I have set basic auth in spring boot, when I try to access the web application using the browser by (entering localhost:8081/api/users) it directs me to the default login page generated by spring boot, then if the credentials were correct it re-directs me to localhost:8081/api/users and displays all the users.
But if I wanted to do the same thing in Postman it gives me a 200Ok and returns the html file in the body!!. I have set the autherization to basic auth and entered the right credintials but nothing seems to work on postman !!
Related
I'm currently working on an application that would rely on connecting with Coinbase and am relying on OAuth2 for authorization.
After reading and watching tutorials on implementing it via Spring, I'm able to open the authorization request page for Coinbase but cannot redirect to retrieve the token. When it redirects, it goes to the same port (localhost:8080) that is used to establish authorization. Whereas in other tutorials I've seen the application handle this properly and continue, the application instead launches the authorization page again.
What I'm wondering is how is Spring supposed to retrieve the token/code once the redirect occurs? If I change the redirect to something besides the url used to start authorization (8080 to some other number), then I see the url containing the code in my browser, but my application can't programmatically use it (unless I copy paste but this would be improper). If the redirect is 8080 then, it starts the process all over again and I can't use the code that was passed. It's probable a simple error but I appreciate any feedback as I'm still new to this.
security.oauth2.client.clientId=[redacted]
security.oauth2.client.clientSecret=[redacted]
security.oauth2.client.scope=wallet:accounts:read
security.oauth2.client.accessTokenUri=http://www.coinbase.com/oauth/token
security.oauth2.client.userAuthorizationUri=https://www.coinbase.com/oauth/authorize
security.oauth2.resource.userInfoUri=https://www.coinbase.com/oauth/authorize
security.oauth2.resource.preferTokenInfo=true
security.oauth2.client.pre-established-redirect-uri=http://127.0.0.1:8080
security.oauth2.client.registered-redirect-uri=http://127.0.0.1:8080
security.oauth2.client.use-current-uri=false
Our application is a Spring Boot application and we have gotten a requirement to implement OAuth2 authorization with the IdentityServer3 as the provider.
However, with everything set up properly, we keep getting the error The client application is not known or is not authorized. when redirected to the login screen of the SSO system.
Using postman, we are able to access the login screen when clicking 'Get New Access Token'
Using AdvanceRestClient, we get the same error as our Spring Boot application.
Checking the log of these 2 tools, i found that on postman, the request will POST to the Access Token URL first, while on both Spring Boot security and the AdvanceRESTClient, it will generate a GET URI to the authorize URL.
Example of POSTMAN:
POST https://login.xxx.com.my/LoginHost/core/connect/token
Example of AdvanceRESTClient first request:
GET https://login.xxxx.com.my/LoginHost/core/connect/authorize?response_type=code&client_id=xxx.web&redirect_uri=https%3A%2F%2Fauth.advancedrestclient.com%2Foauth-popup.html&scope=openid%20email%20profile&state=XXX
This is confusing. Which behaviour is correct? And why is there a difference there?
Hope anyone can help with this. Thanks.
* UPDATE 1 *
POSTMAN settings:
AdvanceRESTClient:
After looking at the console logs of both client, it seems that the issue is caused by the redirect-url. After changing the redirect url on AdvancedRestClient to match with postman settings then it works.
Im having a problem to understand the OAuth flow with Spring.
I have a server running, which got protected endpoints to deliver metric data about the users, revenue usw.
These are used inside an admin panel written in Angular2. Currently the access_token for these endpoints is received by sending the ClientId/Secret and username password to my server.
But obviously its bad to store the Clientsecret on a javascript site.
So I need a way to retreive an access_token from javascript without exposing the client_secret.
I tried to implement the Spring OAuth2 implicit flow which somehow works, but only when I type it inside a browser so the /login page from spring shows up.
My Admin panel has its own Login page so this doesnt work out.
Does anyone have suggestions?
I've added the client id and secret to the yml configuration file, but it's not working. When I try to login with one of the providers, it redirects me to a blank page with the message 'cannot POST /signin/google', if I try to login with Google, for example. I generated a monolith application with JWT authentication and social login feature (I'm using Angular 2+).
Maybe you should check https://console.developers.google.com/apis/credentials and set properly your Authorised JavaScript origins and Authorised redirect URIs. First one should be set to just for example http://localhost and second one must contain several entries for example
http://localhost:8080
http://localhost:8080/signin
http://localhost:8080/signin/google
I am currently working on a small project using keycloak 2.5.0
I've already set up the user login and i'm now trying to implement a page wide logout button.
As the documentation states, is simply called the route
http: //my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http: //application-root.com/
For the sake of simplicity i used an anchor tag to make this GET Request.
If i take a look into the Network tab of the firefox developer tools everything seems to be working fine. I am getting back a 302 status code for the redirection request. And after that, the application successfully requests the http: //application-root.com/ with a status code of 200 and redirects me to this page.
But when i want to request the locked content again (the one secured by keycloak) its still accessible.
But whenever i manually delete the JSESSIONID and KEYCLOAK_ADAPTER_STATE cookie after the redirection, everything works fine and i'm being logged out correctly. Sadly i can't delete those cookies programmaticly because they are HttpOnly
What is the expected behaviour of this request ?
Am i missing something ?
Has anyone experienced anything similar ?
Thanks for any help
I implemented logout using Keycloak 4.8.3 version. Mandatory parameter is id token (id_token_hint). Optional parameter is redirect url (post_logout_redirect_uri).
Example:
http: //my-auth-server/auth/realms/master/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEY0gyNnl0OFV0OEJQTGxoR&post_logout_redirect_uri=http:%2F%2Fapplication-root.com%2F