I'm currently working on an application that would rely on connecting with Coinbase and am relying on OAuth2 for authorization.
After reading and watching tutorials on implementing it via Spring, I'm able to open the authorization request page for Coinbase but cannot redirect to retrieve the token. When it redirects, it goes to the same port (localhost:8080) that is used to establish authorization. Whereas in other tutorials I've seen the application handle this properly and continue, the application instead launches the authorization page again.
What I'm wondering is how is Spring supposed to retrieve the token/code once the redirect occurs? If I change the redirect to something besides the url used to start authorization (8080 to some other number), then I see the url containing the code in my browser, but my application can't programmatically use it (unless I copy paste but this would be improper). If the redirect is 8080 then, it starts the process all over again and I can't use the code that was passed. It's probable a simple error but I appreciate any feedback as I'm still new to this.
security.oauth2.client.clientId=[redacted]
security.oauth2.client.clientSecret=[redacted]
security.oauth2.client.scope=wallet:accounts:read
security.oauth2.client.accessTokenUri=http://www.coinbase.com/oauth/token
security.oauth2.client.userAuthorizationUri=https://www.coinbase.com/oauth/authorize
security.oauth2.resource.userInfoUri=https://www.coinbase.com/oauth/authorize
security.oauth2.resource.preferTokenInfo=true
security.oauth2.client.pre-established-redirect-uri=http://127.0.0.1:8080
security.oauth2.client.registered-redirect-uri=http://127.0.0.1:8080
security.oauth2.client.use-current-uri=false
Related
Im currently trying to load test a website with keycloak authorization.
The problem is that i cant find the authorization code anywhere in the previous https requests, so i cant use the regular expression extractor to grab it and turn it to a dynamic variable. So how do i configure it to be dynamic?
the auhorization code as it was recorded with blazemeter
i already turned to session_code, tab_id and executive into dynamic variables, but it still returns "{"error":"invalid_grant","error_description":"Code not valid"}"
As per Authorization Code Flow:
Browser visits application. The application notices the user is not logged in, so it redirects the browser to Keycloak to be authenticated. The application passes along a callback URL (a redirect URL) as a query parameter in this browser redirect that Keycloak will use when it finishes authentication.
Keycloak authenticates the user and creates a one-time, very short lived, temporary code. Keycloak redirects back to the application using the callback URL provided earlier and additionally adds the temporary code as a query parameter in the callback URL.
The application extracts the temporary code and makes a background out of band REST invocation to Keycloak to exchange the code for an identity, access and refresh token. Once this temporary code has been used once to obtain the tokens, it can never be used again. This prevents potential replay attacks.
My expectation is that you don't see the code anywhere because the code has been passed from keycloak to the application via the redirect URL.
So instead of asking keycloak to send the redirect back to application with the temporary code you need to ask it to send the request to JMeter and catch it via i.e. HTTP Mirror Server, once the request reaches JMeter you should be able to get the temporary code using Regular Expression Extractor or Boundary Extractor from the Location header.
So, I have a WAS Liberty server which configured to work with OpenID provider. Then I have an Angular application which heavily using REST Api endpoint.
When I first open an application or open it after token has been expired everything is ok, WAS redirects me to OpenID provider and then regular flow defined by OpenID and backed by openidConnectClient-1.0 implementation.
But how do I suppose to care about following use case: token has been expired while the application were open, and user issues GET or POST request without reloading the application? Right now WAS perform redirect too, so I can't actually distinguish between regular response and redirect (both return status 200).
The only solution which I think about is to say to Websphere not to perform redirect for some endpoints but to return 401/403 errors. So I'll be able to monitor response codes in my client side and perform accordingly. Is it possible to achieve? Perhaps there's another solution which I didn't know about?
Update: After I've written this I thought about using Authentication Filters, i.e. define something like:
<authFilter id="testFilter">
<webApp id="simple" matchType="contains" name="simple"/>
<requestUrl id="excludeUrl1" matchType="notContain" urlPattern="/basic"/>
<requestUrl id="excludeUrl1" matchType="notContain" urlPattern="/api"/>
</authFilter>
But I immediately see two drawbacks on this approach:
Maintain app's logic in two different places, server.xml and app itself. It'll make maintenance of the application very cumbersome.
Due to nature of Authentication Filters it will fallback to another registry to perform login. It potentially can be a security flaw.
Update 2: Solution from above doesn't work. When server returns 401 Error together with www-authenticate header, browser shows popup of basic authentication, see proposed solution below.
To resolve this issue I've used Angular's Interceptors, where I check if there're following headers within the response: no-cache, no-store, must-revalidate, private, max-age=0. If they persist within the response I know that session expired and perform reloading of my application.
While reloading, liberty itself redirect it to SSO provider. Another solution is to extract redirect URL from response and redirect to it manually.
I'm new to web development and trying to get my feet wet by building a web app that uses Google APIs. I was reading Google's documentation on using OAuth 2.0, but the redirect URL bit has me a bit confused. According to the example here a successful authentication will send a response to
{redirect_url}?state=/profile&code={auth_code}
The response URL doesn't specify a user and neither does the response load as far as I know. How does the redirect URL endpoint know which user is tied to the authorization code it just received?
There was a very similar question here, but the answers focus on passing query parameters to the redirect URL. I'm not trying to do that. I want to understand how the redirect endpoint associates an OAuth response to a particular user. Note that I'm pretty new to all of this, so my confusion might stem from not understanding how HTTPS calls work or something similar.
A notable detail is when your redirect URL receives a response with code, it is the Google authorization server that redirect user's browser to your server. So it's user's browser that send a request to your server with code.
In other word, actually, you question is: "When your server receives many requests from many users, how do you know which user a request comes from"
I think you need to learn something about session or cookie which allows
HTTP to become stateful.
I have implemented an OAuth2 authentication mechanism in my GWT app. The OAuth2 server is based on Spring framework 3.x (using its Spring security OAuth2 implementation).
I am using the OAuth2 "Authorization code flow" to get the user authenticated (though implicit flow may have been a better choice in our case). So at first, the user is redirected to the OAuth2 server authentication page, he enters his credentials and if he is successfully authenticated, he is redirected back to a url with an oauth code. He will then make a second call to get an access token from the OAuth2 server.
Now, the issue is, we would like the user to be able to bookmark a page in the application and directly access it. If he has already authenticated then he would have direct access to it (no more auth involved). Otherwise, he would have to go into the OAuth2 authentication flow but in the end, should be redirected back to the bookmarked page he intended to access at the beginning.
How can I store this page url and get redirected to it after the user successfully authenticates ?
any help would be appreciated. Thanks!
EDITED
The initial url redirection is done via javascript's document.location.href
The way to maintain the original URI in an OAuth 2.0 Authorization Grant flow is to pass it in the state parameter so that the redirection endpoint can use it, after it exchange the authorization code for an access token, to redirect the user back to that URI.
FYI, this is exactly what Google suggests in the examples in their OAuth 2.0 documentation, e.g. https://developers.google.com/accounts/docs/OAuth2Login
Original answer:
The problem is using the hash part of the URL for the place, which is not sent to the server and thus cannot be used in the redirection to the OAuth2 server authentication page.
You have 2 (maybe 3) solutions:
stop using the hash for the place and switch to HTML5 History; either through gwt-pushstate at the History level, or a custom PlaceHistoryHandler.Historian if you use the Places API. That limits your audience though: http://caniuse.com/history
stop using an HTTP redirect, and instead use JavaScript so you can put the hash in the OAuth2 redirect_uri. So instead of redirecting, send an error page with the appropriate scripts bits.
some browsers append the hash to the URL after a redirection, so your OAuth2 server might be able to pick it (in JavaScript) and append it to the redirect_uri. That might depend on the HTTP status code used for redirecting (from experience, it works with a 301, but you don't want a 301 here). Needs testing.
You can do this using GWT activities and places.
I'm trying to access a REST service via a server-to-server GET request that is secured by OpenSSO/Spring Security and am unable to. It's like my Spring Rest Template client is not stateful to hold the cookies it should as I get redirected through the authentication workflow.
When doing this with a browser, the initial request is redirected to OpenSSO, I'm challenged for my cert (PKI), I present it, get a response with my authentication cookie header. Then I am redirected back to my original destination, I present my auth cookie in the request header and I'm on my way.
This isn't happening in my server-to-server invocations.
I've searched for quite a while now and can't seem to find any solutions that hold onto this state across redirects!
Following the link in zagyi's comment may have worked, but I spent some more time and found the following solution, which does not involve overriding anything:
To handle the authentication cookie in the REST controller, you have to explicitly tell it to accept cookies. Before handling the call, add the following line of code:
CookieHandler.setDefault(new cookieManager(null, CookiePolicy.ACCEPT_ALL));