I have an XSJS page served by HANA. When I try to access it from a browser, I need to go through a basic authentication mechanism which is fine.
So far so good. But how can I configure HANA XSEngine so that it times out my web session after I have left it unused for a long time? I have configured the xsengine -> httpserver -> sessiontimeout parameter to 30 (I was told it is in seconds) but that does not help. So long as the browser remains open, the session remains live.
One trick I have is to close the browser. Another trick is to delete active login sessions in the browser history. Both force me to re-login, very nice. But these are so lame because they rely on a user action. I am sure SAP HANA is wiser than that.
I will greatly appreciate your help. Is there a different parameter to set? I am on SP07. I run xsengine as a separate process.
Thanks a lot.
Firstly, you shouldn't be using Basic Auth at all. Here are some resources regarding that.
You should look at using the other methods of login. I assume you are trying to authenticate yourself as a HANA user. For this, you can use the super simple Form based authentication. To use this, you just have to include the following in your .xsaccess file at the root of the package:
{
    "authentication": [
        {
            "method": "Form"
        }
    ]
}
This would route you to a Login page that comes with HANA where you can login. Post successful login, it will redirect you back to your application.
So the flow would be something like this:
You visit /some/app/index.html for which you need to be authenticated by HANA.
You are redirected to /sap/hana/xs/formLogin/login.html where you will log in as a HANA user.
You are redirected back to /some/app/index.html now authenticated as the user you logged in as.
When you use something like this, a proper session is maintained. At this point in time, your setting of xsengine > httpserver > sessiontimeout will work.
You can find a lot more information about this in this section of the SAP HANA Developer Guide.
Hope this helps. Please avoid using basic authentication.
I have made an API in Laravel with Socialite and GitHub, and I need to log out so that the application asks me which GitHub account I want to log in with every time.
What you are asking is how to log out from your registered user (which used GitHub) and destroy the OAuth session of GitHub?
Maybe have a look at this:
laravel socialite logout issue
OK.
If you are using socialite, do check the documentation of each provider you use. Probably you should make a GET or a POST request to their service in order to log out the user.
For example, Globus.org uses this link (documentation link) in order for you to log out your users:
GET https://auth.globus.org/v2/web/logout
Clicking it will log out your user from your service.
Do note that most providers might use similar techniques.
Use Postman to make such requests and experiment (especially when you are trying to register users, making calls with Postman might seem helpful).
Then you are faced with the following issue:
What type of data did you store in your database? (The next bullet might help you understand what I mean.)
Did you store, in some way, the provider name the user used to log in to your system?
If so, each provider might use a different way to log out / register a user from your Laravel project.
We are currently implementing Keycloak and we are facing an issue that we are not sure what the best way to solve is.
We have different webapps making use of the SSO and that's working fine. The problem we have is when we log in using the SSO in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs in the user (by redirecting to Keycloak and automatically logging in the user already logged in to the other webapp). This second login happens "transparently" to the user, since the redirection to Keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.
The question is: taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to Keycloak), is it possible to always force users to log in for a specific Keycloak client? By this I mean actually ask the visitor for user/password even if Keycloak already knows them from other Keycloak clients.
Thanks in advance!
On the Keycloak mailing list, they gave me a good solution, but for version 4:
In the admin console, go to Authentication.
Make a copy of the Browser flow.
In this new flow, disable or delete Cookie.
Go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save.
Use the logout endpoint as the default login button action in your app, and use the redirect_uri param for the login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> user will be logged out and then it will be redirected to the login page
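The nested logout-then-login URL above is easy to get wrong because the inner login URL (with its own ?, & and = characters) must be percent-encoded as a single redirect_uri value. This added example (not code from the thread or from Keycloak) builds that URL with the standard library and decodes it again to check the encoding survived; the server base, realm, client id and callback are assumed placeholder values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders, not values from the original thread.
AUTH_SERVER = "https://auth-server/auth"
REALM = "myrealm"
OIDC_BASE = f"{AUTH_SERVER}/realms/{REALM}/protocol/openid-connect"


def build_login_url(client_id, app_redirect_uri, extra=None):
    """Authorization endpoint URL for the specific client (the inner URL)."""
    params = {
        "client_id": client_id,
        "redirect_uri": app_redirect_uri,
        "response_type": "code",
        "scope": "openid",
    }
    if extra:
        params.update(extra)  # e.g. state, nonce, code_challenge
    # urlencode percent-encodes the callback URL inside the query string.
    return f"{OIDC_BASE}/auth?{urlencode(params)}"


def build_logout_then_login_url(client_id, app_redirect_uri, extra=None):
    """Logout endpoint whose redirect_uri is the fully encoded login URL.

    Encoding the whole login URL once more is what keeps its '&' and '='
    from being parsed as parameters of the logout request itself.
    """
    login_url = build_login_url(client_id, app_redirect_uri, extra)
    return f"{OIDC_BASE}/logout?{urlencode({'redirect_uri': login_url})}"


def outer_params(url):
    """Query parameters the logout endpoint itself would see."""
    return parse_qs(urlsplit(url).query)


def inner_login_params(url):
    """Decode the nested redirect_uri and return the login request's params."""
    inner = outer_params(url)["redirect_uri"][0]
    return parse_qs(urlsplit(inner).query)


if __name__ == "__main__":
    url = build_logout_then_login_url("webapp2", "https://app.example/callback",
                                      {"state": "abc123"})
    print(url)
    print(inner_login_params(url))
```

Newer Keycloak releases deprecate redirect_uri on the logout endpoint in favour of post_logout_redirect_uri together with id_token_hint, so check the version you run before relying on this shape.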
I want an automatic login to my services when the user is already logged in to CAS.
At the moment I must click the login button in every service manually to log in.
My goal is that when I am logged in to CAS and I open, for example, my Jenkins service, my user is logged in automatically without clicking the login button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seem to be making a Single Page Application (as you've said that you need a login button), and going with that assumption, you'd need to have that login anyway. Except of course if you've set a script to check if there's a valid cookie already. More details appreciated (sorry, can't just comment).
We are starting a project based on the great JHipster work.
While we would like to keep the option to be session based (with a login page), we also need to enable clients to pass user info in the header of each request
(e.g. Authenticate: username:password) to have it sessionless, without a login, as regular users do.
Do we have this implemented OOTB? If not, what is the best approach for having that?
Thanks ahead for any comment & answer.
JHipster supports both "session-based" (with a login page, and the Spring Security token is stored in the HTTP session), and OAuth2 (which is stateless, and the tokens are stored in the database).
The OAuth2 mechanism also uses a login page, but I guess you could make it work without it if needed -> isn't this the best solution for you?
We also have another stateless mechanism in the pipe, see https://github.com/jhipster/generator-jhipster/issues/892
I would like to understand something please.
I have an application based on OAuth2 with Google Accounts.
So, the first time I connect to this website, I am redirected to the authentication page on the Google domain. So I type my email and password and I don't check "trusted computer" (or "remember me", I don't remember the exact term).
The thing is, if I reboot my computer or even delete my cookie (but not my history; tested with Chrome on an Android phone), I am not prompted again for the authentication and I have direct access to the application.
I would like to understand why?
If somebody can explain it to me that would be great!
Thank you
You can actually force re-authentication in the Google OAuth api by passing &max_auth_age=0 to the auth URL.
Source:
Use the PAPE extension for further control of user authentication (optional)
Use the max_auth_age parameter in the PAPE extension to ensure that the login session of the user at Google is recent. You may also specify max_auth_age=0 to force a password reprompt.
https://developers.google.com/accounts/docs/OpenID
It's a bit confusing because they talk about OpenID, but I'm doing this successfully with Google's provided OAuth2 libs.
The Google OAuth 2 API really doesn't give you a way to force re-authentication. Lots of people have asked for this capability though, and maybe we should provide it.
It's hard to say, since it depends on what the flow was that was being executed.
Generally (with oauth) you weren't being prompted for authentication. You were being prompted for authorisation. Once you've authorised, you won't be prompted again, provided of course that the browser/google have some sort of session in existence which identifies the user.
When you say "delete my cookie", which cookie?
You can try going to this page https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en_GB and revoke the permission. That should then cause a repeat prompt.