The problem is that we made that application long time ago and we don't know which account we used to create it. Now we need to update some configuration and all FB accounts I've tried are not managing that application.
Is there any way to find out the FB account name by FB applications key and secret, which we have stored in our ini file.
I know it's a weird situation, but I'll be really grateful for your help!!!
Thanks!
Sure you can. Create an access_token using the applications key and secret:
applicationKey|applicationSecret
Then use it to query the GraphAPI about itself:
https://graph.facebook.com/{appId}?access_token={appId}|{appSecret}&fields=contact_email,creator_uid
Fill the URL with your values.
You can use the key and secret to generate the access token. with the access token, user the facebook api to get the account information.
http://developers.facebook.com/docs/reference/api/user/
Or you can also check the test user to change anything.
https://developers.facebook.com/docs/test_users/
Related
I need to get access/refresh pair (or at least access) tokens from a custom REST endpoint.
So in general I need programmatically create a user session from SPI by user ID(without a user password)
Could you please suggest a better way or any examples, I'm not experienced in keycloak and I feel like missing something.
my keycloak version: 15.0.2
I think about using token_exchange and:
http://{ip}:{port}/auth/realms/{realm}/protocol/openid-connect/token
But not sure if it's will work as I expect, and if it's the best way.
If I understood correclty, you want to do user impersonation. Ie: create a token on behalf of user, without his consent.
To do that, externally to Keyckoak, you can use token exchange feature. This doc will help you: https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange
Basically, the idea is that you'll give to a client permission to create tokens for any user you want.
But your question is how to do that from inside a Service Provider Interface loaded by Keycloak.
To programmatically impersonate a user, you can actually just do as the token exchange code do.
Take a look at https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L131
You'll have to create a session for the desired user and build her token.
The crux it's here https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L227
I'm working on a web app where all users sign in using their Google account, using Google's OAuth2 API. I'm using ScribeJava to take care of the OAuth details.
I'm currently using the "sub" field of the user's ID token as their primary key in my database. When a new user logs in for the first time, their "sub" is stored for future logins.
I'm looking for a way for an administrator to add a user before they first log in - however, since I don't have the new user's "sub", I can't just add them to the database. Is there a way to use Google's API to look up another user's ID token (or at least the "sub" field) using their email address? Is there a better primary key that makes this easier?
Let me start by saying using the Sub id is probably a really good idea. However there is no way for you to get a users sub id from their email address. That information just isn't available until a user logs in as its part of the authentication Open Id connect claims.
Sorry but what you want to do isnt possible.
I have set up authentication for my application using the Azure Rest API / OAuth 2 flow, following the steps outlined here:
https://ahmetalpbalkan.com/blog/azure-rest-api-with-oauth2/
I have created an ActiveDirectory application within Azure which is linked to an ActiveDirectory instance.
Inside my own application I have configured it to post to the following Azure OAuth endpoint:
https://login.windows.net/<<MY-AD-TENANT-ID>>/oauth2/authorize?client_id=<<GUID>>&response_type=code
This all works fine. I can authenticate against my ActiveDirectory using emails of the form
someuser#<myDomain>.com
However, I have realised that I can also authenticate using any valid microsoft email address, which obviously means that anyone with a valid microsoft email can get an access token for my application e.g.
randomUser#hotmail.com
Can anyone tell me how I can restrict the authentication to just allow users who are in my Active directory? Users with emails of the form
someuser#<myDomain>.com
I have looked through the documentation but have had no luck so far.
Mechanics of Token Validation
What does that really mean: to validate a token? It boils down to three things, really:
Verify that it is well-formed
Verify that it is coming from the intended authority
Verify that it is meant for the current application
Your problem is that you are not doing the number 3 validation.
You probably are missing something like this in your application where you are validating the token:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = ConfigurationManager.AppSettings["ida:Audience"],
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
});
Currently I have the same problem and trying to figure out a solution.
That's what I found out:
After authentication you get back a JSON Web Token (see this page https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx). After decoding this, there are several information available. But I am not sure which of those could possibly make sure to only allow login of the specified Active Directory.
#Aram refers to the values audience (aud) and tenant (tid). Unfortunately audience is always set to the app_id given with the request and tenant is always set to the tenant-id of the Azure tenant, although you are using a live.com account, for example.
Finally, I came up with the idea of checking for the existence of oid (»Object identifier (ID) of the user object in Azure AD.«, https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx). I hope that this one will only be set if the user is part of the Active Directory that is issuing the authorization.
As a result, I set my app up to do the following: If in the decoded version of the id_token of the Access token response there is no oid property set – the login-request will be rejected.
Problem is: I can't confirm that my approach works, because I don't have a second Azure AD and can't check if only live/hotmail/... users will not be given a oid, but also users from different ADs. Maybe #bobbyr you could try that out and report?
Thanks to Thomas Ebert's prompt I've figured out a way to solve my problem. I don't know if it will help anyone else, but...
Basically when my app gets the token from Azure, before passing it on to the client, I can decode the JWT and just look at the email field.
In my case if the email address isn't one that belongs to my domain I can just send a 401 unauthorized back to the client.
It feels weird that Azure doesn't offer some way of doing this via config, maybe it does, but noone has answered this for me, and I've read enough of their docs now to want to pull my own eyes out so I never see the word Azure again...
So I am updating an older desktop app (written in VB, .net 4.0) with facebook integration and followed the guide found here, and have been able to successfully get a token (by parsing the uri of the embedded webview if it contains "token="). Now my problem is if I try to login with a facebook account that has already approved the app in a prior session, the webview just gets redirected to https://www.facebook.com/connect/login_success.html without any token information.
Do I HAVE to log all of the tokens I generate manually (ie on successful token generation, I can call their profile info, use their FB ID as key and save the token)? Even if I do, since the email and password is input directly into the facebook login window, how do I check if the user already has a token?
Thanks in advance
The access token can change any time, you need to get it everytime. After getting the token, I immediately get the user information https://graph.facebook.com/me?access_token=??? and use that ID to find their database information.
I couldn't quickly find facebook information but on google's oauth information it says "The access token is also associated with a limited scope that define the kind of data the your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen."
https://code.google.com/p/google-api-php-client/wiki/OAuth2
Ok so I finally figured it out myself. My mistake was apparently requesting the access_token directly (ie https://www.facebook.com/dialog/oauth?response_type=token...) to try and save time.
I fixed it by making a request for a 'code' instead (ie https://www.facebook.com/dialog/oauth?response_type=code), which I then use to make a second request to retrieve an access token as documented here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/, "Exchanging code for an access token" section a bit lower on the page.
Hope this helps someone in the future, this was very frustrating on my part.
Regards,
Prince
I have a native (FBML) Facebook Application. I do not want to push the application visitors through the authorization process, however I do want to know their Facebook ID.
Is it possible to find the visiting users Facebook ID without requiring them to "Authorize" my Application?
Before, I said it couldn't be done - but it can.
http://developers.facebook.com/docs/authentication/canvas
Read that, it's excellent. You need to decode the Base64 string and check the signature is correct, but other than that it gets you the user id among other stuff (like a temporary access token for graph.facebook.com)
REMEMBER : You need to change the settings in the Migrations tab for the information to come through! It's a vital step, but can be overlooked...
Hope this helps :)
Stuart