I'm using FOSUserBundle to manage users in my application.
But finding a problem after login, and after registration.
After registration, a confirmation email is sent successfully, but the redirect page at myapp.com/register/check-email generates the following error:
Impossible to access an attribute ("username") on a NULL variable ("") in FOSUserBundle :: layout.html.twig at line 9
If I click on the link in the email sent to me it seems that the user is successfully activated even if the url myapp.com/register/confirmed returns:
This user does not have access to this section.
If I try to log in, instead of the profiler Symfony signals that are not authenticated in the system.
Related
I am new to Google Actions. I am building action to access my smart home device from google home/assistance. I have already filled the Account Linking details from my auth server on action console.
I have provided the Fulfillment URL on Actions tab.
When I try to link the account from Google App (i.e. Home > + > Set up device > Works with Google > [test] My_Action , it redirect to my server's Authorization, there I submit my server's username and password and it redirect back to google home page and my account is successfully linked and my devices are showing in the Google Home.
But, When I try to link my account using OAuth 2.0 (https://developers.home.google.com/cloud-to-cloud/project/authorization) it doesn't link the account.
Here are the steps I follow.
Open the URL in the browser.
https://auth-dev.iotondemand.com/oauth/authorize?client_id=client&redirect_uri=https://oauth-redirect-sandbox.googleusercontent.com/r/MY_PROJECT_ID&state=somerandomstring&scope=read+write&response_type=code&user_locale=en
It opens the login screen of my server, when I submit my credentials it redirect to the following url along with authorization code which is generated by my auth server and the state parameter.
https://oauth-redirect-sandbox.googleusercontent.com/r/MY_PROJECT_ID?code=VGdKtk&state=somerandomstring
And
'Invalid State Parameter. The Link can not be completed.'
this is written on browser.
Invalid State Parameter. The Link can not be completed.
What's wrong am I doing? I am passing some random string to my authorization url and it gives back the same string and redirect it to oauth-redirect-sandbox.googleusercontent.
My action is still in development mode. I haven't deployed it yet.
If you are able to complete account linking using the Google Home App, you are good to go with your implementation. This flow is also using OAuth2.0, where the user is sent to your authorization url to fill in credentials, then Google servers will use the authorization code you provided in this flow to retrieve access and refresh tokens from your token url. (The fulfillment url you provided is not used throughout the Account Linking process)
I am building 2 MVC applications and will be using IdentityServer as a single sign-on authentication provider. By following the sample code from IdentityServer web site, I can get the authentication working. But now I am confused about how to register new users in the MVC applications.
For example in MVC 1, I have a secured controller action. Now accessing this action will be redirected to IdentityServer login page. If user selected an external login provider and login successfully, then the user will be redirected to the "Register" page of IdentityServer to ask whether the user wants to register. If user clicks "Register", then redirected to the secured action successfully. So far the sample code has done all these. But my question is that MVC1 & MVC2 need some more information about the user for registration. How can I prompt user to input these additional information? It is not feasible to have these information inputted in the IdentityServer register page because MVC 1 & 2 need different information. But if I have a register page in MVC1 & MVC2, then how can I force user to complete the registration? After user is authenticated from IdentityServer, he is returned directly to the originally requested Url. I just can't have code in every controller action to verify whether an authenticated user have completed the detailed registration.
An ideal way is that once a user is authenticated from IdentityServer, I can check whether this user has been registered in the local MVC user database. If not, then redirect the user to the local MVC register page and then back to the originally requested Url. How this can be done or is there a more appropriate way for doing this?
But my question is that MVC1 & MVC2 need some more information about
the user for registration.
To retrieve additional user info, you could depend on user claims for the additional user information. Otherwise, there is an endpoint called UserInfo Endpoint
But if I have a register page in MVC1 & MVC2, then how can I force
user to complete the registration?
Based on client_id you could change the registration view
I just can't have code in every controller action to verify whether an
authenticated user have completed the detailed registration.
You could create a customize filter to validate that. But, I would say try to keep the user related details on IdS4 project
I can check whether this user has been registered in the local MVC
user database. If not, then redirect the user to the local MVC
register page and then back to the originally requested Url. How this
can be done or is there a more appropriate way for doing this?
If you think, these user information will only be used for this client then you could take this approach.
However, if possible you asked for all the required details on the user registration page, no harms keeping the information for mvc1 users. But sometimes it is not possible (e.g. internal vs external users). If it is for internal users, then I guess it would be better to have a seperate Admin UI where user can add extra information.
Anyway, if you want to keep everything in one user registration page on Id server, i would add an extra flag on Client table which will indicate to show extra fileds. Hope this may help you.
I have an application that uses OAuth 2 to access Gmail. This is working fine for most users. For some users, however, my application fails at the point of trying to read the Gmail labels, with http error 403 (forbidden). Keep in mind that previous to this API call, I have accessed the user profile successfully. Here is the call that fails:
GET /gmail/v1/users/user.name#domain.com/labels?access_token=ya29.fwI_zL1rF3xOIQcHNzpBhmjVlJhRpofkh4a9mVvwhYRo6H09qX5RNKv76zKT7e6-sEZr
I am requesting the following scopes when getting the access token, and the user has logged in to Google and accepted the request for access (and I can see this when we look at his security dashboard):
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/userinfo.profile
https://www.google.com/m8/feeds
https://www.googleapis.com/auth/tasks
https://www.googleapis.com/auth/gmail.labels
https://mail.google.com/
Note that I just added the gmail.labels scope in at attempt to fix this.
Again, this code is working fine for most users - why do some users fail the label request?
Use the shorthand value me instead of user.name#domain.com and the user who the access token belongs to will be used automatically.
We are trying to build OAuth2 Authorization with IdentityServer3.
So we downloaded the Bytes from nuget and connected it with our database.
The database was initialized with the default scopes and the sample clients from Thinktecture self.
Then we connected AD FS as IDP via OWIN and made an simple ExternalUserService.
So far everything worked fine and the permissions page of the IdSrv could be opened, showing the username and that no application has consent up to now.
Then we tried to connect Xamarin.Auth to that and got an error Cannot determine application to sign in to and in the logs an error Signin Id not present (after logon at the ADFS IDP).
To reduce complexity, we decided to go back to the InMemoryUserService and created one InMemoryUser. This worked for the permissions page (at least for a short period of time - time is over now), but it did not allow OAuth2 Authorization Code Flow, which ended up in showing the login page again and again and again. And there is no evidence of any error in the logs.
How can we debug, what is happening? Is there any way to see, why a user gets redirected to the login page again despite being logged in?
--
We reduced the complexity even further by creating a new empty MVC application, which just uses a simple InMemoryUserFactory.
Now it's getting a little bit confusing: one user was able to logon from his machine - other machines (same user - since we created only one) are not able to login and get prompted with the login over and over again.
If using IdentityServer3 and you use own external login methods you should really pay close attention to the API of the IdSrv3.
We tried to create a login resutl with just the subject - this is made for local login on the server. If this is switched off at the same time, you will end up having problems.
So if you use an own external login provider and switch off local login, make sure to call the right overload for the authenticate method (3 Parameters in our case).
Apache tomcat version: 6.0.20
If user is already logged, and he tries to login again from login page, the j_security_check is not available error is encountered. Is it normal behaviour or I have to do something?
Actually I have different user roles for accessing different pages, and when access to a page is denied to a particular user, I want to redirect him to login page, where he can login with corresponding credentials.
This behavior is normal: the servlet spec only lays-out the procedure for container-managed authentication (i.e. login) when the user requests a protected resource and the user has not already provided credentials. All other scenarios are left undefined, including yours.
If you want to capture "forbidden" conditions, you can use <error-page> mappings in your WEB-INF/web.xml to send the user anywhere you want, including a login page. Just remember that the container will only accept a login after the above conditions are true, so you may have to log the user out first (by terminating the user's session).
What I might recommend is a "forbidden" page that says "You don't have access to this resource. If you'd like to log-in as a different user to access it, please click [HERE]" where [HERE] is a link to a servlet that terminates the user's session and then redirects to the resource the user was trying to access. This will cause the container to request authentication (i.e. present the login form), verify the credentials, and send the user to the desired resource.
If you are using a container (and webapp) along with version 3.0 of the servlet specification, there is a new HttpServletRequest.login() method that can be used to programmatically log a user into your webapp. You might be able to use that instead of terminating the session and doing all those redirects... instead, you could collect the username and password yourself and then ask the container to do the login for you.