boolean value indicating whether a user has successfully authenticated with a primary domain controller? Authentication should be performed using the Kerberos protocol for Windows domain controllers. Thanks in advance, Dan
There's a free implementation of a Windows-only JAAS login module and of an SSO Negotiate (Kerberos/NTLM) authenticator: Waffle.
You need to either write your own or use a third-party authentication module for that. When I was doing this, there was nothing available from the JDK, so I used this tool. Note that it's GPL, but you can learn from there. You will have to create a conf file describing your authentication module and feed it to your JVM with the java.security.auth.login.config property (e.g. using -D, or either way). In the case of Tagish it looks something like this:
NTLogin
{
    com.tagish.auth.win32.NTSystemLogin required returnNames=true returnSIDs=false defaultDomain="domain";
};
Another thing you will need is to specify the Kerberos configuration file via the java.security.krb5.conf property. I don't have the details of this file handy, but you can easily find it on the net -- google for krb5.conf. Settings in this file will have to match your Windows domain and other Windows-specific settings.
It's a bit tricky to configure, but for me it worked very well, pretty robust.