I'm trying to implement google OAuth into an iframe, but i saw that it has blocked due to security issues.
Is there any workaround/customization that can be done to make it work.
Note: I have used keycloak google auth as well.
So it would be great if it can be made possible from keycloak.
You can not. You need to use a pop-up window.
accounts.google.com sets X-Frame-Options to deny
Related
I have a website that uses the Facebook Login feature successfully and it still works as we speak. But I want to use the same facebook app on another website using the same keys etc...
But for some reason, even though I have added the correct URI's into the OAuth part of the Facebook page, I still get:
URL blocked: This redirect failed because the redirect URI is not
white-listed in the app's client OAuth settings. Make sure that the
client and web OAuth logins are on and add all your app domains as
valid OAuth redirect URIs.
Does anyone have any ideas on where I can start to find out why Facebook isn't accepting these new urls?
Okay, it seems to be working now - perhaps was a timing issue which was wierd because it updated straight away on previous sites.
Thanks again for the help though WizKid!
A web application I'm currently developing needs users to be able to sign in via Facebook OAauth. However the problem is, all these users are behind a firewall that blocks access to facebook.com (company policy). We've looked into several solutions to get around this, like;
Putting a (squid) proxy between Facebook and the users. This could solve the problem since squid supports fine grained regex-based ACLs. However, most of the Facebooks OAuth strategy runs on www.facebook.com and inspecting PATH_INFO to whitelist specific paths is not possible if the users use HTTPS (which is mandatory).
Adding a proxy-like site in the DMZ of the firewall, which just passes and alters the urls/Facebook request. This obviously isn't the way to go either since it would basically mean users leave their credentials at our server, which is against Facebooks terms.
Loosen up the firewall a bit to just enabling IP addresses needed for OAuth authentication, but as far as we could find out there isn't a dedicated IP or subdomain just for authentication (it would be nice if graph.facebook.com would provide something like this).
Any ideas for alternate solutions? Is this even possible at all?
No, because the OAuth Login process for the API works by sending the user to a HTTPS URL on facebook.com you won't be able to easily distinguish between the traffic needed to setup the login to your app and other traffic to Facebook.com
You'll have the same problem trying to verify a Facebook user by use of a social plugin like the Like Button - you can't easily separate the traffic for the plugin and other traffic to facebook.com
A web application I'm currently developing needs users to be able to sign in via Facebook OAauth. However the problem is, all these users are behind a firewall that blocks access to facebook.com (company policy). We've looked into several solutions to get around this, like;
Putting a (squid) proxy between Facebook and the users. This could solve the problem since squid supports fine grained regex-based ACLs. However, most of the Facebooks OAuth strategy runs on www.facebook.com and inspecting PATH_INFO to whitelist specific paths is not possible if the users use HTTPS (which is mandatory).
Adding a proxy-like site in the DMZ of the firewall, which just passes and alters the urls/Facebook request. This obviously isn't the way to go either since it would basically mean users leave their credentials at our server, which is against Facebooks terms.
Loosen up the firewall a bit to just enabling IP addresses needed for OAuth authentication, but as far as we could find out there isn't a dedicated IP or subdomain just for authentication (it would be nice if graph.facebook.com would provide something like this).
Any ideas for alternate solutions? Is this even possible at all?
No, because the OAuth Login process for the API works by sending the user to a HTTPS URL on facebook.com you won't be able to easily distinguish between the traffic needed to setup the login to your app and other traffic to Facebook.com
You'll have the same problem trying to verify a Facebook user by use of a social plugin like the Like Button - you can't easily separate the traffic for the plugin and other traffic to facebook.com
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.
I am working on a site that uses Facebook Connect for user login/creation. I have a development server which is used for QA, and I'd like it to be password protected. We wanted to use HTTP basic authentication, but that seems to break Facebook Connect (it falls in a loop). Does anybody know why that may be happening?
I believe that basic authentication is done on a browser basis, and all the communication between Facebook and our site is done in the browser of the user. What could be the problem?
Facebook Connect uses iFrame inside iFrame hack to overcome cross domain boundaries limitation (see http://wiki.developers.facebook.com/index.php/Cross_Domain_Communication for details). My guess is that when Facebook redirects to the callback page (xd_receiver.htm) it fails because later requires basic authentication.
More information needed on the "falls in a loop". But based on your question, from what I've read is that facebook connect will create a random password on account creation, and if they are logging in over basic auth, it will need to be changed to match up(http://www.boonex.com/unity/forums/topic/facebook-connect-error-.htm)
But you don't specify if that's the way you are using FBconnect.
Are you requiring basic auth to get to the point of FBconnect account link/create?
Or are you using FBconnect to create the login for the basic auth?
How are you requiring basic auth? Server type?
Does everything work without requiring basic auth?