Securing SprintBoot Web App using Azure AD - spring-boot

Getting this error:
unable to acquire on-behalf-of token for client f93-3-4-a**
Please help!!
I am able to do firstime login and try changing password.After that clicking Login gets this error

Make sure that the admin has enabled user consent.
If you have already done that, try updating to SpringBoot 2.3.3. There was an issue in earlier version that could cause this to happen.

Related

Cockroachdb: Retrieving cluster info: failed Error: 401 Unauthorized

I am trying to connect to my Cockroachdb cluster using:
ccloud auth login && \
ccloud cluster sql ocean-panda
To which I am getting the following error:
logged in to "YASH KOTHARI's Organization" (org-3447v) as YASH KOTHARI
Retrieving cluster info: failed
Error: 401 Unauthorized
2022/11/02 17:58:59 401 Unauthorized
Therefore, it is logging into my account, but not giving me access to any of my clusters. What to do? Did I mess up any certificates or something? I have tried to remove and reinstall anything cockroachdb related but nothing is working. I tried to do this on someone else's system and it is working fine. I am getting this error just on my system!
I am on a Mac (M1) btw.
Thanks a ton for sharing this, we're currently testing some new connection flows using the ccloud CLI and this is a new one!
I'm going to look into it on our side, since this looks like a bug. In the meantime I'd recommend using the other connection options that are available. They can be reached using the "Connect" button in the cluster overview page.
A few other steps that could potentially get it working:
ccloud auth logout && ccloud auth login to refresh the login parameters
ccloud cluster list and see if the same error occurs

Can't login with SSO - NOSTATE SimpleSaml (ITfoxtec.Identity.Saml2)

I have following problem:
I configured my .NET Core 3.1 app to be my service provider (according to this tutorial, just changed identity provider - with Okta IdP mentioned in this guide everything works perfect) and actually I can go to my login page, which is Identity Provider in PHP (SimpleSAML). After login I have SimpleSAML_Error_NoState: NOSTATE and I stay logged out in my .NET app, but it seems that my login was sucessful, because I don't have to login on another sites which uses this IdP. Also upon going to login page in my app I don't have login page, but only this error. My cookies are set properly I believe, that is why I'm logged in on another app.
I don't know if I should post code fragments here, because it is the same as tutorial mentioned above, the only difference is appsettings.json.
It seems like the SimpleSAML_Error_NoState error is related to SimpleSAML. Maybe you can see more details in the SimpleSAML log.
Maybe SimpleSAML require an additional request parameter, but it is not anything I know about.

Error: restricted_client when authorization Youtube API V3

I got this error when I create new client secret in new project.
That’s an error.
Error: restricted_client
Unregistered scope(s) in the request: https://www.googleapis.com/auth/youtube.readonly
Request Details
access_type=offline
response_type=code
client_id=487794563386-mujtj6b5iatnmvdailldn468gg028p8g.apps.googleusercontent.com
redirect_uri=http://localhost:61515/authorize/
scope=https://www.googleapis.com/auth/youtube.readonly
That’s all we know.
How could I fix that ?
403 errors are errors with the users access. The user you are currently authenticated with does not have permission to do what you are trying to do in your case it appears to have something to do with the following scope.
https://www.googleapis.com/auth/youtube.readonly
Its hard to know what you are doing without seeing your code. I suggest you attempted to authenticate your user again. IF you changed the secret then its not going to work with a refresh token generated by another secret.
I am going to contact Google to be sure that there hasnt been any changes recently. I cant see anything in the change logs myself. There may have been a stealth change that they didnt release.
Status

Error: invalid_client no registered origin

I have installed the Google Drive Realtime API sample files on my web server, following these instructions, including generating a client_id in the Cloud Console and inserting it into the index.html file.
When I visit that page and click the button to authorize the app, it pops up with a new window and shows:
Error: invalid_client
no registered origin
The Request Details are:
openid_connect_request=true
cookie_policy_enforce=false
scope=https://www.googleapis.com/auth/drive.install https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/plus.me
response_type=token
access_type=online
redirect_uri=postmessage
proxy=oauth2relay865404532
origin=http://mywebsite.com
state=264939258|0.165356673
display=page
client_id=1077585001321.apps.googleusercontent.com
authuser=0
I can't see any other client_id that I should be using in the Cloud Console. Does anybody know how to overcome this error? Thanks for your help.
In the new Google API Console, configure your OAuth2.0 authorized origins from
Your Project > APIs & auth > Credentials
You might need to add a new Client ID specifically for a web application (I did because the default was for AppEngine)
Create Client ID > Web Application > Authorized Javascript origins
If you are running on a local dev server, just add the exact URL such as :
http://127.0.0.1:9000
UPDATE: I changed accepted answer to Johno Scott instead as he refers to the newer version of the console, whereas mine was only true for the older version.
I solved it. I needed to enter a WEB ORIGIN on the OAuth 2.0 Client ID screen. Specifically, it had to be the exact path/url of the index.html file, otherwise it defaults to the root domain which doesn't work.
This screenshot shows you exactly where it needs to be entered:

Windows Azure: AD app for external access throws error on token issue

I am trying to build an AzureAD access app. I have to enable this app for external tenants. I have enabled external access on this app and it is configured to use the Graph API also. I have tested the app in the tenant in which it was created and everything(auth+ graph api access) works. Now here is the flow for the external tenant
I take the external tenant user to the grant consent URL of my app, the user(who is an admin of the external tenant) grants the access and i get the correct response
Now i want to get the authorization token for this user, so i take the user through the normal Oauth process via
https://login.windows.net/common/oauth2/authorize
followed by
https://login.windows.net/common/oauth2/token/
At this point Azure throws the following error
{"error":"invalid_grant","error_description":"AADSTS50000: There was an error issuing a
token. AADSTS65005: No permission to access \u0027https://graph.windows.net\u0027
resource is configured for \u0027d2037ff7-24e4-4cac-8e5e-16e370b36238\u0027 application,
or it is expired or revoked.\r\nTrace ID: 472aa92f-35a2-4ed9-ab07-
12488cc9e6f5\r\nCorrelation ID: b163dde5-eac5-4c82-99ad-0e1100487cb9\r\nTimestamp: 2013-
09-23 05:28:41Z","error_codes":[50000,65005],"timestamp":"2013-09-23
05:28:41Z","trace_id":"472aa92f-35a2-4ed9-ab07-12488cc9e6f5","correlation_id":"b163dde5-
eac5-4c82-99ad-0e1100487cb9"}
Why this error even when the app has been granted access. I tried to lookup the STS errors
but found no explanation. Any ideas?
[update]
SAML process continues to work for the external tenant however i.e I can use the app for SAML(SSO) login for this external tenant. The problem only seems to be coming for getting access to the graph API.
Try adding &prompt=consent or &prompt=admin_consent to the full authorize URL to re-request the user consent. My experience has been that the consent will be randomly revoked (maybe a bug) and will not ever be automatically re-requested (definitely a bug).

Resources