How to edit reply URL in Azure B2C user flow - azure

I want to edit the reply URL in my user flow. How can I do this? This is a reset password user-flow. Is this even possible or do I have to create a new user flow from scratch?

You can't edit it.
But what you can do is have lots of reply URLs in the app and then pick from the dropdown.

Those URLs are tied to the Application Registrations, each app registration can have multiple return URLs (as you're showing in your screenshot).
If you want to add another URL to that list you need to add it to the app registration for your LoginAppAndWeb application. The Microsoft Docs explain how to add an app registration, you likely just need to find the existing one for your app and update it.
It's down to the relying party (your actual LoginAppAndWeb app) to pass up the correct return URL as part of its /authorize request; B2C will then redirect to that URL at the end of the journey, provided it's in the list you've set up in the app registration.
Often, relying parties will have a single return URL, so there's a single point B2C redirects to that processes the B2C tokens, and then they'll have a separate way of redirecting the user on to another internal URL afterwards. That could be something that's passed as part of the state parameter, or it could be something that's stored by the browser (e.g. in a cookie); the client library you're using to interact with B2C will likely have a standard way of doing this.

Related

Azure SignUp policy needs to return to a different application

I have an Azure policy which works well for authenticating users of different roles. I now need to add a SignUp component to this, but there are some requirements that I'm not sure are possible.
I need the policy to return back to a different application than what called it. Say App A has the signup link on its login page which will invoke the policy's SignUp userjourney. However, I need it to not return back to that same App, instead redirect to App B along with those claims it's gathered. Is this even possible?
If it were possible (above), how can this be set up under the relyingparty section? I would need to keep what is already there for the userjourney that authenticates users, but now also somehow provide what's needed for this SignUp flow.
I am sorry if this is vague. I am just looking to get unstuck. If anyone could provide any sort of nudge in the right direction, I'd be very grateful.
This idea will not work. This is because, for at least the MSAL authentication library, it will reject a token response if MSAL was not the one who initiated the request. That is built-in protection in most libraries, and it uses the state parameter in the authentication request to apply this protection. Only responses that come back with the same state parameter will be accepted by the app.
You need to create a link from App 1 to App 2, and have App 2 initiate the Sign Up B2C policy.
The token response URL is controlled by the redirect_uri parameter in the authentication request. Your app will always require this to be configured within it. Both apps should provide a redirect_uri to send the token back to the respective App.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect#send-authentication-requests

What should go in the <anything-here> part of the redirect URI while registering an OAuth client for the Chrome identity API?

I want to set up OAuth for a NON-Google account using the Chrome Identity API in my extension. I need to register my extension to get an OAuth client ID, for which I need a redirect URI of the form https://<extension-id>.chromiumapp.org/<anything-here>. I am not sure what should go in the <anything-here> part of the redirect URI. The extension needs to get authentication from several websites which use their own SSO.
Turns out, the /<anything-here> part of the URL doesn't even need to be there for OAuth to resolve. It can be left blank and the OAuth will still be fine.
My best guess about its usage is that it can be used to add further information about where the request is coming from:
- https://<extension-id>.chromiumapp.org/SSOMethod1
- https://<extension-id>.chromiumapp.org/authfromgoogleaccount
- https://<extension-id>.chromiumapp.org/id=1234556
We can now choose to handle them differently if we want to.

Azure AD login - how to allow user to change Azure account if cached account is wrong for my application

Basic scenario: Azure AD is used as just an authentication provider for a web app; the identity retrieved from Azure is matched by email to a local identity, and a forms auth cookie is issued for API authorization against the app's web API.
Problem: If a user has multiple Azure accounts, they may be pre-authenticated when they come to my app. In this case, when the redirect back to my app occurs, there may be no matching user and login cannot complete.
Desired Solution: If the cached Azure account is invalid for my app, I would like to direct the user back to the Microsoft login page with a chance to manually type in their credentials.
How do I achieve this, and is there something wrong with this flow? It seems currently the only way for the user to get into my app is to go to Azure and log out of the bad account. What other methods could achieve a better user experience? Should I use the auth token from Azure and log the user out programmatically and then back to Azure for another go around? Can I hint for Azure to prompt the user even if they are logged in already?
I discovered that I really wanted the prompt=select_account flag on the redirect to Azure, but the library I was using made it difficult to determine how to set this. I am using the ms-adal-angular6 library, which is a wrapper for azure-activedirectory-library-for-js.
After digging through the code I found an undocumented config property called extraQueryParameter which, when I set it to "prompt=select_account", got the behavior close enough to what is needed.
Ultimately the user must select their account every time, instead of just when the account is wrong. I could most likely get tricky with the error response and redirect back a second time with prompt=select_account to get the behavior I was looking for, although the library doesn't make it easy to change this on the fly either, so I may stick with it always on.

OAuth with Passport.js in a multi tenant application

I am working on a website that will allow multiple tenants using subdomains.
Accounts will be able to add their own subdomains, as long as they don't already exist, e.g.:
- http://tenant1domain1.mywebsite.com
- http://tenant1domain2.mywebsite.com
- http://tenant2domain1.mywebsite.com
- http://tenant2domain2.mywebsite.com
I am also adding in the ability to sign in using a number of OAuth providers (Google, Microsoft, Azure AD, etc.) using passport.js.
All these services will call back to the main domain (mywebsite.com/login/google/callback), and I need to identify the subdomain of the login request to redirect the user.
As a single user can have multiple subdomains, I can't easily store this against their user record.
I'm running into a problem at the moment where I can't find a way to persist the tenant information past the passport authenticate stage.
I tried using session variables, but the session is reset at the callback stage and loses any information I've stored there.
I did think about adding the subdomains as allowed callback URLs against each service and then just setting the callback to the subdomain, but this quickly becomes unmanageable.
Is there any way to make passport.js keep existing session variables intact, or to use another method to transfer the tenant information?
Not a complete answer, but there's a design pattern that keeps &redirect=/url-after-login as a URL query parameter when moving to a login page. After successful login, the login handler then redirects back to this URL. The URL can be chosen based on the user or the originating page.
Could this work in your situation? Obviously this needs some research on how to implement it in passport.js. Sorry, I can't offer working code.

Accessing Third Party Apps After Creating A Session Via API Token

I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
1. User logs into our website.
2. At which point we authenticate the user in our system, and in OneLogin via the API.
3. After the user logs into our dashboard, they can click a link and be redirected to their third-party analytics app, due to the fact that I've created a new session with OneLogin.
Here are the steps I've completed:
1. I've successfully received an access token via https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
2. I've successfully used the access token to generate a session login token via https://developers.onelogin.com/api-docs/1/users/create-session-login-token
3. I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from OneLogin after making the create-new-session request, and at that point, if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with OneLogin. However, I'm not sure how to directly access a third-party app from a link on our website.
Thanks.
Two ways:
1. If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: the app redirects to OneLogin, OL authenticates the user (because you have a session), then redirects the SAML response to the app.
2. Use the launch endpoint. You can create a URL to an app by using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link labelled "Time Reporting" that points at that URL for the app.
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's, if you've built a login facade.