I'm attempting to understand how spring boot uses http sessions to manage the oauth authorization code flow.
I understand that after the user submits their credentials via the /login form spring will persist the authentication object so it can be retrieved when the browser is redirected to retrieve the authorization code.
What I dont understand is if the browser needs to sends jsession cookie to the server or http basic authentication header when invoking this flow.
For example if I wanted to initiate the flow manually via curl do I need to specify any special headers ?
It doesn't use HTTP sessions to persist it, the client ID and authorisation code (the code that's passed back to the client app after the user authenticates) is used to identify the authentication object. The authorisation code is then used to obtain the access token.
So:
The client app redirects to the auth server, passing in their client ID.
The user authenticates with their username and password on the auth server , which stores the authentication against the code and client ID and passed the authorisation code back to the calling app as a request param on the redirect URL.
The client app calls back to the auth server, authenticating with it's client ID and secret and passing in the authorisation code. This is then swapped for the access (and possible refresh) token.
If the app needs the user details, the client app calls the user details endpoint authenticating with the access token it now has.
Related
According to the CAS Webflow (https://apereo.github.io/cas/5.0.x/images/cas_flow_diagram.png):
After successful authentication the CAS server sends a redirect to the browser that contains a Cookie and a URL (Location-Header). This URL appears to be the originally requested protected URL with the addition of a ticket Parameter (containing the Service Ticket). Is it a violation of the CAS protocol if the CAS server adds more parameters to this URL?
In my actual case the user selects a language from a dropdown, when authenticating at the CAS server. This lang-Parameter is then submitted along with username and password and the CAS server simply appends it to the URL he sends in the redirect as something like "&lang=fr-FR".
The Apereo Java client runs into a validation failure because of that parameter. This is because the Service URL to validate the Service Ticket for contains this lang parameter. The CAS server then does not validate the Service Ticket, because it was issued for a different URL (without lang parameter).
So my question is: does this particular CAS Server violate the CAS protocol?
Or would the Apereo CAS client be expected to deal with this by stripping off all unknown request parameters when constructing the Service URL for validation?
So my question is: does this particular CAS Server violate the CAS protocol?
Yes.
From the CAS Protocol, service for the login endpoint is:
service [OPTIONAL] - the URL of the application the client is trying to access.
From the CAS Protocol, service for the validation endpoint is:
service [REQUIRED] - the identifier of the service for which the ticket was issued
Also specified under error codes,
INVALID_SERVICE - the ticket provided was valid, but the service specified did not match the service associated with the ticket. CAS MUST invalidate the ticket and disallow future validation of that same ticket.
I am looking for the component that interacts with the email client and passes credential for further authentication within Dovecot.
I am also looking for the component that passes from the mail process to the email client.
We have configured the ELB with 2 server for the Web API. Updated the MachineKey in both the server to be same.
When the Reset Token password/Confirm password is created from server1. The Url is sent to the User Email when the Verify token call is Made the Server1 Verify the token successfuly, But if call is sent to the Server 2, Server 2 always returns Invalid Token. Do i need to make any configuration chanages other than the Machine Key.
You need to make sure that the all the request belongs to one session goes to the single backend.
In order to do this enable session stickiness on the ELB. This will make sure that request always gets routed to the same backend.
On Classic Load balancer : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html
On Application Load Balancer : https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#sticky-sessions
I am building a "proxy client" extension for chrome and i have following scenario:
Users can login to the extension and get a token from API. Tokens are valid for 2 hours.
After login users can select a proxy server from a list and that proxy is set with chrome.proxy api.
I am using Squid on proxy servers. When a user connects to a proxy server and lands on onAuthRequired i return email and token as authCredentials.
Chrome uses those credentials from cache until token is not valid anymore and proxy server responses "407, Proxy Authentication Required". Now the problem i am facing here is when i login with another username on same browser and connect to same proxy server it still sends old users credentials to the server because they are still valid. My question is how can delete chromes proxy auth cache so that it lands onAuthRequired again and i can return new users Credentials.
I tried to modify the response from proxy server to "407, Proxy Authentication Required" when user makes his first request over the proxy server to force a onAuthRequired but its not working. Chrome still uses cache and still returns credentials from old user to the proxy server.
Have you tried to hook up another event handler within the webRequest API in order to manipulate the http headers before Chrome takes on authentication?
E.g. onBeforeSendHeaders or onHeadersReceived
I'd like to use realtime API with server side OAuth2 authentication flow. This would improve the user experience as it forces the user to grant access only once.
Is there a way to "inject" the server side token into the realtime API on the client side?
What Drive API uses to authorize user is access_token. After all OAuth process, you will save credentials which will provide you access_token on server side. You can pass this access_token from server side to client side and use it in javascript client. However, you should make sure that access_token is sent securely to client side, over SSL, or otherwise, it will make serious security issue.