I have a React app as frontend and django-rest-framework as backend. I installed django-rest-framework-simplejwt for authentication.
The login page works ok. I send a post with user and password. Django response 200 OK and put these cookies in the client side:
csrftoken ...
my-auth ...
my-refresh-token ...
sessionid ...
After the login page, there is another page with a form to send some data back to a django view that needs authentication. But this time It fails. The response says that no credentials were send.
I suppose I have to send some tokens, or information back to the django, inside the form. So that I don't have to send user and password again. But I don't know exactly what information and what format to use.
And after that, I need to know how to get in the client the session expiration event so that I can handle that and send the user to the login page again.
Thanks in advance
Related
If Keycloak's self-registration form is used, once submitted, it will send an email verification link to that newly registered user.
Once the user clicks the link, his email will be verified, and it will redirect him to the redirectUri from his client and provide the authorization code, which is perfect.
The problem arises when I don't want to use Keycloak's registration form, instead I have a custom registration mobile form, which sends the user data. Those data is then sent to the Keycloak by Admin REST create user API.
Once the user is created, by triggering /send-verify-email or /execute-actions-email APIs none of them are returning authorization code in the end. Yes, they do redirect to the redirectUri which you specified, but I need authorization code as well, in order to be logged in automatically upon clicking on the link.
Desired result:
User should be able to register and then he should be able to login thrugh a mobile app (event if the email address isn't verified), the app shows a warning that email isn't verified and some app functionality a disabled
What i have:
native mobile app that has user signup and signin functionality
api server consumed by the app
keycloack instance
signup functionality is done by api server, it is a keycloak confidencial client that can create users
signin is done by the mobile app directly with a post call to keycloak /token endpoind that returns access token
all good, now i have a token that can be consumed by my api server and i know that it is a registered user with unconfirmed email address
The problem is that user don't receive any Welcome/Confirm email, but: if user goes to keycloak LogIn webpage and try to login with newly created user then he receives an email from Keycloak, but for LogIn through api there are no emails. Is there any way so solve this? Am i doing something wrong?
The only way to request user to verify emails is by requesting "Verify Email" action, but if i do this then user can't login with unverified email anymore
Login is done with POST to /auth/realms/realm/protocol/openid-connect/token and with {grant_type: 'password', password: 'string', username: 'string'} body
Calling PUT /{realm}/users/{id}/send-verify-email seems to behaves the same like requesting Verify Email to /execute-actions-email
I know I'm a few years late for this answer, but for anyone who comes here in the future, the devs answered in this thread here
This is a limitation with the execute actions endpoint and it uses a
generic email. It's not a bug, rather a limitation
And that's it. They have a specific endpoint just to send an email of verification but it's only a wrapper to the endpoint execute-actions-email
I'm reading about refresh tokens: https://auth0.com/learn/refresh-tokens/. I'm building an Authentication Server (AS) myself.
To get a refresh token from a email/password authentication, the client app sends 4 pieces of information:
client id
client password
user email
user password
My question is: how does the AS pass the client id and password to the client app?
My first idea: is the password generated randomly beforehand and hard-coded in every client app? Why is the client id needed then?
My 2nd idea: the client app on first startup hits the AS to gets its client id/password, and uses this pair to get all future refresh tokens. But it isn't secure, as any hacker can hit this same endpoint.
Help appreciated.
I want to test an API which has the followoing instruction:
This API requires the caller to have an authenticated user web session.
When I login to the application and send a GET request in other tab it works. But I want to send a PUT request now so I cannot use browser. How can I have an authenticated user session while sending request through some other rest client. For eg: postman/ mozilla rest client.
I have tried logging into application through chrome and then using postman rest client. But it did not work. I have also tried Basic authentication providing application username and password.
So, given you mentioned you're using JWT, your API is most likely handing out this token upon logging in. At this moment your web client (javascript?) is probably storing it somewhere (cookie, local storage, session storage… – you can use your browser's dev tools to inspect). For all subsequent requests, this token is attached. If this token is getting persisted as a cookie, the browser itself takes care of attaching it to every request. If it is persisted somewhere else, your client has to "manually" attach this token to every request.
If you want to test your API call, first you need to login and get your hands on the token. Then, for all authenticated requests, you need to attach this token (probably as the Authorization HTTP header).
I have an API that requires google auth2 authentication, and this is how it works tell now.
the client access /login/google
the server redirect him to google authentication page
google send him back to server with a special code
the server use that code to fetch more data about the current user
from google
at the end the server save the user information to db and returns a
bearer token as a response to client
the only problem here is that the client is an angular2 app and I don't know how to get that bearer from server.
I think about adding a login button, that open a frame to /login/google and at the end of authenticarion workflow I have to get the bearer and close the frame.
but again I don't know if that's possible and if there is a better solution.
thanks in advance.