Keycloak token service not running - node.js

I am trying to experiment with Keycloak for authentication and authorization.
I have deployed the Keycloak operator on Kubernetes and created the example Keycloak instance. I have created a demo client, realm and user.
I have successfully been able to port-forward and log in to the admin console.
Now I want to test it using react-keycloak. I have downloaded keycloak.json for my demo client and updated the env file required in the react-keycloak example. But it is not working.
Going to http://localhost:8080/auth/realms/user_realm/ gives me:
{
  "realm": "user_realm",
  "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk/ppy1MdjUBSTdidubb8wwlAKP2Pt4AyfAdQUYA4F1Ecvliir9EC/RZVICfFbQa4Jiekmr8K4Ye7DsXspseOll6ppL8zO3wDVMQNqthLbFHzEzPd+atkA//G6T/pgDKXO45EC0dNuo1Z2O4UWIn1ZewDMM2RlKXg6bcNtYKsWxcfNGqr/SRLkInrGa0yDVfr/anKhPTZhaUkbTrtemucSxGHD3vye5yWSoUbu22TDMmnLKiUOI5TATe/W11Vvbuv6cSEZVx9w1k6nvuHlAwnjrQEmHNS66lL1qtfau7cckM77Lz0TA5P/lYLhFsuGsqFzKyWqG1y1hYcHweYyL48/QIDAQAB",
  "token-service": "http://localhost:8080/auth/realms/user_realm/protocol/openid-connect",
  "account-service": "http://localhost:8080/auth/realms/user_realm/account",
  "tokens-not-before": 0
}
I tried these URLs and got the following results:
It seems the token service is not enabled. What do I need to do to enable it?
Also, on checking the logs of the Keycloak pod, I found the following. Not sure if it is related.
Any tips for me? :)

Does this page open after redirection from your app?
As far as I can see in the URL on the first screenshot:
.../auth?client_id=account&redire.... - instead of account it should be 'client-secret' (as I understand from https://github.com/keycloak/keycloak-operator/blob/master/deploy/examples/client/client-secret.yaml)

Related

Azure AD B2C: The redirect URI provided in the request is not registered for the client id... but it actually is

We have the following Azure AD B2C application (which we will call aadb2c) with the following settings:
Include web app/ web API: YES
Allow Implicit Flow: YES
Reply Url:
- https://localhost:44339/
- https://productionURL.com
- https://productionURL.com/
App ID URI (which is optional): none
Native Client: NO
This application is what our website https://productionURL.com uses to log in its users with Azure AD B2C.
However, on production we keep on getting the error:
The redirect URI 'productionURL.com' provided in the request is not registered for the client id 'aadb2c'
According to this we should add the link to our reply URL.
But as you can see above, we already included https://productionURL.com in the "Reply URL" section of the Azure AD B2C blade.
What could be causing this error to happen? How do we resolve the redirect URI request not registered error?
It needs to be configured in the code as well and you need to make sure that the protocols match. This can also happen if there's a mismatch with the tenant ID or the app ID.
Check the B2C callback request in Chrome DevTools > Network with "Preserve log" to see what URL is being returned. This should give you insight into the problem.
As an extra measure to ensure that the protocols are matching, you can add:
// Force https on the redirect_uri before the request is sent to B2C
if (context.ProtocolMessage.RedirectUri.Contains("http:"))
{
    context.ProtocolMessage.RedirectUri = context.ProtocolMessage.RedirectUri.Replace("http:", "https:");
}
After hours of looking at our code and finding no trace of the URL without a protocol or any trace of "http:", we then had to look at our deployment orchestrator.
Apparently in Octopus we were deploying the app with an incorrect URI: it was missing the protocol "https://".
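To see why a scheme-less or wrong-scheme value is rejected even though the host is registered, here is an added example (my own code, not from the answer or from Azure) of the exact-match redirect_uri check an authorization server performs, using the Reply URL list from the question as constructed sample data:

```javascript
// Registered Reply URLs, constructed from the question above.
const REGISTERED_REPLY_URLS = [
  "https://localhost:44339/",
  "https://productionURL.com",
  "https://productionURL.com/",
];

// Returns { ok: true } on an exact match, otherwise { ok: false, reason }
// where reason names the part of the URL that differs from a registered entry.
function checkRedirectUri(requested, registered = REGISTERED_REPLY_URLS) {
  let url;
  try {
    url = new URL(requested); // throws on a relative or scheme-less value
  } catch {
    return { ok: false, reason: `'${requested}' is not an absolute URL (missing scheme such as https://)` };
  }
  // Providers compare the raw string: scheme, host, port, path and
  // trailing slash must all be identical to one registered entry.
  if (registered.includes(requested)) {
    return { ok: true };
  }
  // Not an exact match: diagnose the near miss so the operator knows what to fix.
  for (const entry of registered) {
    const reg = new URL(entry);
    if (reg.hostname !== url.hostname) continue;
    if (reg.protocol !== url.protocol) {
      return { ok: false, reason: `scheme mismatch: registered ${reg.protocol} but request used ${url.protocol}` };
    }
    if (reg.port !== url.port) {
      return { ok: false, reason: `port mismatch: registered '${reg.port}' but request used '${url.port}'` };
    }
    return { ok: false, reason: `path mismatch: registered '${entry}' but request used '${requested}'` };
  }
  return { ok: false, reason: `no registered redirect URI for host ${url.hostname}` };
}
```

Feeding it the value from the error message ('productionURL.com') fails at the first step, which is the same failure the Octopus deployment variable produced.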

IBM App ID, Node.js app error {"error":"invalid_request","error_description":"redirect_uri doesn't belongs to the clientID"}

Recently I created an IBM App ID service, downloaded the Node.js code from the service dashboard and deployed it on IBM Cloud. As per the instructions in the dashboard it should work with the default settings, with no need to do additional setup in identity providers.
But when I click on login it gives me the below error on redirect:
{"error":"invalid_request","error_description":"redirect_uri doesn't belongs to the clientID"}
Not sure, but is it something to do with the redirect URL on the identity providers -> Manage page, or something else?
My understanding is that the Node.js code I downloaded is from the App ID service and it should work with the default configuration of the service.
Manage page
App.js code
const LOGIN_URL = "/ibm/bluemix/appid/login";
const CALLBACK_URL = "/ibm/bluemix/appid/callback";
Have you clicked on the edit button and inserted a Facebook/Google App ID/Client ID or password?
If you did so you aren't using the default configuration anymore and need to follow the instructions for adding App ID's redirect URL to Facebook/Google and adding your redirect to App ID in the lower box.

Running express-stormpath locally (register doesn't work?)

I'm trying to run express-stormpath on my local Node.js project, but I cannot do anything to sign up to get my API key. When I simply do:
var stormpath = require("express-stormpath");
app.use(stormpath.init(app, {
    web: {
        register: {
            enabled: false
        }
    }
}));
I was told by all the documentation that I should be able to visit http://localhost:3000/login and http://localhost:3000/register to verify the "installation" works, but I'm just getting timed out. My console reads:
Error: API key ID and secret is required.
When I go to the website, I can ONLY log in, and when I go to https://api.stormpath.com/register to register an account, it just redirects me to the login page (I got the link from here).
What do I do to register an account? This is one of the most frustrating things I have ever dealt with.
Sorry for the frustration.
Stormpath isn't accepting new tenant registrations because the service is shutting down after the team joined Okta. The functionality of Stormpath will make its way into the Okta developer API.
Source: previously at Stormpath, now at Okta.

High Trust S2S Provider Hosted App with "App + User" Policy

I am relatively new to SharePoint app development.
I'm trying to create an on-premises, high-trust provider-hosted app with the App + User policy. I have followed the documents below to create a demo.
https://msdn.microsoft.com/library/office/fp179901(v=office.15)
http://blogs.msdn.com/b/russmax/archive/2014/06/23/part-1-intro-to-provider-hosted-apps-setup-the-infrastructure.aspx
I am facing a few issues and I have some questions to clarify, if anybody can help.
1) When I inspect my request in dev tools, it gives me the below form data.
SPAppToken:
SPSiteUrl:
SPSiteTitle:Home
SPSiteLogoUrl:
SPSiteLanguage:en-US
SPSiteCulture:en-US
SPRedirectMessage:EndpointAuthorityMatches
SPErrorCorrelationId:f069e89c-a0cd-20ce-a1c0-7db95db0334b
Now when I inspect the log with the above correlation ID, I am finding the below errors.
-- Error when get token for app i:0i.t|ms.sp.ext|ab8ff461-bc75-4516-b475-b666ac47eec0#802f23e1-6e11-45d1-909c-07a7b0ab0ce2, exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.
-- App token requested from appredirect.aspx for site: 92bfe5c4-7255-4b09-a89a-07e0e2b03622 but there was an error in generating it. This may be a case when we do not need a token or when the app principal was not properly set up.
-- Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.
a) I believe in a high-trust app it shouldn't look for Azure ACS.
Is this error because of some incorrect configuration?
b) SPAppToken is null here. Is it always null in the case of a high-trust app?
2) Say I am logged into SharePoint as User A and trying to launch the SharePoint app.
Within the app code I want to get the identity of the logged-in user (which is A). From the code below I found that Request.LogonUserIdentity gives me the identity of user A. But how can we be sure that the request came from SharePoint only? I can copy the same app URL, paste it in a browser window, log in with Windows credentials and get the same result. So the question is how can I verify that it's a legitimate request that came from SharePoint only and no one is faking the request.
Also, when I inspect the request in dev tools, it's passing an Authorization key in the request header. What is the use of this?
// Build a client context from the Windows identity of the caller
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
{
    clientContext.Load(clientContext.Web, web => web.Title);
    clientContext.ExecuteQuery();
    Response.Write(clientContext.Web.Title);
}
3) Also, what happens if my app doesn't support Windows authentication and only supports FBA? Is there any way to get the user identity in this case?
Any help would be much appreciated.
Thanks
For issue #1: It looks to me like step #9 (Configure authentication settings) in this section (from the first MSDN article you referred to) was missed, i.e., 'ACS Control service' was selected instead of the 'Use a Certificate' option.
For issue #2: There are helper methods in TokenHelper.cs to validate the AccessToken from the HttpRequest, which identifies the validity of the request.

Azure Graph API: authorize application on multiple tenants

I am trying to create an application to browse my contacts directory on Exchange.
I have set up everything and I am able to request authorization from my app.
I can present the modal view, enter the login information and retrieve the token, but when I try to authorize the app with the same account I created it with, I get this message:
The client <my app id> and resource <my app URI> identify the same application.
If I try to authorize another account, I receive this message instead:
User account <an email> from external identity provider <a url> is not supported for application <my app id>
If I try to login on the Graph Explorer Console or on the Office 365 OAuth Sandbox, they work fine with the second address, but not with the first one.
I am really confused. I feel like I have messed up some configuration option, but I don't really understand which one.
Regarding #1, please do not pass the App ID of your application as the resource querystring parameter when authenticating against your tenant URL. I ran into the exact same problem.
Then I ran WebApp-MultiTenant-OpenIdConnect-DotNet from GitHub, noted down the sign-in URL it created, and used the following:
// resource is the API to be called (Azure AD Graph), not the app's own ID
var signInUrl = String.Format(
    "https://login.windows.net/{0}/oauth2/authorize?response_mode=form_post&response_type=code+id_token&scope=openid+profile&client_id={1}&resource={2}&redirect_uri={3}&state={4}&nonce={5}",
    Uri.EscapeDataString(tenantId),
    Uri.EscapeDataString(clientId),
    Uri.EscapeDataString("https://graph.windows.net"),
    Uri.EscapeDataString(redirectUri),
    Uri.EscapeDataString(state),
    // nonce: ticks plus a fresh GUID (Guid has ToString(), not Stringify())
    string.Format("{0}{1}", DateTime.UtcNow.Ticks, Guid.NewGuid().ToString())
);
Basically I used https://graph.windows.net instead of the App ID and magically things started to work :).
Another thing you could try (and I have not tried it) is authenticating against the common endpoint https://login.windows.net/common/oauth2/authorize and providing your App ID for the resource querystring.
