I have a dynamic website hosted on Heroku and I am using Azure AD for authentication using oAuth 2.0.
I am trying to do Dynamic Whole site delivery using CloudFront.
During authentication, during the step when Azure AD server sends me the authorization code, I am getting a set-cookie in response headers when I run the authentication on Heroku (when I access the website using the Heroku URL)
But when I try to access the website using the CloudFront URL, I'm not getting the set-cookie in response header during the step when Azure AD server sends me the authorization code, hence my authentication logic is breaking.
Why is it so?
Related
I have just developed a PERN stack SPA where the app and the server are both hosted on Heroku. The SPA uses Azure authentication (MSAL). Everything works well and user on authentication is redirected to our SPA hosted on Heroku.
Now the API which is built is still not secure. Anyone having the endpoints can access and manipulate data in our database. Can anyone guide with the current structure how can I authorize my server API's hosted on heroku with Azure AD credentials.
Example : https://my-first-app.herokuapp.com/getusers
The example API above can by used by anyone to get results, how can I prevent this and only allow users logged in to my SPA to use the API's only.
To protect your node API you can use:
express-jwt
passport
For the SPA keep using MSAL to get access tokens for your API/resource.
I am buiding an app using svelteKit and django rest framework. SvelteKit is responsible for rendering HTML page(SSR) and django rest framework is responsible for providing restful API.
Both App server and browser will fetch my restful API. I want protect my restful api by add Authorization. After reading some documents, I plan to use OAuth2(django-oauth2-tookit) and I draw the following chart:
My auth flow chart
But I was confused by following problems:
I can use Authorization Code grant flow auth APP server, but how about the browser?
Can I separate the auth server and restful server, If so, how auth server protect restful server?
I can use Authorization Code grant flow auth APP server, but how about
the browser?
In fact the authorization code based flow is the one that is suitable & meant for web client. While using this flow server will redirect the intermediate code (oauth code) to the redirect uri passed in the request so client can capture that code and make another request to exchange it with access_token.
Can I separate the auth server and restful server, If so, how auth
server protect restful server?
Blockquote
Yes, you can. The resource server should talk to auth server to get the authentication/token object verified.
I have an Angular App with a Spring Boot Backend. I use "azure-active-directory-spring-boot-starter" for the authentication via Azure AD. Everything works fine locally.
After the successful external (azure) login "https://local.../login/oauth2/code/azure?code=..." is called.
The request headers on this request contain authorization cookies from azure and the response header contains two "set-cookie"-entries: JSESSIONID, XSRF-TOKEN
After that request the user is logged in as expected.
With the production setup however it seems, that cookies are not set successfully.
The application runs on a Tomcat 9 behind a apache reverse proxy. The azure login itself is successful.
Also the request headers contain the two cookies, however "set-cookie" is not set. Any ideas how to solve this?
I am working through a process of validating the JWT after OKTA Login. I have a SPA Sample SPA Site that handles user login and calling an API.
SPA SITE
User Logins into OKTA
Obtains a JWT
Passes JWT to a .NET Web API (hosted on my own server not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need verify the JWT through an Authorization Server. I setup the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format of xxxx.okta.com/AS/{key}
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used well-known endpoint:
GET /.well-known/openid-configuration to get "jwks_uri", I used this url to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation is out of date. They have no ETA to any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well already then, time to look at Azure.
I have an issue with a web api returning HTTP 401 – Unauthorized when I use a Bearer Token to access it from a xamarin client. Either the iOS or UWP fail.
-This is an application that authenticates with Azure Active Directory to allow a user to login
-Once successfully logged in it gets a token that in turn is added to the web api request header
-The web api has its authentication turn on
The issue with azure settings
https://1drv.ms/v/s!ApPhjsvemKJggpR2ax5w4wRJcY7uXQ
the code
https://github.com/wleon12/XamarinForms-AAD-WebAPI.git
I cant seem to figure out what is wrong, appreciate any input or guidance
It depends how you protect the web API.
Normally, when we protect the web API using Azure AD, we will provide the the Audience and Tenant like this code sample. So that when we send the request with the token, the web API will verify the signature of the token and the value we config.
So for the 401 issue, please check the token you acquired with the value you config for the web API project. To check the Audience, Tenant and other values in the token, you can decode it from this site.