In an application if a user wants to sign in using SSO they get redirected using SAML's deep links(https://developer.okta.com/docs/reference/api/idps/#redirect-with-saml-deep-links) but the problem is that if a user enters the wrong credentials the application doesn't get any logs from Okta. So, I added Okta's event hooks and now there are logs coming but these logs don't come with the relayState. I was wondering if there was a way to configure Okta's event hooks to attach the relayState when they send their logs or if there is another approach on obtaining logs with the relayState? If the user signs in correctly then we get the response with the relayState, which is expected behavior. Would appreciate any help.
Related
I have used this sample to integrate a bot in MS Teams
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/46.teams-auth
I needed to configure a third party OAuth provider and had all sorts of trouble doing so. Thanks to a smart gentleman on another thread, I am now able to authenticate my user with such provider.
Here's a quick example of the conversation flow. Don't mind the buttons in French, Oui is Yes and Non is No. On first boot of the application, when I click on the Sign In button, my provider's authentication windows opens and shows the auth form just fine.
However, when it comes time to logout the user and I type "logout" as indicated within this code sample
If I type anything else to log back in, I am instantly showed that I'm logged in, the authentication window opens and closes instantly and my token remains obtainable. How do I go about actually clearing that token? I don't feel like this is the intended behaviour, as shown by the docs here:
Do I have to clear it manually? If so, how should I approach this?
Thanks for any help you can provide on this
Note: I have tried to revert back to the default sample, with an AzureAD v2 connection and the result is the same. I login just fine with my Azure AD account, but the token persists even after a logout.
EDIT
Following the sugestions, here are additional screenshots
This is some info from the Context object passed down to the Interrupt
This is the content of the AuthenticationContext available in the Context object above
Note that I get my Success when I call the logout endpoint that was suggested
I want to build a web application in Go. I'm using Google App Engine for deployment combined with Identity Aware Proxy (IAP) to authenticate user access.
I want to know how to access the authentication to get the user email, which I can link to app data stored in a back end database. Essentially I want to avoid my users logging in and then having to authenticate again to get their profiles from the back end.
I have looked into the IAP documentation and I can see it uses JWT Headers and that is where my knowledge lacks. My guess would be a link to the incoming request which accesses those headers to get the email.
I am trying to run the active-directory-dotnet-webapi-onbehalfof sample in single tenant mode. I've registered the web app service and the native app client as global admin for the tenant. When I run the sample, as a user in the tenant, I can get a token in the client only after consent pops up (first-time for user), and then call makes it to the service, but there it fails with below. Why is that? Documentation says that when a tenant admin registers the application no further consent is needed? I don't think it is possible to give consent when a remote webapi tries to get OBO token. Something seems buggy... AAD team, please clarify how the OBO feature should be used.
AADSTS65001: The user or administrator has not consented to use the application with ID 'b824502e-fe8a-4770-bd98-8d65a07efcc3'. Send an interactive authorization request for this user and resource.
Trace ID: ad7843d0-be4e-4098-8f7c-43c8e5505cfc
Correlation ID: 140466a4-7250-429f-8843-dbd4f63dc60e
Timestamp: 2016-11-25 21:46:13Z
When you register an application using the Azure Management Portal (manage.windowsazure.com) as a tenant administrator, then yes you should not get consent, as long as subsequent tokens are being retrieved in that same tenant.
Because you are seeing consent for the native client app, and then getting that error message, we must assume that something is not being satisfied which would suppress consent for your app.
To resolve this issue, my recommendation is to simply initiate an interactive authorization request just like the error message implies. You can do this by generating a log-in url for your application, with a specific query string that will force prompt tenant wide consent (prompt=admin_consent).
Here is the skeleton for the URL you need to complete:
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent
You can do this for all the applications you registered, and you should not run into consent issues (assuming you are indeed signing in as a tenant admin).
I hope this resolves your issue.
We're using Spring Social LinkedIn in a single page javascript app to authenticate a user. We're able to successfully authenticate against LinkedIn, but we're having trouble getting that to integrate with our javascript app. It actually breaks down into two issues:
Issue 1:
We're using one API key for a set or related apps - and we use a single sign-in process. We need a way to identifiy which app the user came from and to send them back to the right app after logging in. The problem we're having is LinkedIn only allows one redirect URL and I don't believe it can carry any parameters (that would probably be the solution if it's possible to carry a parameter like the identifier of the app they're in). Do you know of a way to conditionally redirect the person after login?
Issue 2:
When the user is authenticated, we store the user info in our database, but after that we need the log the user into our app and provide the user with a token. Is there a way after the LinkedIn authentication completes to trigger another call to the server to request the token?
I am creating a windows plugin which would access Yammer data like groups user follows etc, for this i created a client application and accessed yammer rest api using client id and access token i get after user allows my app to access his data in a consent page. I am able to successfully do all this when people of my network are trying to login but this does not work when the plugin is being used by people of other networks, I am able to receive the access token after the user gives his consent in user consent page, but when i try to access his data like fetching groups using rest uRL i get an error saying "{"response":{"stat":"fail","code":17,"message":"Attempt to access a protected resource failed."}}"
please be noted the client app i created is not yet deployed into Global App directory, I really doubt if this is the actual cause of the issue, because i think if this was an issue it should not have recognized the client id itself and would not have shown the external network users the consent page too. may be if i am wrong please correct me
To access users on other networks' data, your app must be globalized (even if you don't want it to be listed in the Global App Directory). Without the user's consent, your app is not allowed to attempt to login on behalf of the user, thus they see the popup for authentication, and then the auth process fails because the app is not globalized.