I have a site that when the user signs in; it opens a new window to github login to use it’s oauth flow. The user signs in, grants access, and is redirect back to the site. https://www.example.com?code=“code”. My site then attempts to parse the code out of window.location.search. However, when this occurs I am getting the following error:
DOMException: Permission denied to get property “href” on cross-origin object.
I am not sure what to do in this case? Any thoughts would be appreciated.
If you're trying to retrieve the value of window.location.search that appears in the new window from the original window, you need to make sure that both windows have the same origin (scheme, port and host, see more here: Same-origin Policy).
This is a security measure, otherwise a malicious site could initiate an OAuth flow and retrieve the authorization code in the popup window without controlling the redirect site.
Alternatively, you can just retrieve the code in the new window.
Related
I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user previously has signed in and revists the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and use that to get the account used and then calling login in the msal instance. I also set up a addEventCallback and listen for EventType.LOGIN_SUCCESS which I use to set some internal state about the logged in user.
I have tried using MsalAuthenticationTemplate but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoking the login, but that doesn't work all the time. Sometime I get a SSO error indicating I should provide a login_hint or sid which is not possible because I use B2C.
If I don't do anything the user can click the login button and if the user has a valid cookie with B2C the user is logged in without providing credentials which is a strange behavior for the user because my website indicate the user is not authenticated (and show no logout button).
So I can't really get this to work and are wondering if somebody has a concept for achieving this?
Please checkout the msal-react samples which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
Background:- I'm trying to implement the Implicit Grant REST API of DocuSign.
According to the documentation provided by DocuSign:-
After consent has been granted, the Authentication Service verifies that the client application is valid and has access to the requested scope. If so, it redirects the access token to the provided callback URI in a hash fragment.
The response contains the following hash fragment parameters:
http://localhost/#access_token=eyJ0eXAi.....9LyiFrUqvdw&expires_in=28800&token_type
Problem statement:-
After redirection we are trying to read the access token from the hash fragment of url section, but we are facing below issue:-
We are trying to open docusign window through iframe, we are getting the below error
Refused to display
https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=cab75309-6eb3-4969-a15d-fff35513e179&redirect_uri=https://www.sirionlabs.com/
in a frame because it set 'X-Frame-Options' to 'sameorigin'
So we tried to login to docusign app in another browser tab and then we are not able to read access token from the user, though we are getting the token printed on browser console.
How can we read the token received after login-in to Docusign service, so we can redirect that token to our app for further processing?
You cannot use an iframe for DocuSign authentication.
This is a security concern.
Users must see the URL at the top to know it's DocuSign and secure etc.
Please use a different window or redirect.
I'm using Python and trying to login to basecamp to consume their API but i'm having some trouble with OAuth2 authentication...
How do I login without interacting with browser? I'm making a post request but it returns a 422 message...
I checked out the headers and they seem ok. I'm confused and dont know where the mistake is.
OAuth2 requires that the user authorizes the integration to access her/his account. This is done through a web page in which basecamp.com will display some HTML including a button. For this to work, the user must be logged in using the web form at https://launchpad.37signals.com/signin.
I've implemented that in Javascript: https://gitlab.petton.fr/basecampel/libbasecampel/blob/v0.2.0/proxy/src/oauth.js. The function at line 20 opens the system's default web browser in which the user is supposed to login if he/she is not logged in already.
I make users login to my chrome extension through my own OAuth2 API which uses google signin, through chrome.identity.launchWebAuthFlow with interactive set to true, and it works fine, user is prompted to sign in with google account, I get redirect url in my extension's background script, parse access token from it and everything is fine until I need to logout this user and make it possible to sign with other account.
When I try running chrome.identity.launchWebAuthFlow with interactive set to true again, nothing pops up, but redirect url is returned in background and access token is picked up for previously logged in user, so I'm unable to make my users switch account.
Is there any solution for this?
I haven't used chrome.identity.launchWebAuthFlow, but I think your question is similar to "How do I log out of a chrome.identity oauth provider".
Among the answers:
use launchWebAuthFlow with the logout url https://accounts.google.com/logout
revoking the token with https://accounts.google.com/o/oauth2/revoke?token=TOKEN
Adding &prompt=select_account into the url
As I said, I haven't used launchWebAuthFlow yet, but I wanted to help by showing you an already answered question
Scenario:
I built a Facebook tab application that requires authorization.
The application is installed on a Facebook page.
When an unauthorized user accesses the application I redirect to the OAuth dialog:
http://www.facebook.com/dialog/oauth?client_id=appid&redirect_uri=http://www.facebook.com/pages/page name/pageid?sk=app_appid&scope=user_birthday,user_location&display=page
Note the "redirect_uri" is the Application on the installed Facebook page.
So, if the user allows we redirect to the tab application - This works fine!
But, if the user denies access (clicks Cancel button - using new OAuth dialog).
The user is again redirected to the tab application and again redirected to the OAuth dialog.
I have noted from the documentation that when the user denies access the browser will redirect to the "redirect_uri" with the following parameters: error=access_denied&
error_description=The+user+denied+your+request.
But if Facebook is using an additional redirect to my application from the "redirectt_uri": http://www.facebook.com/pages/page name/pageid?sk=app_appid
...the error response seems to be lost.
Note: I can successfully capture the error parameters when setting the "redirect_uri" to the canvas url, but I need to have the redirect_uri formatted to open the application in the context of the installed Page if the user allows access.
How would I capture the error parameters in this scenario?
I solved this by adding a flag to the app_data parameter for the redirect_uri. When the user accesses the application initially, this flag is set. I check for OAuth token, if one does not exist I redirect to the OAuth dialog with a redirect_uri to the application installed on the Fan Page. The redirect_uri now includes the flag in the app_data parameter. So, after "Canceling" the application, Facebook redirects to the installed application on the Fan Page - I then check for the flag and redirect to an error page.