I am trying to get the nodejs adapter to working with my Express application and am getting issues after an authorisation code is returned for a user and then a subsequent request is made to exchange this for an access token.
Through some debugging of the library it seems the redirect_uri being sent in the subsequent request is blank, and when adding a breakpoint and inspecting the below code, I can see a session object is present, but there is no auth_redirect_uri property present
Watching the initial request when authorising the user, I can see the redirect_uri is present in the request query params.
So I can only think for some reason this is not being parsed out by the nodejs adapter after the user has been authorised and then persisted to the session object.
My express application does use the express-session middleware which I have configured to save sessions to a mongoDB. I then use my configured session store with the keycloak middleware configuration, in the same way as per this example
Can anyone offer any thoughts on what may be happening here?
Thanks
Related
I'm building a small app with Node (server) and React (front). I make API calls to an external application and the token has to be refreshed often. For now, I've tried two options but they are not optimal :
First I get the Token on React parent component, save it in local storage then pass it to to the child component which will pass it to the server which will handle the call. The problem is that the asynchronous nature of React creates some problems.
Each time I call the API, I generate a new token. The problem is that I could have a lot of API calls.
What would you recommend me?
Thanks
You need a layer in the API to make sure that you don't request a new token until it expires or you don't have the token and ofcourse you need to make an API call only when you don't have token in local storage.
So, there are two places you need to write a logic to make sure if you need token or its already there.
Client-side: before making the API call check if token exist for the user. If it is not present, request the token from Node.js API.
Backend: You need to keep the token in DB or cache(in-memory db) with the client id or any unique id. Saving in DB can be good option even if your server restarted you have track of all the active tokens.
Before making the request to the external API check if you already have a token with you.
The problem might be you are missing one of these steps or both and thats why you are getting new token everytime.
An Oauth2 client application generated by Jhipster has a behaviour issue after some idle time. After a signed-in user has some idle time on the application, interaction with the application will lead to an undesired behavior such as a data isn't fetched from the database.
I have learned that user session data is stored in a form of a cookie on the front end. For the Vue front-end, searching
this.$cookie.set(
yields no result.
I do see JSESSIONID in a request header after a user signs into the application. So, I assume that the session id also is stored somewhere on the server. For every REST request, the server would verify the session id in the request header by comparing it with the session id on the server. When the session is time out, the server no longer has the session id. Any REST request from the point will lead to undesired behaviour in the current implementation. A filter is needed to verify a REST request session id with the server.
I have a look at the code in the security package as well as the security configuration. But, I don't see any code dealing with a user session.
How does the server work in this regard?
Update:
To deal with an invalid user session for a sign-in, I notice that the ExceptionHandlerExceptionResolver will handle the InsufficientAuthenticationException after refreshing a browser. Otherwise, the exception won't be handled. How to resolve this issue?
Actually I want to know that, what is the best way to secure my node js / express API from another application in which I'm calling the API from client side (Ajax call).
I know that, I could use JWT token based authentication, but I need to pass the Username and password to Node server to get token generated, I don't want to do this as I've already logged-in in an another application.
Any help / suggestions would be appreciated! Thanks.
So, you need to work with some Oauth server and your application before process the request sent to him must validate de token on that server.
But how it works?
In short terms, must exist in your application a middleware who will do a request to oauth server, after you receive that response (if will not with authentication error), you continue the process. If to exist a problem with the token or login, the oauth has the responsibility to block the process and return HTTP status 401 (when the user and pass wrong) or 403 (when the user doesn't have the permission to the resource).
Here are a few examples to follow.
I've been studying the OAuth 2.0 authorization code flow and am trying to write a React application with an Express backend that displays what a user would see on their own Instagram profile. I'm trying to do so with minimal external libraries (i.e. not using passport-js) and without bringing a database into the mix.
This is my flow as of now:
Resource owner clicks an <a> tag on the React application (port 3000) which redirects them to the /auth/instagram endpoint of my Express server (port 8000)
res.redirect(AUTHORIZATON_URL) sends them to Instagram's authorization server
Resource owner consents and the authorization code is sent back to the predefined redirect-url /auth/instagram/callback with the authorization code set as a query parameter
I strip the authorization code off the url and make a POST request to https://api.instagram.com/oauth/access_token to grab the access token
Now that I have the access token, how do I reach out to the React frontend to let them know that everything worked and that the user was successfully authenticated?
From what I've read, this is where the idea of sessions and cookies come into play, but I haven't had luck finding documentation on how to achieve what I want without bringing in third party libraries.
In the end, I would like for my app to support multiple users viewing their profiles simultaneously. Since I imagine passing the access token to the frontend defeats the purpose of securely retrieving it on the backend, I'm guessing I will somehow need to pass a session id between the frontend and backend that is somehow linked to an access token.
Any ideas as to what my next steps should be are greatly appreciated, as well as any articles or documentation you see fit. Thanks!
Since you're doing the OAuth authentication on the server side, you have to pass some parameter to the redirect_uri, identifying the user session (see: Adding a query parameter to the Instagram auth redirect_uri doesn't work? );
When the redirect uri is called from the authority server, you will know which user was authorized. To notify the browser there are two options: 1) Notify the client using web sockets; 2) Pull the state from the client using a timer triggered function;
We have developed a website in normal html and js in the frontend and node.js in the backend.
I have used sessions data to get somethings done such as welcome email or mobile otp verification after the successful registration.
Now we are developing a cordova app with same backend api's and the actual problem comes here.I am unable to access my sessions data i.e.. req.session.user is null which I have updated after the successfull registration.
Can someone please suggest what is the solution for this?
In order to work session properly, you need to pass the sessionId in every request on the website this ID will set in a cookie and automatically send in every request.
When comes on to mobile you can achieve the session with the following approach.
1)When a user successfully logged in issue a token and store that token in your Cordova app (usually in local storage).
2)For every request pass this token along and check whether the token exists or not.
Note: You can attach the token in the authorization header