OpenAm doesn't create users when OAuth authentication enabled - openam

I have two instances of OpenAM. One works as an OAuth2 provider, the second works as an OAuth2 client.
When I enable the option "Map to anonymous user" on the service instance, the whole flow works fine - the client redirects me to the provider, where I enter my username and password, then it redirects me back to the client where I can see my new anonymous profile.
But in my case I need to map the user from the provider to the client when the user logs in to my system.
When I enable the function "Create account if it does not exist", then after I accept the consent screen it redirects me back to the client and I see this error message: "Unknown error. Please contact your Administrator".
I have enabled logs and in logs I see this error:
org.json.JSONException: JSONObject["sub"] not found.
org.json.JSONException: JSONObject["name"] not found.
org.json.JSONException: JSONObject["given_name"] not found.
org.json.JSONException: JSONObject["family_name"] not found.
ERROR: unknown callback null
When I perform a REST request to the provider's userinfo endpoint with Postman, it returns this JSON:
{
"sub": "user123",
"name": "name",
"given_name": "gn",
"family_name": "fn"
}
Based on this response, I configure mapping in OAuth2 module on client OpenAM this way:
Account Mapper Configuration:
sub=sub
name=name
given_name=given_name
family_name=family_name
Attribute Mapper Configuration:
sub=sub
name=name
given_name=given_name
family_name=family_name
Thanks!
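The log lines above report all four mapped claims missing at once, while the userinfo endpoint clearly returns them. The following is an added example (my own code, not OpenAM's mapper) that parses the mapper configuration from the question and applies it to two constructed responses; it shows that the claims come up missing only when the body being parsed is not the userinfo response the provider returned in Postman. The mapper lines are read as provider_claim=local_attribute, OpenAM's documented order; with identical names on both sides the direction does not matter here.

```python
import json

# Account / Attribute Mapper lines exactly as entered on the client OpenAM,
# read here as provider_claim=local_attribute.
MAPPER_CONFIG = """
sub=sub
name=name
given_name=given_name
family_name=family_name
"""

# Constructed sample: the body the provider's userinfo endpoint returned in Postman.
USERINFO_OK = '{"sub": "user123", "name": "name", "given_name": "gn", "family_name": "fn"}'

# Constructed sample: a token-endpoint style body that carries none of the mapped claims.
OTHER_RESPONSE = '{"access_token": "opaque-token", "token_type": "Bearer", "expires_in": 3599}'


def parse_mapper(config: str) -> dict:
    """Parse 'provider=local' lines into {provider_claim: local_attribute}."""
    mapping = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        provider, _, local = line.partition("=")
        mapping[provider.strip()] = local.strip() or provider.strip()
    return mapping


def missing_claims(mapping: dict, response_json: str) -> list:
    """List every mapped provider claim that the parsed response does not contain."""
    claims = json.loads(response_json)
    return [claim for claim in mapping if claim not in claims]


def map_profile(mapping: dict, response_json: str) -> dict:
    """Build the local profile, failing with the same claim names the OpenAM log shows."""
    missing = missing_claims(mapping, response_json)
    if missing:
        # All four missing at once means the JSON being parsed is not the
        # userinfo body that Postman shows, so check which response the client reads.
        raise KeyError(f"JSONObject {missing} not found")
    claims = json.loads(response_json)
    return {local: claims[provider] for provider, local in mapping.items()}
```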

Related

Azure AD B2C with OpenID Connect getting error AADB2C90238: The provided token does not contain a valid issuer

I added and configured an OpenID Connect Identity Provider.
I set the return URL in the provider correctly.
I'm using the "Sign up and Sign in" user flow -- not a custom policy.
Running through the user flow, I ultimately get redirected to my application .../MicrosoftIdentity/Account/Error (or if I set return url to jwt.ms, I get the same error) with the page indicating the error
AADB2C90238: The provided token does not contain a valid issuer
How can I even see the issuer in the token? (It's all handled inside AD B2C service).
I can see what's listed in the provider's .../.well-known/openid-configuration endpoint. I guess that's what's not matching in the token. I've seen suggestions of using Application Insights Logs to view the token -- but, apparently, that can only be done with custom policies.
Is there another way to tell AD B2C not to validate the issuer? Or is another way to handle this issue?
I tried to reproduce the same in my environment.
Open Id configuration is like below:
Where the metadata url is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Authorization request looks like below:
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=xxxxx5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
I received the same error :
With redirect uri: https://jwt.ms
Error: invalid_request
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
With redirect uri: https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/authresp
So here the redirect URIs are correct and the metadata URL needs to be corrected:
Created an OpenID provider with a metadata URL having tenantId instead of organizations.
https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
Run the user flow with this Identity provider
Could login successfully and get the access token with endpoint
Note: make sure it has the policy included:
I have p=B2C_1_newSignupSignin
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=1xxxxe2a5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Here the issuer is of V2 endpoint "iss": "https://kavyasarabojub2c.b2clogin.com/<tenantId>/v2.0/"
Reference : Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
Edit:

Azure to Auth0 connection - Invalid client secret is provided

I'm using Azure AD as my Identity Provider (IdP) and trying to connect Auth0 to it as a client. I've followed all the steps mentioned in
https://auth0.com/docs/connections/enterprise/azure-active-directory/v2
Redirection from Auth0 to Azure AD is working as expected. Login on the Azure AD side is also showing a success in its log, however I'm getting an error on the Auth0 side which says,
"Invalid client secret is provided"
I've double checked the client secret. Freshly generated it to eliminate the possibility of its expiry but still getting this error.
Below is an error message payload.
"error": {
"message": "failed to obtain access token",
"oauthError": "invalid_request",
"type": "request-error",
"payload": "{
"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.
Trace ID: 52ea6301-3da2-46c7-b355-865dfff34c01
Correlation ID: 69415f95-1430-45eb-b653-3c76f934ccc0
Timestamp: 2021-11-29 05:11:57Z",
"error_codes":[7000215],
"timestamp":"2021-11-29 05:11:57Z",
"trace_id":"52ea6301-3da2-46c7-b355-865dfff34c01",
"correlation_id":"69415f95-1430-45eb-b653-3c76f934ccc0",
"error_uri":"https://login.microsoftonline.com/error?code=7000215"}"
},
Make sure you have copied client secret value and not the client secret ID.
Gave wrong value of client secret getting the same error as you.
Would suggest you try with the following parameters as I have set for authorization type OAuth2.0.
URL : https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
Given the correct value of Client Secret and getting the access token.
Also, check that the Azure AD Client secret is not expired. Otherwise, generate a new one, then update it in the enterprise connection configured with Auth0.

How to implement "Organizational account" authentication in Excel on server side?

I have Java application which provides some reports in plain HTML.
I want to secure these reports with Microsoft SSO (OAuth).
I was able to do this in browser - I created new "AppRegistration" in Azure AD, get client_id, client_secret, Oauth 2 authentication_url, configured correct redirect_uri in this application and implemented Oauth flow in browser - it works as expected.
But users don't want to check reports in browser, they want to process them in Excel 2019.
It has "Organizational account" authentication.
I believe, that it uses the same OAuth 2 flow.
So, I added WWW-Authenticate: Bearer authorization_url="https://login.microsoftonline.com/256be541-f611-4412-975e-cb56ee6fb03b/oauth2/v2.0/authorize"
I'm trying to access URL like: https://localhost:8443/report/1
Now Excel asks me to enter login and password, but after successful authentication the error is shown:
invalid_resource: AADSTS500011: The resource principal named https://localhost:8443 was not found in the tenant named 256be541-f611-4412-975e-cb56ee6fb03b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 57324bfe-ab46-4c2e-9128-a336aa287e00
Correlation ID: d9c4c732-76cc-4659-9d8a-d27abec617d3
Timestamp: 2021-02-02 16:50:13Z.
https://localhost:8443 - is address of my application and this address is included to redirect_uri in App registration.
But I don't think that mentioned "resource principal" is about redirect_uri.
So, how can I create "resource" principal in Azure AD and give it name "https://localhost:8443" ?
In fact, this is the case. According to your error message, it says that the resource body of https://localhost:8443 cannot be found, which means that you set the scope to: https://localhost:8443 when requesting an access token.
However, you only set it as redirect_uri at the beginning, and did not set the Application ID URI to https://localhost:8443 in the Expose an API tab, so when you request the resource, the error message reports that it cannot find the resource.
By the way, scope is different from redirect_uri. The scope puts the resource you want to access, while redirect_uri is just the callback url that is not the resource you want to access. This is why you still get an error when setting the url in redirect_uri.

Pyrebase cannot find an email

I was following the Pyrebase tutorial and I got it up and running for one user account. I added another user account to the code and now I'm getting an error saying email address isn't found. The user account has been added to the Firebase User, and given the same access as the first account.
I've confirmed that the account has been added to Firebase with the correct email and password.
user = auth.sign_in_with_email_and_password("someEmailAddress#gmail.com", "Secret Password")
I'm expecting a return code of 0, stating it's connected successfully. However, I'm getting the error below:
raise HTTPError(e, request_object.text)
requests.exceptions.HTTPError: [Errno 400 Client Error: Bad Request for url: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=AIzaSyDgn6aURRvEDP-M738sy7oo0ubbNqqLXzY] {
"error": {
"code": 400,
"message": "EMAIL_NOT_FOUND",
"errors": [
{
"message": "EMAIL_NOT_FOUND",
"domain": "global",
"reason": "invalid"
I have found my error. After adding the account under the Project Overview -> Project settings -> Users and Permissions tab, I forgot to add the account under the Authentication tab on the left hand side. Once that's added, the code works as expected.
When obtaining the Endpoint from Firebase Auth REST API, pick the Endpoint for signup with email/password.
The error arises because the Endpoint is for sign in with email/password.
You will be performing a sign in operation instead of sign up hence the error email not found.

how to authenticate to Azure time series insights query API?

I keep getting an AuthenticationFailed error with an InvalidAuthenticationTokenAudience inner error when attempting to query the /environments endpoint.
I have already created an app in the Azure Active Directory, given it access in the time series insights management portal and I can already get an Oauth 2.0 Access token from the auth URL.
I have tried giving the token url the 'https://api.timeseries.azure.com/' resource/audience/scope but the API keeps returning the same error message:
{
"error": {
"code": "AuthenticationFailed",
"message": "Server failed to authenticate the request. The token has been obtained from wrong audience or resource.",
"innerError": {
"code": "InvalidAuthenticationTokenAudience",
"message": "The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should
exactly match (including forward slash) with one of the allowed
audiences 'https://api.timeseries.azure.com/'."
}
} }
I'm using Postman with the Oauth 2.0 authentication type, the client credentials Grant Type and send as basic Auth Header option for the token request.
Has anyone tried this with success?
Update 01:
The decoded (using JWT as suggested in comments) payload portion of one of the tokens shows that the aud field is 00000002-0000-0000-c000-000000000000. Which is definitely wrong.
Based on the exception, it indicates that the resource is not matching https://api.timeseries.azure.com/ when acquiring the access token.
So please make sure that the resource is https://api.timeseries.azure.com/, for more information please refer to the screenshot.
Get access token
I tested the Get Environments API; it works correctly for me.
GET https://api.timeseries.azure.com/environments?api-version=2016-12-12
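The B2C issuer error earlier on this page (metadata URL using organizations instead of the tenant id) and this Time Series Insights audience error both come down to one token claim not matching what the verifier expects, exactly and including the trailing slash. The following is an added example, my own code rather than anything from the answers, that decodes a constructed token's payload without verifying its signature (as the JWT decoders suggested in the comments do) and reports which claim fails; the tenant id is a constructed sample, and the placeholder issuer models the literal {tenantid} that the organizations metadata document carries.

```python
import base64
import json

# Constructed sample values (not the page's real tenants or tokens).
TENANT = "11111111-2222-3333-4444-555555555555"
# Multi-tenant metadata carries a literal placeholder, so a real tenant's iss never equals it.
ORG_METADATA_ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"
TENANT_METADATA_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
TSI_AUDIENCE = "https://api.timeseries.azure.com/"   # trailing slash is part of the value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for claim inspection only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.dummysig"


def decode_payload(token: str) -> dict:
    """Read the claims without verifying the signature, the way jwt.ms does."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_claims(token: str, expected_iss: str, allowed_aud: set) -> list:
    """Return the mismatches a relying party or API would reject this token for."""
    claims = decode_payload(token)
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # Exact string comparison: 'https://api.timeseries.azure.com' without the slash fails.
    if not any(a in allowed_aud for a in auds):
        problems.append(f"aud {aud!r} not in allowed {sorted(allowed_aud)}")
    return problems


if __name__ == "__main__":
    tok = make_token({"iss": TENANT_METADATA_ISSUER, "aud": "00000002-0000-0000-c000-000000000000"})
    print(check_claims(tok, ORG_METADATA_ISSUER, {TSI_AUDIENCE}))   # both claims flagged
    print(check_claims(tok, TENANT_METADATA_ISSUER, {TSI_AUDIENCE}))  # only the audience
```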