We're using AppAuth for a macOS application to authenticate Google accounts. This has been working for years, except recently Chrome has started to block all http connections by default. The loopback server in AppAuth is hard-coded to work with http connections only. The following issue also seems to have gone unanswered: https://github.com/openid/AppAuth-iOS/issues/624
What other options do we have for using a https loopback server on macOS for OAuth2 authentication? We need the loopback server to be able to extract parameters Google sends back after authentication. Asking users to switch from Chrome is not desirable.
Interesting - with loopback desktop logins there are two URLs involved:
The URL in the desktop app, which is meant to be HTTP according to OAuth standards, since it runs on end user PCs. Using HTTPS would require the entire user base to host SSL certificates, which is highly impractical. Typically a loopback URL is a value such as http://localhost:8000, where the port number is often calculated at runtime.
The URL used to invoke the system browser is a value such as https://myauthserver/authorize?client_id=xxx&redirect_uri=http://localhost:8000..., and this should be HTTPS of course.
PROBLEM DIAGNOSIS
I'd be very surprised if Google have blocked this if you are using standard desktop logins, since it has been referenced on their Native Apps Page for years.
Are you sure something else is not the cause? One possibility might be lack of a user gesture in the system browser. Is the problem consistent and are there any differences in these cases:
Make Safari Browser the default before login
Make Chrome Browser the default before login
Make Chrome Browser the default before login and clear browser cache
Let me know and I may be able to suggest some next steps ...
There are several articles on NiFi secure cluster setup and ldap integration.
After following Pierre Villard's Integration of NiFi with ldap and Bryan Bende's Authorization and Multitenancy I'm able to run a secure nifi cluster which works seemlessly from firefox browser.
But, when I access the same url from chrome, i get the following error:
Attackers might be trying to steal your information from xyz.abcd.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_REVOKED
I haven't generated any user certificates because LDAP login is expected which actually works fine with firefox. Is there anything extra that needs to be done for chrome which firefox actually doesn't require? The issue has been same from all the users who are using chrome to authenticate into my cluster.
I believe Chrome after version 56 enforces stronger certificate validation. In addition, Chrome uses the OS keychain, while Firefox provides its own. So you may have marked the generated server certificate as trusted within Firefox but this would not translate to Chrome. Is there a text link below that message to go into "Advanced Settings" or similar?
Depending on how you generated this certificate, check that it has not expired, it was not actually revoked by the issuing CA, etc.
I have an Intranet Web Application which uses Windows Authentication. All windows/PC users can login in fine.
There happen to be 2 Mac Users that use Safari as their default browser and prefer it over chrome for Mac.
When trying to access the Intranet Web Application on the network, nothing happens. But when trying to access the Intranet Web Application from another network or source of internet outside the network, the user is able to login.
Is there something I have missed? Any thoughts on this please.
Converting them to Chrome is the last option in this option.
Thanks in advance
If anyone stumbles across this, the answer was simple. In IIS under the Authentication. Setting the providers. I removed Negotiate and kept NTLM. Apple seems to accept this security method.
I have setup a secure(Kerberos) Oozie environment in CentOS 6.3 using CDH 4.1.2. I am able to view the Oozie web console from CentOS machine which is hosted in server. But is there a way to view the webconsole from my local Windows machine.
I have tried creating a HTTP principal with my windows machine as hostname. I am able to get a valid ticket for HTTP principal. But when I open the Oozie Web Console, I get the following error
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Am I missing something. Help me guys.
Thanks,
Vishnu Ganth
This error occurs because your browser sends request for NTLM authentication instead of kerberos.
In internet explorer follow below steps,
go to Internet Options
In security tab, select Local intranet.
Click Custom Level in the below, Make sure Automatic logon only in intranet zone under the User Authentication section.
In the Internet Options, select Advanced tab and make sure enable Integrated Windows Authentication selected under security section.
Once the above steps done, it will work on both internet explorer and google chrome.
If you are accesing it from the Cross realm, your widows-based clients should know the KDC location to create proper SPNEGO token. You need either create a separate policy in your AD for that type of users or you can manually from command line add mappings in client machine's registeries so that they would know about your Hadoop realm KDC:
ksetup /addkdc HADOOP.DOMAIN.COM hadoop.nodewithkdc.com
ksetup /addhosttorealmmap hadoop.nodewithkdc.com HADOOP.DOMAIN.COM
I heard that on Windows you can login from a web browser to the web server without going through the usual login entering username and password but using instead the credentials from Windows directly, using the NTLM protocol.
How is this achieved? Does the web server need to support some additional authentication?
Update: I'm asking for a generic web server, not just IIS. How to do that on Apache for instance?
The webserver just needs to be configured to support Windows authentication (which will be NTLM, or - better - Kerberos if both client and server are W2K or later). I believe that IIS or Apache can be configured to do that.
The browser also has to support this - at least IE does so (not sure about the others, it may be possible). edit: looks like firefox has some support for this too, and safari on MacOS
edit: for details on apache, google modules for NTLM authentication. Kerberos modules also exist. as per other answers, this really only works on an Intranet - not just because the browser needs to be in an Intranet zone (only applies to IE), but because any intervening firewall will typically stop this working, and because the necessary interdomain trusts will probably not exist. It's also a bit trickier to make work if the apache server is on UNIX, and especially if you also have Kerberos servers on UNIX in the mix, but still possible.
It will only be seamless in a specific situation; namely the webserver needs to support NTLM (for example, IIS), and it needs to be in a zone that the client is configured to trust (The "Intranet Zone" in IE parlance, unless the end user has tweaked their settings)
If your webserver and client pc's are on a network secured by Active Directory or similar, you can set 'Windows Integrated Security' in IIS on the web server for the website which automatically logs in all I.E clients (That are allowed).
As stated previously, NTLM is typically used if your back end is Windows Managed (MS Active Directory). However, there are also modules available for Apache that will tie into this: mod_ntlm.
Since this is it's own protocol, it is required that the browser is able to understand this protocol and reply to the authentication challenges. I don't know which browsers support this off hand, but my assumption would be that most do.
From my experience, kerberos is more of a prefered method, but I have not worked with it much, so unfortunately, I don't have much advise as far as that goes.
On a side note, I recall reading somewhere that the JRE also has ways of tying into NTLM on your web server in order to obtain identity information for the authenticated user. As stated previously, .NET has support for this as well.
Also, Firefox does not support NTLM by default but it can be configured using the following tut: http://www.crossedconnections.org/w/?p=89
If you set the IIS settings to require authentication then your users will need to log in to access the page. They then have any rights (if not an interface) to anything on that server that they would if they logged in the normal way (from the console).
Other than this, I am not sure what you are referring to.
Yes this is possible. It is often used in intranet applications where users are. windows uses NTLM or Kerberos to authorize the user against a central service, typically Active Directory on the windows platform. On the .NET platform the current user information can be accessed through the System.Threading.Thread.CurrentPrincipal.Identity instance.
You might also want to look into Jespa. It seems a little bit more straight forward than Kerberos but provides good ntlm sso capabilities.
I was looking for more information about Kerberos (because NTLM, even v2, become deprecated with AD 2008), and I found this article, explaining how make it work with Apache (as you mentionned it).
http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
This question is probably outdated (or at least solved), but if it can help someone ...