I'm trying to run express-stormpath on my local NodeJS project, but I cannot do anything to sign up to get my API key. When I simply do:
var stormpath = require("express-stormpath");
app.use(stormpath.init(app, {
web: {
register: {
enabled: false
}
}
}));
I was told by all the documentation, that I should be able to visit http://localhost:3000/login and http://localhost:3000/register to verify the "installation" works, but I'm just getting timed out. My console reads:
Error: API key ID and secret is required.
When I go to the website, I can ONLY log in and when I go to https://api.stormpath.com/register to register an account, it just redirects me to the login page (got the link from here).
What do I do to register an account? This is one of the most frustrating things I have ever dealt with.
Sorry for the frustration.
Stormpath isn't accepting new tenant registrations, because the service is shutting down after the team joined Okta. The functionality of Stormpath will make its way into the Okta developer API.
Source: previously at Stormpath, now at Okta.
Related
So I recently used the quickstart method from Azure to make a JS app which authenticates using the MSAL.js library. I am able to authenticate using the normal users in AD, however when adding in google as an external identity provider, I get the Authorization error:
"Error 400: redirect_uri_mismatch
The redirect URI in the request, https://login.microsoftonline.com/te/{tenant-id}/oauth2/authresp, does not match the ones authorized for the OAuth client...."
I have checked the URI in my JS app, on Azure and added it in the Google develops console to no avail. I have followed the documentation as per: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-google
I have tried fiddling with everything and don't know what to do to fix it. Keep in mind that when I created the Azure account, it automatically made my tenant name "Default directory" and my Primary domain as "{FirstName}{EmailDomain}#onmicrosoft.com". I since then change my tenant name to "NewTenant" (I will be changing all names for the purpose of this question as I would like to not reveal any actual details where possible).
To conceal my details I'll be making "{FirstName}": "Bob", and "{EmailDomain}": "mydomain"
JS code:
const msalConfig = {
auth: {
clientId: '{ClientId}',
authority: 'https://login.microsoftonline.com/{TenantId}',
domain: 'bobmydomain.onmicrosoft.com',
instance: 'https://bobmydomain.b2clogin.com/tfp',
redirectUri: "http://localhost:3000/"
},
cache: {
cacheLocation: 'sessionStorage',
storeAuthStateInCookie: false
}
};
Azure:
Azure redirect URIs
Google developer console:
Google redirect URIs Bear in mind I fiddled with the HTML so that I could get a nice screenshot. I have also configured the ClientID and ClientSecret for Google auth in the Azure external identity provider portal.
EDIT: http://localhost:3000/ was also added as a redirect URI to the Google dev console but also to no avail
Any help would be appreciated.
We have a SaaS web app and our clients are requiring SSO authentication for each of them. We are using AzureADB2C and it works great, but now are looking at adding SSO.
I put in the SSO setup into the B2C tenet and it works great, but really messed up our login screen with a "MyCompanySSO" button to log in with, on our customer-facing login screen.
So now my idea is to have a separate user flow that handles each SSO setup. Starting with us. We'd go to MyCompany.OurSaaSApp.us and that'd forward them directly to the user flow endpoint and prompt them to login with their SSO account (AzureAD).
This all seems to try to work, but I'm getting these errors within the AzureADB2C middleware:
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler:Warning: .AspNetCore.Correlation. state property not found.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler:Information: Error from RemoteAuthentication: Correlation failed..
Then I get pumped out onto a error page and the login fails.
So 2 things...
1.) Am I going in the right direction knowing what we're wanting to accomplish
2.) What do we need to do to resolve this?
Thanks everyone for the help, it's been greatly appreciated.
(note:)
Just to reiterate. The SSO works properly when the custom identity provider is attached to the existing SignUpOrIn UserFlow I have configured in the app. I'm only getting this error when I try to use another UserFlow that I want to use specifically for this SSO.
I'm not sure about that specific error, although "state" parameter is a parameter that your app sends in the request that will be returned in the token for correlation purposes.
Using and different policy for each federation sounds like the right approach, but if you are doing from a single instance of your app, you'll need to modify the OIDC protocol message with the correct authority (ie policy) on redirect.
In your OIDC middleware configuration, set up a handler for the RedirectToIdentityProvider notification. Then handle it with something like:
private Task OnRedirectToIdentityProvider(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
//var policy = notification.OwinContext.Get<string>("Policy");
var tenantSegment = notification.Request.Path.Value.Split(new char [] { '/'}, StringSplitOptions.RemoveEmptyEntries)[0];
if (!string.IsNullOrEmpty(tenantSegment) && !tenantSegment.Equals(DefaultPolicy))
{
notification.ProtocolMessage.IssuerAddress = notification.ProtocolMessage.IssuerAddress.ToLower().Replace(DefaultPolicy.ToLower(), $"B2C_1A_{tenantSegment.ToLower()}_SignUpSignInPolicy");
}
return Task.FromResult(0);
}
If you need to inject anything else tenant-related, that would be the place to do it.
I am working on some client side web app like a chrome extension that needs access to outlook mail and calendar. I followed the instruction on https://dev.outlook.com/RestGettingStarted and successfully got access and refresh tokens to retrieve data.
However, I cannot find any way of implementing "logout". The basic idea is to let user sign out and login with a different outlook account. In order to do that, I removed cached tokens, requested access tokens in interactive mode. The login window did pop out, but it took any valid email address, didn't let me input password and finally returned tokens for previous account. So I was not able to really use a different account until the old token expired.
Can anyone please tell me if it is possible to send a request to revoke the tokens so people can use a different account? Thanks!
=========================================================
Update:
Actually it is the fault of chrome.identity api. I used chrome.identity.LaunchWebAuthFlow to init the auth flow. It caches user's identity but no way to remove it. So we cannot really "logout" if using this api.
I used two logouts via launchWebAuthFlow - first I called the logout link to my app, then secondly, I called the logout link to Google.
var options = {
'interactive': false,
'url': 'https://localhost:44344/Account/Logout'
}
chrome.identity.launchWebAuthFlow(options, function(redirectUri) {});
options = {
'interactive': false,
'url': 'https://accounts.google.com/logout'
}
chrome.identity.launchWebAuthFlow(options, function(redirectUri) {});
I am trying to create an application to browse my contacts directory on Exchange.
I have set up everything and I am able request the authorization from my app.
I can present the modal view, enter the login information, retrieve the token, but when I try to authorize the app with the same account I have created it I get this message:
The client <my app id> and resource <my app URI> identify the same application.
If I try to authorize another account, I receive this message instead:
User account <an email> from external identity provider <a url> is not
supported for application <my app id>
If I try to login on the Graph Explorer Console or on the Office 365 OAuth Sandbox, they work fine with the second address, but not with the first one.
I am really confuse. I feel like I have mess up some configuration option, but I don't really understand which one.
Regarding #1, please do not pass App ID of your application for resource querystring parameter when authenticating against your tenant URL. I ran into the exact same problem.
Then I ran WebApp-MultiTenant-OpenIdConnect-DotNet from Github and noted down the sign-in URL it created and I used the following:
var signInUrl = String.Format(
"https://login.windows.net/{0}/oauth2/authorize?response_mode=form_post&response_type=code+id_token&scope=openid+profile&client_id={1}&resource={2}&redirect_uri={3}&state={4}&nonce={5}",
Uri.EscapeDataString(tenantId),
Uri.EscapeDataString(clientId),
Uri.EscapeDataString("https://graph.windows.net"),
Uri.EscapeDataString(redirectUri),
Uri.EscapeDataString(state),
string.Format("{0}{1}", DateTime.UtcNow.Ticks, Guid.NewGuid().Stringify())
);
Basically I used https://graph.windows.net instead of App ID and magically things started to work :).
Another thing you could try (and I have not tried it) is authenticating against common endpoint https://login.windows.net/common/oauth2/authorize and provide your App ID for the resource querystring.
I'm trying to authorize with chrome.identity.getAuthToken() to get token for Picasa web service. I couldn't find Picasa API in Google Developer Console and set its scope to "https://picasaweb.google.com/data/" oauth2 part of manifest.json. Picasa docs say that I can skip this step.
chrome.identity.getAuthToken({
interactive: true
}, function (token) {
if (chrome.runtime.lastError) {
console.error(chrome.runtime.lastError);
} else {
console.log(token);
}
});
getAuthToken() always ends with an error "OAuth2 request failed: Service responded with error: 'bad client id: {0}'". If no scopes are set, the error looks like "OAuth2 request failed". Where have I mistaken?
Steps I take to make it work
Go to Google Developers Console and create a new project.
Go to APIs & auth > Credentials in the panel to create new Client ID. The application ID of chrome app can be obtained from Chrome Developer Dashboard if you your app is uploaded.
Go to APIs & auth > Consent screen and fill in Email Address and Product Name and Save.
I didn't know step 3 was necessary.
It seems amazing but after 1 day has passed, everything is working :)
UPD: I've tried gdrive sample from chrome-app-samples repo and added scope for Picasa. After everything worked fine, I copied its key and oauth2 section to my app's manifest. Everything worked fine too. After this I deleted client_id for app in developer console and created it again. And after that everything was ok.
You need to register your application in Google Developer Console and obtain a client_id. See the 'Credentials' pane to configure your application.