We have a spa (Angular 2) that we are trying to integrate with okta. I created an app in okta with SWA sign on method. I click on the app and it redirects me to my spa app as expected.
However, I do not see and information being passed on the redirect. How do I validate that the login was successful? Is there some token info that I can validate? Something else?
Thanks!
The SWA sign on method depends on the Okta plugin - do you have it installed? If so, when you hit your login page (and the origin matches the url you've configured in the app), the plugin will try to inject the creds into the login form. It uses a heuristic to figure out which fields to inject into, so ideally your login page will look like a standard login form (i.e. text field for username, password field for password, and a login button).
There are other template apps you can use if you don't want to depend on the plugin being installed (not sure about your setup) - for example, "Template App" will post the credentials to an endpoint (although this is usually not an option since most apps will want to add an XSRF token to their login forms).
Related
I want to implement oAuth2 flow in my Slack app, but it's impossible to test properly.
I have added /slack/redirect-url as a redirect URL on my App management page. Then try to install\reinstall the app on the following page:
Unfortunately, it doesn't work, my endpoint isn't called.
However, if I go to the "Distribution" section and try to install the app from there it does call my redirect URL:
So, what's the issue? Why the first approach doesn't call my redirect URL, but the second one does? Am I missing something fundamental?
The "Reinstall App" button will handle the entire exchange of verifying and granting the OAuth token within Slack, so there is no need for the redirect.
The redirect URL is intended for users who are authenticating with your service, and thus you need to store the token.
User clicks the install button
User authorizes through Slack UI
Slack redirects to your desired URL
You grab the code included in the redirect call
You exchange the code for the OAuth token
You store the OAuth token
When you use the "Reinstall App" button in your app management view, steps 3-6 are handled entirely by Slack and the token is displayed to you.
To properly test the redirect URL, you can go through the OAuth flow manually. Given that they're simply GET requests, you can just modify the links and paste directly into your browser.
Step 1: Authorize the app – this will send you to Slack for authorization, and then your redirect
https://slack.com/oauth/authorize?client_id=CLIENT_ID&scope=SCOPES&redirect_uri=REDIRECT_URI
Step 2: Exchange the verification code for OAuth token
https://slack.com/api/oauth.access?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=REDIRECT_URI&code=CODE
I'm trying to fit the Okta Asp.NET Core Mvc example (https://github.com/oktadeveloper/okta-aspnetcore-mvc-example) into my React Asp.Net Core app. (The reason I'm not using Okta's React example is that it uses Babel and my VS2017 React project uses Typescript.) The Mvc example runs fine against my Okta account, and my React app compiles and runs w the Okta SDK and other code copied from the Mvc example, but I can't get it to authenticate.
Okta returns an http 400: Identity Provider: unknown, Error Code: invalid request, Description: the 'redirect_uri' parameter must be an absolute Uri that is whitelisted in the client app settings.
All I've done is add [authorize] attribs to my controller and a button that requests account/login. Both actions return the same error. I do have the app Url in my Okta app settings.
This, most likely does not have anything to do with React/asp.net but the OIDC flow. If we strip down the SDK, your call to get the jwt token will look something like this: {{url}}/oauth2/v1/authorize?idp=0oae59ifqdtRaTT4G0h7&client_id={{client_id}}&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https://www.bing.com
note the redirect_uri above should be the listed in your application setting. To do that: go to Okta's admin dashboard > application >application > choose the application that you used the id of above, and add the above URL to "Login redirect URIs" in the general tab. If that is correct make sure there is no space in the above request.
It's so strange that this simple solution is not yet implemented or is it that I can't Google it ;p) (I'm trying from last 5 days).
My requirements:
Call from Angular App (withCredentials = true) on a URL to see if it is windows user (challenge NTLM). (I may configure this based on what URL user accessing it). If it's a valid Windows user and I find them in DB, I return the Bearer Token.
If Above call returns Unauthorised (401), I show login form to user in my AngularJS (1.6) client. User provides non-windows username and password and when user click Login, from angular service go to another URL (for getting Bearer Token - standard OWIN stuff).
** In any case above, I store Bearer Token in my client for any further API interaction.
I'm not using ASP.NET identity but I have my own DAL to verify user from DB.
I'm going to have my own custom Authorise (inherited) attribute (which will check for Bearer Token only).
I don't want users to enter Windows login on my form and to authenticate them from Active Directory.
I Don't want windows users to click on any separate button to login. (They should just login seamless - with prompt from browser asking them windows login)
I've seen hundreds of posts but nowhere I could see exactly what need. Either the mixed authentication needs to be Cookie based or separate MVC implementation. (Lot's of confusion)
Already referred:
https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
https://github.com/MohammadYounes/OWIN-MixedAuth
Don't know if this may help: (but again with cookie) https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm
Can someone please help?
I may have to give up on this by tomorrow evening :-(
I have the following setup:
1) WebAPI that accepts JWT Bearer tokens for auth.
2) Portal (WebApp) that puts a nice face on the json output from this WebAPI. It does OpenIdConnect authentication and uses Cookies to persist login information. It is an ASP.NET Core MVC app.
3) The WebAPI and WebApp are on different domains.
4) The WebAPI layer is designed to be called by any 3rd party who can present a valid token - either via App auth (client_credential flow, for eg) OR Delegated User auth (implicit flow, for eg). The WebAPI also does RBAC auth.
At this point, the problem I have is this:
1) I want to be able to make AJAX calls from the WebApp controller pages (cshtml) to my WebAPI so that the pages are responsive and there are no POSTs. So I integrated ADAL.JS into the page for that purpose. It works from a functionality pov.
2) HOWEVER, this results in multiple authentication dialogs (web page popups).
-- 1st auth popup. Upon navigation to the Portal homepage, I get challenged and have to enter my credentials on my company login page (federated AD auth).
-- 2nd auth popup. Then when I invoke anything on the Portal pages that involves ADAL.JS (namely the AJAX calls), it causes another login dialog because ADAL.JS cannot see the login cookie from ADAL.NET layer. This dialog comes up and goes away without any input needed tho (because the cookies from (1) are sent along to the server automatically by the browser). At this point, I have the ID_TOKEN and an ACCESSTOKEN for the PortalApp's client_id show up in the ADAL localStorage area.
-- 3rd auth popup. Then another dialog pops up; it uses a Hello pin login (I assume this is due to 2-factor auth requirement enforced by my tenant). At this point, I see the ACCESS TOKEN for the WebAPIApp's client_id show up in the ADAL LocalStorage area.
And now my AJAX calls start working.
Is there a better way to do this so that I can get the benefits of AJAX and not have to resort to serverside POSTs and have only 1 auth dialog instead of 3?
(I thought of may be switching ALL authentication to be done by ADAL.JS for the entire site, but I like the paradigm of using the [Authorize] flags and RBAC for the Controllers. OR is there a way to make my WebAPI accept both JWT and Cookie authentication?
Thanks!
I've added the client id and secret to the yml configuration file, but it's not working. When I try to login with one of the providers, it redirects me to a blank page with the message 'cannot POST /signin/google', if I try to login with Google, for example. I generated a monolith application with JWT authentication and social login feature (I'm using Angular 2+).
Maybe you should check https://console.developers.google.com/apis/credentials and set properly your Authorised JavaScript origins and Authorised redirect URIs. First one should be set to just for example http://localhost and second one must contain several entries for example
http://localhost:8080
http://localhost:8080/signin
http://localhost:8080/signin/google