Am using SAML2.0 AUTH with help of ITfoxtec.Identity.Saml2.Mvc package but I need to increase the session timeout to a 2 to 3 days . But currently default value there . How We can override the session time out . With .net core 3.1
You can set a custom session timeout in the AssertionConsumerService method in the Auth Controller. Se documentation.
Set session timeout to 2 days:
await saml2AuthnResponse.CreateSession(HttpContext,
lifetime: new TimeSpan(2, 0,0,0),
claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
It is also possible to configure the session as persistence:
await saml2AuthnResponse.CreateSession(HttpContext,
lifetime: new TimeSpan(2, 0,0,0), isPersistent: true,
claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
Related
Migrating from Wildfly 18 + Keycloack adapter, to Wildfly 26 w/ build-in OIC support.
Previously, to allow Sign-Out (I mean really Signing out from Keycloack, not just invalidating the session) I fetched the token from the session attributes and added to the logout URL (see below. That was tied to wildfly server, but it worked).
How do I get the OIC token in Wildfly 26 ?
org.keycloak.KeycloakSecurityContext securityContext = (org.keycloak.KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
String token = securityContext.getIdTokenString();
Got it,
use org.wildfly.security.http.oidc.OidcSecurityContext
instead of wildfly-elytron-http-oidc-1.19.0.Final.jar
I found in the documentation steps to set the timeout value.
const instance = axios.create({
baseURL: 'https://some-domain.com/api/',
timeout: 1000,
headers: {'X-Custom-Header': 'foobar'}
});
But I could not find the default value in the official axios documentation - https://github.com/axios/axios
What is the default timeout?
Also, Underneath AXIOS uses http server/client (https://nodejs.org/api/http.html#http_class_http_clientrequest)
Does it use the http default timeout?
I see my program timesout after 2 minutes.
According to the README, it is 0 which means no timeout
// `timeout` specifies the number of milliseconds before the request times out.
// If the request takes longer than `timeout`, the request will be aborted.
timeout: 1000, // default is `0` (no timeout)
https://github.com/axios/axios/blob/master/README.md#request-config
I have a thick client application (C# but that should not matter).
All the users already exist in an authentication/authorization (3rd party) system that provides OAuth 2 API (authorize/access_token plus a user_info service).
I have a Spring Boot web service tier that will have RESTful web services that will be called by the thick client application that must only be called by authenticated users for protected web services.
To authenticate the thick client will launch a Web Browser (OS installed default) and will open https to restful.web.server:8443 /login of the Spring Boot web service tier. This will do the OAuth 2 (authorization_code) interaction. Once redirected back with a valid token I want to redirect to a custom URI passing the token and for the browser to close (if possible) so an OS registered application can extract the token and pass it via an IPC mechanism to the thick client application.
The thick client application can then pass the token to the Web Services in the header (Authorize: TOKEN_TYPE TOKEN_VALUE).
The Web Services must then validate the authenticity of the token.
The Web Services if called with an invalid token must just return an HTTP error and JSON error content (e.g. code+message) and not try and redirect to the login screen. This will be orchestrated by the thick client application.
I have no concern with any of the custom URI handling, IPC development, or thick client web service calls. It is all the Spring/SSO magic in getting the token to be sent to my thick client and returning the relevant error from protected web services without returning a redirect to the SSO login.
I appear to be authenticating and being sent a token but then I get an exception.
I have made some progress and it appears that by manually launching a browser and hitting my web service tier https to restful.web.server:8443 /login it redirects to the SSO site https to 3rdparty.sso.server /oauth/authorization (passing in client_id, redirect_uri, response_type=code, state). I can log in, and Spring is calling the https to 3rdparty.sso.server /oauth/access_token endpoint (I had to create a custom RequestEnhancer to add in Authorization: Basic ENCODED_CLIENT_ID_AND_CLIENT_SECRET to satisfy the access_token SSO API requirement).
This returns 200 OK but then I get exceptions and do not know how to extract the token. The access_token returned may not be using the standard property names but unsure when to go and check if this is the case. I done the authentication this way to keep the client id and client secret out of the thick client application and my web services must do the authorisation anyway. If there is a better way or pointers to someone else doing this already it would be greatly appreciated. I find so many examples that are either not quite relevant or more towards web applications.
server:
port: 8443
ssl:
key-store: classpath:keystore.p12
key-store-password: **********
keyStoreType: PKCS12
keyAlias: tomcat
servlet:
context-path: /
session:
cookie:
name: UISESSION
security:
basic:
enabled: false
oauth2:
client:
clientId: *******
clientSecret: *****************
accessTokenUri: https://3rdparty.sso.server/oauth2/access_token
userAuthorizationUri: https://3rdparty.sso.server/oauth2/authorize
authorizedGrantTypes: authorization_code,refresh_token
scope:
tokenName: accessToken
redirectUri: https://restful.web.server:8443/login
authenticationScheme: query
clientAuthenticationScheme: header
resource:
userInfoUri: https://3rdparty.sso.server/oauth2/userinfo
logging:
level:
org:
springframework: DEBUG
spring:
http:
logRequestDetails: true
logResponseDetails: true
#Configuration
#EnableOAuth2Sso
#Order(value=0)
public class ServiceConectWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter
{
#Override
protected void configure(HttpSecurity http) throws Exception {
http
// From the root '/' down...
.antMatcher("/**")
// requests are authorised...
.authorizeRequests()
// ...to these url's...
.antMatchers("/", "/login**", "/debug/**", "/webjars/**", "/error**")
// ...without security being applied...
.permitAll()
// ...any other requests...
.anyRequest()
// ...the user must be authenticated.
.authenticated()
.and()
.formLogin().disable()
.logout()
.logoutSuccessUrl("/login")
.permitAll()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
;
}
I expect that the secured web services would be accessible once authenticated via the browser whilst testing without the client and would not expect exceptions to be thrown. I need to be able to extract the returned token and pass it back to my thick client.
Redirects to 'https://3rdparty.sso.server/oauth2/authorize?client_id=***HIDDEN_CLIENT_ID***&redirect_uri=https://localhost:8443/login&response_type=code&state=***HIDDEN_STATE_1***'
Then FilterChainProxy : /login?code=***HIDDEN_CODE_1***&state=***HIDDEN_STATE_1*** at position 6 of 12 in additional filter chain;
Request is to process authentication
RestTemplate : HTTP POST https://3rdparty.sso.server/oauth2/access_token
RestTemplate : Response 200 OK
IllegalStateException: Access token provider returned a null access token, which is illegal according to the contract.
at OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:223) ```
Then end up at an error page
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
There was an unexpected error (type=Internal Server Error, status=500).
Access token provider returned a null access token, which is illegal according to the contract.
The access_token service was returning non-standard JSON names.
I created a MyOwnOAuth2AccessToken with the relevant non-standard JSON names the necessary de/serialisation classes.
I created a MyOauth2AccesTokenHttpMessageConverter class for returning my OAuth2AccessToken.
The MyOauth2AccesTokenHttpMessageConverter was plumbed in from an
#Configuration
public class ServiceConnectUserInfoRestTemplateFactory implements UserInfoRestTemplateFactory
within the
#Bean
#Override
public OAuth2RestTemplate getUserInfoRestTemplate()
method with the following code:
List<HttpMessageConverter<?>> messageConverters = new ArrayList<>();
messageConverters.add(new ItisOAuth2AccessTokenHttpMessageConverter());
messageConverters.addAll((new RestTemplate()).getMessageConverters());
accessTokenProvider.setMessageConverters(messageConverters);
There is probably a better way to do this but this worked for me.
OpenAM as single sign-on in Redmine is working for me, but I can't sign out from Redmine. This is the error I get:
HTTP Status 400 - Error processing LogoutRequest. Single Logout Response Service location not found.
The config file is:
Redmine::OmniAuthSAML::Base.configure do |config|
config.saml = {
:assertion_consumer_service_url => "http://xxxxx/redmine/auth/saml/callback", # The redmine application hostname
:issuer => "Redmine", # The issuer name
:idp_sso_target_url => "http://xxxxxx:8080/openam/SSORedirect/metaAlias/idp1", # SSO login endpoint
:idp_cert_fingerprint => "DE:xxxx", # SSO ssl certificate fingerprint
:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
:signout_url => "http://oxxxx:8080/openam/IDPSloPOST/metaAlias/idp1",
:idp_slo_target_url => "http://xxxxxx:8080/openam/IDPSloRedirect/metaAlias/idp1",
:name_identifier_value => "mail", # Which redmine field is used as name_identifier_value for SAML logout
:attribute_mapping => {
# How will we map attributes from SSO to redmine attributes
:login => 'extra.raw_info.username',
:firstname => 'extra.raw_info.first_name',
:lastname => 'extra.raw_info.last_name',
:mail => 'extra.raw_info.email'
}
Please help me fix it.
Your ruby app protected by omniauth is not defining any Single Logout Service URL so if there is any SLO flow, the IdP doesn't know where to send the LogoutRequest / LogoutResponse.
ruby-saml defines it as 'assertion_consumer_logout_service_url' or 'single_logout_service_url', and here is how the ruby-saml toolkit process a SLO
Sadly omniauth does not support yet this feature, but there is a PR that you can apply.
I want to add timeout to service in JBoss.
The problem is that when I run this row for WSDL:
Service service = Service.create(wsdlURL, serviceName);
I get timeout from WSDL like this:
org.jboss.ws.core.WSTimeoutException: Timeout after: 30000ms
I try to add timeout to my service like:
((BindingProvider)service).getRequestContext().put("com.sun.xml.internal.ws.request.timeout", 500);
// ((BindingProvider)service).getRequestContext().put("com.sun.xml.internal.ws.connect.timeout", 500);
but I have exception.
What is the reason for that?
Try with javax.xml.ws.client.connectionTimeout and javax.xml.ws.client.receiveTimeout.
Eg:
//Set timeout until a connection is established
((BindingProvider)port).getRequestContext().put("javax.xml.ws.client.connectionTimeout", "6000");
//Set timeout until the response is received
((BindingProvider) port).getRequestContext().put("javax.xml.ws.client.receiveTimeout", "1000");
Ref: Develop a JAX-WS Client Application