SSO federated logout on Auth0 not working as expected - gmail

I have an app where I need to be able to log a user out so that they can log back in.
To log the user out, I am making a call to:
https://<domain>/v2/logout?client_id=<clientId>&returnTo=<redirectUri>&federated
The issue is that instead of getting a 302 as expected and having the user logged out of their SSO, sometimes the call returns an OK with a 200 status and signs the user back in.
I am aware of this issue with Auth0, as per this Auth0 community post but passing the client_id and the returnTo parameters was supposed to handle it.
This happens with a Google account and it seems that the user is indeed logged out of Auth0 but not actually from the SSO provider.
Any ideas on how to fix this? Thank you

In case anyone comes across this again, I believe the answer is actually pretty simple.
The behavior described above happens when someone tries to perform a logout using the v2/logout url, while not having an active Auth0 session.
The end-point will not flag this but instead will respond with either a 200 or a 302 without additional actions.

Related

React app using msal-react, how to automatically authenticate user

I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user previously has signed in and revists the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and use that to get the account used and then calling login in the msal instance. I also set up a addEventCallback and listen for EventType.LOGIN_SUCCESS which I use to set some internal state about the logged in user.
I have tried using MsalAuthenticationTemplate but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoking the login, but that doesn't work all the time. Sometime I get a SSO error indicating I should provide a login_hint or sid which is not possible because I use B2C.
If I don't do anything the user can click the login button and if the user has a valid cookie with B2C the user is logged in without providing credentials which is a strange behavior for the user because my website indicate the user is not authenticated (and show no logout button).
So I can't really get this to work and are wondering if somebody has a concept for achieving this?
Please checkout the msal-react samples which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.

How to get online status of facebook user?

I wanna to understand how I can retrieve the online status of a Facebook user. For example, I'm logged in my application through JWT auth, and then in my settings page, I wanna to see my facebook online status.
Do I need to log in through OAuth, or just I can put on the field my facebook userID and then make a request to facebook API?
Also if it's possible to have socket connection with that online status to know in real time my status?
Maybe do you know cases with node.js and socket.io with it?
Thx
There is no way to get a user’s “online status”.
Do I need to log in through OAuth, or just I can put on the field my facebook userID and then make a request to facebook API?
Even if you did make an API request with a valid user token, that says little about the user’s online status.
The token stays valid for two hours (for a short-lived one), but the user isn’t necessarily online “on Facebook” for the whole time. Only if they logged out of your app explicitly, thereby invalidating the token, you could take the error message you would then get on the next attempt to make an API request using that expired token as an indicator. But then they would also have to login to your app again, before you could recognize them as “online” again.

ERR_TOO_MANY_REDIRECTS error in response of Azure AD v2.0 authentication

I'm using Microsoft Graph to access a user’s Microsoft account data from within a Node.js web application, to call rest APIs. But once authentication done, instead of return to ReturnURL, I'm getting ERR_TOO_MANY_REDIRECTS in the browser.
Below is the Node application, I'm using:
https://github.com/microsoftgraph/msgraph-sdk-javascript
As I see, it seems like some how access token is conflicts and due to that passport is not able to authenticate my requests.
Can someone please help me out here, where I'm missing here. I didn't make any major changes in the app.
Please let me know if someone need more info.
Thanks.
I've seen a couple of examples of this occurring. It's hard to tell exactly what is happening from the limited information you've provided but here are some examples of what I've seen in the past:
redirect_uri pointing to an endpoint that automatically redirects the user back to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?. This results in an infinite loop.
redirect_uri is returning a HTTP 3xx status indicating a redirect (301, 302, 303, 307, 308).
redirect_uri is pointing to a page that checks for an authenticated user. Since the user hasn't authenticated yet (you've got an authorization_code but not an access_token yet) it triggers the authentication workflow again.

SAML2.0 Authentication with Node.js and SPA

I've been scratching my head for about 2 days on how to solve what seemed to be a simple task, but it's starting to drive me crazy.
I have an application where users will use SAML 2.0 to authenticate.
I have a react-application set up for the front-end, and was thinking I was gonna use JWT to secure the rest-api communication between front-end and backend.
When a user signs in, the flow is the following:
User accesses www.server.com/ and gets served the static HTML with react-application
User clicks 'Sign in' and accesses www.server.com/login
passport-saml redirects user to saml identity provider. User logs in.
User calls back to www.server.com/callback with a SamlResponse in the req.body which is decoded by passport-saml and put into req.user.
If the user doesn't already exist, I create the user in the database.
I create a JWT.
What should I do next? The problem is that the user is not in the react-application when calling back from the identity provider, so I've lost all state in the application, so whatever I reply with will get sent to the browser.
Is there any way I could force the browser to give me the SamlResponse which the identityprovider is calling back with? Then I could send it to the server as a http-request from the react-application.
After some thinking, I came up with the following solution which worked quite nicely for me.
SAML has something called RelayState which is a property that the Service Provider has to respond with. So now the process looks like this:
User accesses http://frontendserver.com and gets server the static page with the React application (not signed in.).
User clicks 'Login' and gets redirected to http://backendserver.com/login/?RelayState=http://frontendserver.com which authenticates via passport-saml and redirects user to SP. So I pass the origin of the request in RelayState.
User calls back to http://backendserver.com/callback with the SamlResponse, which includes the RelayState.
I create a token, and redirect the user to RelayState/#token.
I can then parse the url in the React application, and add the token as a header for any further requests.
This might've seemed like the obvious way to do it, but it took me quite a while to figure out that this would work.
I know this question is for Node backend, but I found an article of the implementation for a PHP/Apache webserver backend here and I think it can help someone trying to understand the flow of the process of how this type of thing works.

Google Oauth2 Contacts API returns Invalid token: Stateless token expired after an hour

What's wrong with my setup?
I am using django-allauth for social signup and recently i added contacts to it's scope. Things are working fine. It now asks for permission to manage contacts and I am able to get contact details of users through the API.
But once i make a request to get contacts of a user(I am not saving any refresh token or accss token at that time), after an hour when i make the request again with same token, It shows this error "Invalid token: Stateless token expired".
However I can still login into the website and the token does not change. However when I logout and login again the token changes and i can again get the contacts using that token for one hour.
What's the issue? What am I missing?
See, when you are logging into the website, you are probably using cookies. So basically you might be using the same session and actually the api is not called.
The time when you are logging in incognito mode or in a diffrent browser, that cookie cannot be used, so this time api is called. For this reason, the token is getting changed.
For example, if after few users have signed up with google, you change the scope of the app, what happens is, if the user has enabled cookies and it has not expired, when he visits your site, it simply logs him in. It does not asks for permissions (that you added recently to scope). But when he logs out and logs in again, then it asks for the additional permission and th token also gets changed.
What you should do is, you should go through th codes of django-allauth and clear it out how they are using the token. You must also know that for getting refresh token, you must have offline access enabled in your configuration.

Resources