I am trying to use Keycloak admin REST API to recreate an access token when I have a valid refresh token.
I have accomplished that, by invoking with POST /auth/realms/{realm}/protocol/openid-connect/token.
The problem is that the endpoint also returns a new refresh token each time. Is this the way a JWT authorisation flow should work?
I think the correct flow would be to only get a new access token when the auth endpoint is invoked, and when the refresh token expires, to sign in again to acquire a new refresh token; Not to get a new refresh token each time we query for a new access token.
I have also read this stack overflow post. Am I missing something here?
You may find a pic with the request below:
Using one-time refresh token is a modern best practice, because that allows the authorization server to kick out the user if the same refresh token is used twice.
How can that happen? well for example if the refresh token is stolen, then the hacker and your application will both try to use it! Otherwise it is a bit harder to detect hackers in the system
First of all you mix up two things.
Open ID Connect Authentication with JWT and Oauth authorization tokens and refresh tokens.
This are two different objects.
You will get a new OAuth refresh token each time you obtain an access token. This is the way OAuth grants you a "endless session" but with the option to deny a new access token at any try of exchange.
Also see from RFC https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
Figure 2: Refreshing an Expired Access Token
Related
I am looking for the powershell scripts/commands to get the details of below points
| Key | OutPut |
| ------------------------------ | ---------------- |
| Seurity [FIPS Alogithm Policy] | Enabled/Disabled |
| Is Client SSL 2.0 Enabled? | Enabled/Disabled |
| Is Server SSL 2.0 Enabled? | Enabled/Disabled |
| Is Client SSL 3.0 Enabled? | Enabled/Disabled |
| Is Server SSL 3.0 Enabled? | Enabled/Disabled |
| Is Client TLS 1.1 Enabled? | Enabled/Disabled |
| Is Server TLS 1.1 Enabled? | Enabled/Disabled |
| Is Client TLS 1.2 Enabled? | Enabled/Disabled |
| Is Server TLS 1.2 Enabled? | Enabled/Disabled |
I have tried the below code but getting different different errors.
$Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$Socket.Connect($ComputerName, $Port)
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
I have Sql Server 2014 installed with the latest updates.
I am looking for the Correct Powershell scripts to get the details for the FIPS Algorithm status and the status of protocol (SSL and TLS) for client/server.
I tried the above code but its not working.
Is it possible to manually map all users when switching the Azure Active Directory connection for Azure DevOps?
The directory that we're switching to has guest accounts for the source UPN set up for 95% of the users in ADO, so they're automatically mapped. Rather than that happening, we'd like to map each source user to their new UPN in the destination domain.
What's happening
| Source UPN | Source Type | | Destination UPN | Destination Type |
| ---------- | ----------- | ---- | --------------- | ---------------- |
| user#a.com | Member | \ | user#b.com | Member |
| | | -> | user#a.com | Guest |
What we want to happen
| Source UPN | Source Type | | Destination UPN | Destination Type |
| ---------- | ----------- | ---- | --------------- | ---------------- |
| user#a.com | Member | ---> | user#b.com | Member |
| | | | user#a.com | Guest |
Is it possible to manually map all users when switching the Azure Active Directory connection for Azure DevOps?
I am afraid there is no such way to manually map all users when switching the AAD connection for Azure DevOps. Automatically map behavior is by designed, in order to provide us with convenience when switching AAD.
If we want to manually map the users, we need to delete those users from target AAD before switching AAD. In this case, when we switch AAD, Azure Devops says "X member(s) of the xxx organization can't sign in because they're not in the XX AAD. Delete any unwanted users in Organization settings, and then Resolve for remaining members.". Hit the resolve button a page shows up with the Users, then we can match them manually.
I've created a .net application with Azure AD B2B and it works fine, but whenever i try to login it redirect to Microsoft page there it ask for credentials then it come back to my application.
Redirects create user confusion. I want to create the full user experience without the customer leaving our Application. We want to take advantage of secure technologies though.
Is there any way to consume a Azure AD services which help us to login AzureAD without redirecting to Microsoft page?
Please advice!
This is impossible.
This is for the security consideration. The web app which protected by Azure Active Directory requires to login the users via the page proved by Microsoft. This is how OAuth 2.0 Authorization Framework work. You can refer the flow from below. The Authorization Server stands the server provided by Microsoft.
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
If the web app provided the login-page to input the Azure AD account, the site looks like a phishing site which will not be trusted by users.
Is it possible to run and access a mesos master on a machine that is placed behind a proxy?
I have successfully succeeded to deployed a MesosMaster/Marathon/MesosSalve on my local infrastructure.
The problem arises when I want to put the MesosSlave somewhere in the internet, so that MesosSlave and MesosMaster shall communicate through public IPs
My conf is the following:
Internet My Infra
.----------------------. .-----------------. .-----------------. .-------------------------------------------------.
| Mesos Slave VM | | Front Machine | | Proxy | | Tool-VM |
| 178.22.17.248 | | 39.224.147.94 | | 10.2.0.57 | | 10.1.10.176 |
|----------------------| | my.domain.com | |-----------------| | 192.168.5.1 (docker bridge) |
| | |-----------------| | | |-------------------------------------------------|
| | | | | | | |
| __________ | | __________ | | __________ | | .-----------------------------. |
| [_...__..5051.°]| |[_..5050.__...°] |<---|[_..5050.__...°] |<------------^| | Mesos-Master Container | |
| | | | | | \ __________ | 192.168.5.4 (docker bridge) | |
| | | __________ | | __________ | |[_..5050.__...°]^|-----------------------------| |
| | |[_..2181.__...°] |<---|[_..2181.__...°] |<------------^| \ __________ | |
| | | | | | \ __________ |[_..5050.__...°] | |
| | | | | | |[_..2181.__...°]^| __________ | |
| | | | | | | \[_..2181.__...°] | |
| | | | | | | '-----------------------------' |
'----------------------' '-----------------' '-----------------' '-------------------------------------------------'
However:
My domain infra redirect everthing that arrives from outside on ports 5050 (for Mesos) and port 2181 (zookeeper) ONLY for requests that are addressed to the domain 'my.domain.com' (which is a virtualhost of 39.224.147.94). But not for the other requests (that are arriving on 39.224.147.94).
So I try to execute the service through CLI for the moment:
Execute Mesos Master(in Mesos Master Container)
/usr/sbin/mesos-master --ip=192.168.5.4 --work_dir=~/Mesos/mesos-0.23.0/workdir/ --zk=zk://192.168.5.4:2181/mesos --quorum=1 --log_dir=/var/log/mesos --external_log_file=/dev/stdout
Execute Marathon (in Mesos Master Container)
/usr/bin/marathon --zk zk://192.168.5.4:2181/marathon --master zk://my.domain.com:2181/mesos
Execute Mesos Slave (in Mesos Slave VM)
/usr/sbin/mesos-slave --master=my.domain.com:5050 --work_dir=/var/lib/mesos/agent --port=8009 --containerizers=docker --executor_registration_timeout=3mins --log_dir=/var/log/mesos
The Mesos Master can see the Slave resources.
However, when I send a Job through Marathon, this job stay in a waiting state.
It seems that the slave is not able to communicate on the hostname of the Master, but only using it's public IP:
I have this in the Slave logs:
New master detected at master#39.224.147.94:5050
However incoming traffic on 39.224.147.94:5050 is blocked by my infra (only my.domain.com:5050 is accepted)
So, is it possible to create a connection between Master and Slaves, using domain names, but not IPs?
It's a bit confusing to bee honest. What I don't understand is that you seem to use the 192.168.5.4 ip for the Master process, but it's nowhere to be found in your diagram. I'd expect to use 39.224.147.94 instead.
Furthermore, I'd recommend to use the ip addresses instead of hostname in all connection strings, you're using a mixture...
Additionally, you can try to set the LIBPROCESS_IP environment variable to the respective ip addresses for the agent and Marathon processes.
Another question would be why you use such an old version of Mesos... Mesos 1.1.0 is out already!
I'm using Eclipse Luna on multiple monitors setup as one single desktop. I resize the Eclipse window to fill the primary monitor (in the center, secondary on the right). When I type Ctrl-E to get the "Quick Switch Editor", the dialog spans over the gap between the monitors and shows up on both (1/2 on each monitor). That is really annoying, but I can't see how to move the dialog position.
How can the dialog position be changed? I don't see any handles on the dialog.
A screenshot doesn't really show the problem, it looks OK there. However, some ascii art may help to show what is really happening:
+-----------------------------+ +-----------------------------+
| +-------------------------+ | | |
| | +---| | |--+ |
| | | | | | | <- popup dialog spans |
| | +---| | |--+ both monitors |
| | | | | |
| | | | | |
| | Eclipse window | | | |
| +-------------------------+ | | |
| Primary monitor | | Secondary monitor |
+-----------------------------+ +-----------------------------+
This is on Red Hat Enterprise Linux 5, with Nvidia "TwinView".
The Quick Switch Editor popup (invoked with Ctrl+E) isn't movable or resizable. What you're seeing doesn't happen on Windows, so it's likely a platform-specific bug.
As an alternative, you can use the Swtich to Editor dialog (invoked with Ctrl+Shift+E).