Determining OpenID returnURL automatically - passport.js

I'm using passport.js to implement Google OpenID authentication for my webapp. However, I'm not sure what's the best way to specify the returnURL.
Right now I set my server hostname in a config file, like this
server.host = 'http://foo.bar.com:5990'
But hardcoding the server URL there seems silly to me.
Is there any way to tell passport.js or Google OpenID auth to return to the same domain it started from?

Actually, turns out I can just use a relative URL in the returnURL and it will work. :-)

Related

Getting Azure AD SSO to work with two different URLs

We have an application that is reachable through a specific URL when connected from our office public IP, and that is reachable through another specific URL when outside the office with a VPN.
We managed to set up the OAuth2 SSO for the first use case and I was wondering if there was any way to add the second URL, so that our users working through the VPN could also log in with the SSO.
Couldn't find a way to do it so far, if you have any clue.
Thanks!
As juunas said, when you set Redirect URIs in Azure App registration, you could add multiple redirect URLs.
And when you use OAuth2 SSO, here such as using OpenID Connect flow, you could specify different redirect_uri when you authenticate the user.
Thanks for your answer, the second redirect URI configured in the Azure App was redirecting us to the first one specified, after hitting the SSO connection button. I guess we found something in the app that was forcing this redirection, we'll try to remove this setting on Monday.
Thanks for your help,
Steven

How to make a client for a site that handles logins with Facebook?

I'm writing a client in NodeJS that is meant to replace using a website, and it isn't my website. It uses Facebook to log in. Is it possible to log in via a Facebook username/password? It seems modules like passport-facebook are intended for use with a website that you own, which is not the case in my scenario.
I suspect that I can't login with a username and password, so I'd have to sniff web traffic of me browsing the normal website for my token for the website, and then somehow use that in Node, but I hope this isn't the case.
Thanks for your help.

How to obtain access tokens from google

How to obtain OAuth access tokens from Google if I have only registered an app and no server to redirect to (as a "redirect_uri" parameter)?
I'm guessing that when you say you have no server, that your app is a native app. eg a desktop app or an embedded app. If so, you can generate tokens using the OAUth playground. See How do I authorise an app (web or installed) without user intervention? (canonical ?) for details.
You can use https://www.example.com/oauth2callback as your redirect uri.
Yes you can get an access token without a server. We've made it fairly easy. See the docs
On android it is fairly easy
https://developers.google.com/identity/sign-in/android/additional-scopes
https://developers.google.com/identity/sign-in/ios/
https://developers.google.com/identity/sign-in/ios/additional-scopes
Web
https://developers.google.com/identity/sign-in/web/incremental-auth
You can just change the scopes you need.

OAUTH client secret security, localhost redirect URI and impersonation

I've been doing some work with OAUTH 2 in the last few years. I have a few authorization servers and several clients using them.
Anyone who has made an app or some client solution that uses OAUTH2 knows that the client secret can be a problem. One can mitigate this somewhat by using access code grant. There has been talk about using a proxy for the secret.
My question is about the redirect URI - this was meant to protect the Access Code grant process. The Auth server will only return the access code to the redirect that is on file (in the database for that client ID). The issue comes into play with mobile apps. They usually depend on https://127.0.0.1 or https://localhost for a redirect URI. Anyone can get a localhost token, right?
With this being the case, what is stopping someone from impersonating a clientID using the localhost redirect URI? Could I not make a copy-cat app, use the same OAUTH2 sign in flow using the real client ID and if I was able to get a user to login, I now have an OAUTH token to access resource servers with. Am I wrong?
If anyone can shed more light on this, I would be greatly appreciative. I want to learn as much as possible, anything helps.
The attack that you describe is a known weakness when using the Authorization Code grant for native mobile apps. An OAuth 2.0 extension called "Proof Key for Code Exchange" has been developed to mitigate against this threat through the use of a "code verifier" that is dynamically generated and only known by the real Client.
This work was standardized in the IETF as an RFC called Proof Key for Code Exchange by OAuth Public Clients, available at: https://www.rfc-editor.org/rfc/rfc7636

How to use "Restrict JWT Issuing option for Windows 8 apps" in Live Connect?

Based on the descriptions on http://msdn.microsoft.com/en-us/library/live/hh826544.aspx#restrict_jwt, I still don't know how to use this feature. My understanding is that:
1. I need to create two win8 apps. For example, AppA and AppB.
2. Configure them with Live service on Configuring your app.
3. Only specify one app with a redirection URI. For example, specify "url://appA" as the redirection URI for AppA.
4. Make sure both win8 apps' "Restrict JWT Issuing" option is set to "No".
5. For AppB, use the redirection URI from AppA to initialize the LiveAuthClient object: var authClient = new LiveAuthClient("url://appA"); After that, the authentication token to AppB from Live Connect should be able to be parsed by AppA's client secret. But it turned out that the authentication failed and no authentication token was returned.
Can someone help to point out whether my understanding is correct? Thanks in advance.