How to redirect keycloak to a specific IDP when multiple IDPs are configured? kc_idp_hint - browser

I would like a web browser user to be forwarded to the Keycloak account console via a specific IDP login, without showing the login browser page.
The Keycloak URL is https://id.spreitzer.ch
For example logging in via google:
https://google.id.spreitzer.ch -> general form https://<idp>.id.spreitzer.ch
What URL should I forward browser users to?
I tried configuring the kc_idp_hint parameter, which did not work. For example:
https://id.spreitzer.ch/auth/realms/master/protocol/openid-connect/auth?client_id=xxx&redirect_uri=https://xxx&response_type=code&scope=openid&kc_idp_hint=google

Related

Is it possible to change the redirected URI for an Azure Function App using App Service Auth accessed via an API Management endpoint?

I have an existing Azure Function App configured with App Service Auth using AAD.
By directly accessing the App Service website xxx.azurewebsites.net/xxx I am prompted to log in, and on logging in I am redirected back to the xxx.azurewebsites.net page.
However, with the same function app accessed via an APIM endpoint, I load the site xxx.azure-api.net/xxx, get prompted to log in, and then get redirected back to the azurewebsites.net page rather than the azure-api.net one.
Is there any way to configure this redirection? I have set the Redirect URIs in the App Registrations 'Authentication' blade, however this has made no difference.
Additional information:
In the initial 401 response I can see the original URL in the headers
WWW-Authenticate Bearer realm="xxx.azurewebsites.net/xxx" ...
No, we can't set the request to redirect to azure-api.net after login.
What we need to know is that if we use AD to protect the function app, it will redirect to the login page when we request the function URL. After login, it will redirect back to the function URL and continue the request.
When you use APIM to access the function, APIM is just an interface, so the steps above are the same after you request the APIM API to access the function. It will not redirect to azure-api.net; this is by design.

Azure B2C redirect URL not working when using server address

I have set up the following as redirect URIs under the registered app:
https://localhost:44332
https://myserver.com/v1/myapp
When I run the app locally using the localhost redirect URI and click on "signin/signup", it redirects to the B2C login page and successfully redirects back to localhost.
But if I run the app where it is deployed, "https://myserver.com/v1/myapp", using https://myserver.com/v1/myapp as the redirect URI, and click on "signin/signup", it just reloads the same page and does not redirect to the B2C login page.
I have tried to debug the same scenario: if I use https://myserver.com/v1/myapp my breakpoint in "OnAuthorizationCodeReceived" is not hit, but it works as expected when I use localhost as the redirect URI.
Basically I want the user to browse the app as https://myserver.com/v1/myapp, click on "Signin/Signup", provide B2C credentials and be redirected back to https://myserver.com/v1/myapp as a logged-in user.
What am I missing here when redirecting users to the server address instead of localhost?
I have found the issue: it was due to a mismatch between the reply URI (under the app registration) and the RedirectUri set up in web.config. These URIs should match exactly; once I had modified it, it was able to redirect to the B2C login page.

Google OAuth 2 authorization - wrong confirmation link is generated

Trying to allow my application to read my Gmail.
Created an OAuth 2.0 client and set up redirect URLs for it.
Started the service and got the prompt
Please visit this URL to authorize this application:
But this URL has an incorrect redirect_url param (it sets localhost:xxxxx where the port is always a random number). This URL is not what I set up when creating the OAuth client (my redirect URIs are on the same host as my application). So I can't authenticate my service to my Gmail. Why?
Should the redirect URI return something? I've read all the related questions, but can't find an answer.

How can I get the Pinterest API to accept my redirect URL?

I am trying to build an app in node.js that connects to Pinterest via its API. I can get an access token via Postman and test my app in single-user mode, but I am unable to incorporate OAuth2 to test my app for a second user. Every configuration of my code and settings at developer.pinterest.com yields the error "The provided redirect_uri ... does not match any of my registered redirect URIs."
I registered what I believe are correct callback URLs at developers.pinterest.com, many variants, with and without trailing slashes. My callback is hosted via https.
I tried calling Pinterest's OAuth2 auth URLs in my server code (node.js) and via the browser address bar.
https://api.pinterest.com/oauth/?response_type=code&redirect_uri=https://www.outfinterest.com/auth/pinterest/callback/&client_id=5042375080944909391&scope=read_public&state=true
I attempted the auth from a browser logged into Pinterest as me, and from a browser logged in as a registered tester of my app.
What must I do to get Pinterest to accept my callback URL?
Do I need to submit my app for approval before I can authorize via OAuth2?
I resolved the problem by reducing the set of URLs registered at developer.pinterest.com to just the one I need, then reloading the page with the app settings.
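Both the B2C fix (reply URL versus web.config) and the Pinterest error come down to the same rule: an authorization server accepts redirect_uri only when it is byte-for-byte equal to a registered value, so a trailing slash, a different port, or http instead of https is a different URI, and prefix or wildcard matching would let an attacker steer the authorization code to a path they control. The following is an added example, not code from either question nor from Azure or Pinterest, of such a check as a server would implement it, plus a client-side start-up assertion of the kind that would have caught the web.config mismatch. The registered set is constructed from the URIs quoted in the two questions; Node.js's URL parser stands in for whatever the real server uses.

```javascript
// Constructed set of registered redirect URIs, taken from the two questions above.
const REGISTERED_REDIRECT_URIS = new Set([
  'https://localhost:44332',
  'https://myserver.com/v1/myapp',
  'https://www.outfinterest.com/auth/pinterest/callback/',
]);

function stripTrailingSlash(p) {
  return p.replace(/\/+$/, '');
}

// Returns null when `requested` is acceptable, otherwise a short reason.
// Acceptance is byte-for-byte equality with a registered value (RFC 6749 section 3.1.2.3
// and the OAuth 2.0 Security BCP): no prefix matching, no wildcards, no "close enough".
function checkRedirectUri(requested) {
  let u;
  try {
    u = new URL(requested);
  } catch {
    return 'not an absolute URL';
  }
  if (u.hash) return 'fragment not allowed';
  if (REGISTERED_REDIRECT_URIS.has(requested)) return null;

  // Still rejected; name the nearest miss so the developer can see what to change.
  for (const r of REGISTERED_REDIRECT_URIS) {
    const reg = new URL(r);
    if (reg.hostname !== u.hostname) continue;
    if (reg.protocol !== u.protocol) return 'scheme mismatch';
    if (reg.port !== u.port) return 'port mismatch';
    if (stripTrailingSlash(reg.pathname) === stripTrailingSlash(u.pathname)) {
      return u.search ? 'query string differs' : 'trailing-slash mismatch';
    }
    if (u.pathname.startsWith(stripTrailingSlash(reg.pathname) + '/')) {
      return 'path extends a registered URI (prefix matches are not allowed)';
    }
  }
  return 'not registered';
}

// Client side: fail fast at start-up if the configured RedirectUri would be rejected,
// instead of discovering it as a silent reload or an "does not match" error later.
function assertConfiguredRedirectUri(configured) {
  const reason = checkRedirectUri(configured);
  if (reason) throw new Error(`RedirectUri ${configured} would be rejected: ${reason}`);
  return configured;
}

for (const candidate of [
  'https://myserver.com/v1/myapp',
  'https://myserver.com/v1/myapp/',
  'https://www.outfinterest.com/auth/pinterest/callback',
  'https://myserver.com/v1/myapp/../../evil',
]) {
  console.log(candidate, '->', checkRedirectUri(candidate) ?? 'accepted');
}
```

The diagnostic reasons are for the server's own logs; a production authorization server returns a generic error to the browser and never redirects to an unvalidated redirect_uri, even to report the mismatch.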

Logout is not working in Microsoft Azure Web App

I am using the following method to implement logout functionality for an Azure Web App.
I am using the URL https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1} where {0} is the Azure AD URL and {1} is the web app URL.
Sample URL: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net
This gives me the output stating
"You signed out of your account.
It's a good idea to close all browser windows."
But when I put the site URL in the browser, the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After sign-out I want the user to be redirected to the login page, and the user should also have to go through authentication to log in.
According to your description, I created a new ASP.NET Web Application that doesn't require any user authentication, then followed this tutorial for configuring my web app to use AAD login.
To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory.
When a user has logged in, you can find a cookie named AppServiceAuthSession.
For a simple way to log out, you can just call https://{your-webapp-name}.azurewebsites.net/.auth/logout; this built-in endpoint clears your browser cookies first, then redirects you to process the logout at the Azure AD end.
When the logout operation has finished on the Azure AD side, the browser redirects you to the post_logout_redirect_uri (/.auth/logout/complete by default).
In summary, please use Fiddler to capture the requests when performing logout in your web app, and check whether the cookie AppServiceAuthSession has been removed after you logged out.
@Bruce No, I am not using any URL authentication rules. Let me tell you what's happening step by step.
1) I have used the same URL you provided as the logout URL.
2) The page redirects to https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https://mywebapp.azurewebsites.net/.auth/login/aad/callback. It is not getting redirected to the default logout page.
[Image of cookies on the page after redirecting to the logout URL]
3) If I navigate to the default logout page (/.auth/logout/complete) and click on "Return to website", for a brief moment it redirects to the Azure AD login page //login.microsoftonline.com/dcc17943-54b6-4bc7-b284-71d39f03aeb0/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=1ab2f820-2ca0-4a78-bfea-c849b91d339d&scope=openid+profile+email&response_mode=form_post&state=redir%3D%252F%26b2cPolicy%3D&nonce=d74940629d5e434eb6454648d33f371d_20170215104002. It seems to get authenticated there automatically, and then redirects to the home page. I have deleted cookies manually too, still the same result.
@Bruce I found something. If I manually delete all the cookies from chrome://settings/cookies and then redirect the page, then it works. Can I do it programmatically, using JavaScript or C#?
One reason that your post-logout redirection is not working might be this Azure AD behavior, which caused issues in my case:
It doesn't work for root accounts of the tenant, that is, my personal account, which created the Azure subscription.
But it works for new accounts I created inside my subscription.
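As an added example (not code from the question, from Bruce's answer, or from Azure App Service), here is a Node.js-style logout handler built around the /.auth/logout endpoint described in that answer. Its two points are the ones the thread turns on: a cookie is only deleted when the expiring Set-Cookie repeats the Name, Path and Domain it was issued with, and the application should drop its own session cookies before handing the browser to the platform endpoint, which removes AppServiceAuthSession and continues to Azure AD's end-session endpoint. Cookie names are hypothetical; the app URL is the question's placeholder; the Clear-Site-Data header is the programmatic counterpart of the manual cookie deletion mentioned in the comments, in browsers that support it (others ignore it).

```javascript
// Placeholder app URL, as in the question.
const APP_URL = 'https://mywebapp.azurewebsites.net';

// Cookies the application itself issued (hypothetical names). A deletion needs a
// Set-Cookie with the same Name, Path and Domain the cookie was created with; an
// "expired" cookie under a different path is simply a second cookie, and the original
// keeps being sent.
const APP_COOKIES = [
  { name: 'app_session', path: '/', secure: true, httpOnly: true },
  { name: 'app_csrf', path: '/', secure: true, httpOnly: false },
];

// Build the Set-Cookie header that removes one cookie. Max-Age=0 is the modern
// deletion signal; the 1970 Expires is kept for old browsers that ignore Max-Age.
function expireCookieHeader({ name, path, domain, secure, httpOnly }) {
  let h = `${name}=; Path=${path}; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0`;
  if (domain) h += `; Domain=${domain}`;
  if (secure) h += '; Secure';
  if (httpOnly) h += '; HttpOnly';
  return h;
}

// Logout handler result: drop the app's own cookies, then send the browser to the
// App Service endpoint, which clears AppServiceAuthSession and forwards to Azure AD's
// end-session endpoint; afterwards the browser lands on postLogoutPath.
// postLogoutPath is forced to be a same-site path so the parameter cannot be turned
// into an open redirect ("//evil.example" would otherwise be scheme-relative).
function buildLogoutResponse(postLogoutPath = '/') {
  if (!postLogoutPath.startsWith('/') || postLogoutPath.startsWith('//')) {
    postLogoutPath = '/';
  }
  const logout = new URL('/.auth/logout', APP_URL);
  logout.searchParams.set('post_logout_redirect_uri', postLogoutPath);
  return {
    status: 302,
    headers: {
      Location: logout.toString(),
      'Set-Cookie': APP_COOKIES.map(expireCookieHeader),
      // Ask the browser to discard every cookie for this origin as well, including any
      // the platform set; supported by Chromium- and Gecko-based browsers, ignored elsewhere.
      'Clear-Site-Data': '"cookies"',
      'Cache-Control': 'no-store',
    },
  };
}

console.log(buildLogoutResponse('/'));
```

Whatever the handler sends, verify it the way the answer suggests: capture the logout sequence and confirm that the response carrying the redirect also carries the deletions, and that AppServiceAuthSession is gone on the next request.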
