I'm following this Quickstart guide: https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc to create an authorization flow in which my back end handles the login/signup before forwarding the session to an SPA.
I downloaded the sample application, created a new Auth0 application and filled in the auth0.properties file with the required values from my Auth0 application, and added the callback and logout URLs as instructed. The app runs, but upon filling out the signup form I get this error in the signup request:
{"name":"BadRequestError","code":"invalid_signup","description":"Invalid sign up","statusCode":400}
I checked the values being sent in the signup payload and they all conform to the values expected. This is about as "out of the box" as can be expected but it still doesn't work, and I'm unsure of how to proceed.
Related
I have a problem where the user still can call the API after logout the application by using POSTMAN. There is no problem with the browser side after logged out since I have removed the access token and clear the cookies. But the user still can call the API and get the results using POSTMAN, which means the back-end doesn't invalidate the OAuth token. This may cause security issues if anyone stole the access code.
I have think to apply validation before the API called. I will add a column in the database table which its' value is either login or logout to indicate the current user status. Then, I will fetch this value from database for every API called to do validation. If the value is logout, then the API will return some error message. Is it possible to do by using the spring security?
I'm trying to fit the Okta Asp.NET Core Mvc example (https://github.com/oktadeveloper/okta-aspnetcore-mvc-example) into my React Asp.Net Core app. (The reason I'm not using Okta's React example is that it uses Babel and my VS2017 React project uses Typescript.) The Mvc example runs fine against my Okta account, and my React app compiles and runs w the Okta SDK and other code copied from the Mvc example, but I can't get it to authenticate.
Okta returns an http 400: Identity Provider: unknown, Error Code: invalid request, Description: the 'redirect_uri' parameter must be an absolute Uri that is whitelisted in the client app settings.
All I've done is add [authorize] attribs to my controller and a button that requests account/login. Both actions return the same error. I do have the app Url in my Okta app settings.
This, most likely does not have anything to do with React/asp.net but the OIDC flow. If we strip down the SDK, your call to get the jwt token will look something like this: {{url}}/oauth2/v1/authorize?idp=0oae59ifqdtRaTT4G0h7&client_id={{client_id}}&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https://www.bing.com
note the redirect_uri above should be the listed in your application setting. To do that: go to Okta's admin dashboard > application >application > choose the application that you used the id of above, and add the above URL to "Login redirect URIs" in the general tab. If that is correct make sure there is no space in the above request.
Im having a problem to understand the OAuth flow with Spring.
I have a server running, which got protected endpoints to deliver metric data about the users, revenue usw.
These are used inside an admin panel written in Angular2. Currently the access_token for these endpoints is received by sending the ClientId/Secret and username password to my server.
But obviously its bad to store the Clientsecret on a javascript site.
So I need a way to retreive an access_token from javascript without exposing the client_secret.
I tried to implement the Spring OAuth2 implicit flow which somehow works, but only when I type it inside a browser so the /login page from spring shows up.
My Admin panel has its own Login page so this doesnt work out.
Does anyone have suggestions?
I've added the client id and secret to the yml configuration file, but it's not working. When I try to login with one of the providers, it redirects me to a blank page with the message 'cannot POST /signin/google', if I try to login with Google, for example. I generated a monolith application with JWT authentication and social login feature (I'm using Angular 2+).
Maybe you should check https://console.developers.google.com/apis/credentials and set properly your Authorised JavaScript origins and Authorised redirect URIs. First one should be set to just for example http://localhost and second one must contain several entries for example
http://localhost:8080
http://localhost:8080/signin
http://localhost:8080/signin/google
Normally ,the client redirect to Oauth server ,with client id
http://localhost:8181/sparklr2/oauth/authorize?response_type=code&client_id=tonr-with-redirect&state=xyz
the login page is displayed ,after proper credentials are received and authenticated ,confirmation is not call back done to client with authorization code
http://localhost:9090/tonr2/sparklr/redirect?code=gm4XN3&state=xyz
If the user is not registered and sign up need to be done ,then how to generate a authorization code after sign up with out login
I think this is a general question for Spring security, what you want is a login flow which supports signup and generates a complete authentication at the end of the signup flow.
So you will have to create a custom login form flow that offers signup and then completes the authentication at the end of the signup flow.
If you do this properly Spring oauth should take over and continue the redirect flow just as if you signed on the normal way.