I have done the setup Access Management(OPENAM) version 6.5.0.1.
I can directly access .well-known/openid-configuration via below url without login
http://XXXXXXXX:8080/openam/oauth2/realms/root/.well-known/openid-configuration
Is there any way to restrict this url or only admin user can access this url.
Related
I want to implement a feature in which there is a central login site lets say: https://example.com , and when user enter login credentials in this page and select from dropdown on which sub domain user wants to log into, the user gets logged into that subdomain like https://abc.example.com.
I am using MEAN stack and jwt token for authentication. JWT implementation is applied in standard way in which first: request is sent to "/authenticate" and then token is returned which will be stored in browser local storage.
I have successfully done one site authentication ie. login from https://example.com and logging user in that domain, but now I want to implement like this flow =>
On login page of https://example.com :
User can select an option from drop down in which subdomain to login
After that user enters login credentials ( these credentials can be different or same for all subdomains )
User gets redirected to dashboard page of that subdomain ( with JWT token stored in the local storage of that selected sub domain )
Above is the flow I want to be implemented but can be changed if other flow achieves the same result
I have searched questions and blogs regarding this topic:
I have gone through SSO ... but that is not what exactly I want; because SSO is like login in one subdomain and it gets logged in everywhere else... but I want to login from a single login page to subdomain's dashboard page based on user selection.
How I have thought of implementing this (not working) :
I will first send "/authenticate" request to https://example.com with parameter like
{ username: "alice", password: "****", subDomainUrl: "https://abc.example.com"}
My nodejs backend will authenticate and return me the JWT token. Now I will redirect to that subdomain(https://abc.example.com) and send this token from https://example.com to https://abc.example.com and somehow it will get stored in this subdomain's(https://abc.example.com) localstorage. After it is stored in local storage I can easily do my other work.
So how to implement this? Is the above approach practical; if then how to properly do it? What is the best way to implement these kind of architectures? Any help will be great, Thanks!
I suggest you first send /authenticate request from https://example.com/.
It will be validated by nodejs backend and then generate JWT token and redirect to the new subdomain including token.
http.get('*',function(req,res){
res.redirect('https://abc.example.com?token='+JWTtoken);
})
You can fetch the token from the subdomain and store in your local storage. Further, you can use this token for your api authentication.
I am using Azure AD, in which access token comes to teh redirect URL when the user is successfully signed in into their Microsoft account. Can we avoid getting this token in the URL, and get it somewhere else? Or is there any different approach required for this?
As if someone gets that token, they can hit the backend server of my application and can get data.
Your concern is well-founded, but receiving a token in the redirect URI is central to how OAuth flows work, regardless of whether that's Azure AD or any other OAuth IdP.
From an OAuth redirect URI overview:
Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.
The best way to ensure the user will only be directed to appropriate locations is to require the developer to register one or more redirect URLs when they create the application.
You're redirecting them to a source you control, using an encrypted channel, and that's considered good enough for current Internet security operations.
A very simple situation:
Azure webapp with AD authentication
the redirect URI is an index.html static page.
Open browser to http://xxx.azurewebsites.net/index.html
redirect to AD login page. Users enter username / password.
redirect back to http://xxx.azurewebsites.net/index.html
Now I want the landing page shows "Hello, [first name] [last name] !". I know the first name, last name, and other info can be found in the id token after successfully login.
In chrome, I open the developer tool and start opening that URL. After I get to the index.html, I'm not able to find the id token in the request header in all network call.
I have servlet to dump all the request header data also cannot see the id-token.
So how can I get the id token from backend or even front end (javascript) ?
Yes I know I can use graph API to fetch user info. But if it is available in the token, I don't want to make extra call.
How to redirect users to login page when users try to access without login using direct URL.
I have completed a token based authentication, after user login I got token, so I will maintain same token for further request. But I tried direct url without login, page is loading. I want to allow access only after user login.
Please refer this link https://github.com/strongloop/loopback-example-access-control. I have downloaded this application and I tried the direct url without login (that is http://localhost:3000/projects), page is loading. Here I want to redirect login page. Please suggest any sample application.
I am not using AngularSDK
I want to mimic the features of a secure FTP Server, such that the end user would have to present credentials or a token before the end user can download a file.
How can this be accomplished using blob storage? Shared Access Signatures does not work, as once you have the URL you have access to the file?
I want a feature such that the user either enters his/her credentials or presents token before the download. Any Ideas?
The recommended pattern is to write your own service that authenticates the user, checks if they're authorized for the requested resource, and then returns either:
the requested resource:
or a Shared Access Signature for the requested resource:
http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#when-should-you-use-a-shared-access-signature