After authenticating, the user is always sent to the root url of the application, even though they initially requested a deep link.
I've read that there is a concept of RelayState, however I'm not sure if that is something I need to explicitly look for as a property somewhere and then redirect, or something that should be functioning automatically if I have things setup correctly.
I have tried tacking on a url to the signOn url but that didn't seem to have any affect. This is just when I manually enter a url in the browser, though, so I assume that isn't an "SP initiated login"
When I need to authenticate I am redirecting to a deep link like so (hard coded just while trying to debug)
string deepLink = "?returnUrl=http://localhost:35246" + app.Context.Request.FilePath;
string logInPage = "~/Saml2/SignIn" + deepLink;
HttpContext.Current.Response.Redirect(logInPage);
The logging output shows this.. should SignInUrl show something different?
SUSTAINSYS [VERBOSE] Expanded Saml2Url
AssertionConsumerServiceUrl: http://localhost:35245/Saml2/Acs
SignInUrl: http://localhost:35245/Saml2/SignIn
LogoutUrl: http://localhost:35245/Saml2/Logout
ApplicationUrl: http://localhost:35245/
Any pointers?
it needs to be
?ReturnUrl=
rather than
?returnUrl=
Related
I am currently working on a 1 page HTML app that uses URL parameters to do an API call. the URL parameters are set and used in QR codes so its necessary that they are able to change dynamically. A example URL would be something like app.com/index.html/?environment=demo&location=Kiosk
I currently have this app deployed in AWS Amplify, but I cant get other keywords to chain together. I have the following redirects in place:
These redirects make sure that every URL parameter I pass in the link works EXCEPT some keywords like the "location" keyword, next to some others. Using this keyword as a URL param gives a 502 server error, or if the redirects are not used an access denied error.
does anyone know how to get the location keyword to work? Thanks in advance!
You should be able to use a single rule that will forward everything to index.html EXCEPT urls with a "file extension" from the list below. That lets all your links work, but assets like images, fonts, code will pass through.
Doc for: Using Redirects - Single Page Apps
</^[^.]+$|\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json)$)([^.]+$)/>
So I am trying to use single sign on in an outlook addin. I have registered my app at https://apps.dev.microsoft.com/.
In my Manifest I have
<WebApplicationInfo>
<Id>{myId}</Id>
<Resource>api://mydomain.com:3000/{myId}</Resource>
<Scopes>
<Scope>Mail.Read</Scope>
<Scope>profile</Scope>
</Scopes>
</WebApplicationInfo>
mydomain.com is actually a domain i map to my local IP.
Outlook accepts my manifest just fine. How ever when i call Office.context.auth.getAccessTokenAsync, I get the following response
{name: "Invalid application resource Url provided.", message: "Invalid resource Url specified in the manifest.", code: 13004}
How else should i write the resource url. Am i supposed to add this url somewhere else?
I followed https://learn.microsoft.com/en-us/office/dev/add-ins/develop/register-sso-add-in-aad-v2 and was able to get further. But now i Get {name: "Preauthorization missing.", message: "Missing grant for this add-in.", code: 13005}
I was able to solve Error 13005 by adding /taskpane.html to the end of my redirect URI in the authentication tab of my App Registration [Figure 1]. Originally I just had https://loacalhost:3000 as my redirect URI. Just make sure that whatever endpoint the user is being redirected to is the redirect URI. Seems simple but I spent a lot of time on this.
If you can't figure out what your redirect endpoint is, inspect the taskpane element and then look at the top of the tab. It should be something like DevTools - {localhost:3000/taskpane.html}?_... The text inside of the curly braces is the endpoint, make sure that the whole string is added to the Authentication tab in App registrations.
App Registration Page Example Picture
I hope this helps,
Lucius
I have a JavaEE Application. I am trying to implement OAuth.
But I am facing some strange issues:
As per the documentation to manually building the sign in web flow I have to provide a link like this https://www.facebook.com/dialog/oauth?client_id=1231298371123&display=popup&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fc%2Fportal%2Fauth%2Ffacebook_login%3F&scope=email,public_profile,user_birthday&response_type=code%20token which will open the dialog. But the dialog is not opening.
And when the SSO is successful FB is redirecting to the url given above but the problem is FB is appending the query strings like state, code, etc with #. Something like: http://localhost:8080/c/portal/auth/facebook_login?#state=ASDASDASDASD&access_token=EAANXZAlBTi........ Because for this I cannot get the parameters in Java.
Do any one came across this kind of issue.
Please help.
Not sure if I understood the question right but if you want to read the string after # you can use the following code
URI uri = new URI("http://test.com/#something=some");
String fragment = uri.getFragment();
fragment will be everything after #
Several web application authentication protocols (like WS-Federation and the SAML protocol, i.e., so-called 'passive' protocols, and apparently also ASP.NET Forms authentication, see this StackOverflow question, and AppEngine, see this GWT bug comment) lose the original 'URL fragment', i.e. the part after the #-sign.
What happens is roughly the following: in a clean browser (so no cached info/cookies/login information) I open URL (1) http://example.com/myapp/somepage?some=parameter#somewhere. This makes the browser request (2) http://example.com/myapp/somepage?some=parameter, the server redirects me to my identity provider (including URL (2) in the authentication request), and ultimately I'm redirected back to where I came from, which is URL (2): that is the only URL that the server knows about. But I wanted to go to URL (1), and the URL fragment ('anchor') has been lost along the way, actually in the first step already.
This seems to be a fundamental limitation of these protocols, since the server never sees the URL fragment at all.
I know that it according to specifications that the browser requests (2) from the server, when I navigate to (1), leading to this fragment-losing limitation on the SAML protocol, WS-Federation, etc. My question is: how do I work around this limitation?
The obvious workaround is to avoid URL fragments, as suggested in this answer. However, for our specific web application that is not nice, since we use bookmarkable URL fragments in our single-page GWT application, to make sure that a navigation within our application does not cause the page to reload.
My question: What other workarounds or standard patterns are there for this situation?
(I'm specifically interested in a GWT + SAML protocol solution.)
You basically have two options:
avoid using location.hash (use HTML5's pushState instead, at least on browsers that support it; and/or propose a way to generate permalinks within your app – Google Groups does that)
do the redirection using JavaScript. I.e. instead of sending a redirect from the server, send an empty HTML page with some script that takes the full URL (with the hash) and does the redirection using location.assign() or location.replace(). With a bit of luck (depending on the servers), you'll be redirected to that full URL after authentication.
You can of course do both: if the link is a deep-link into the app, then do the redirect (i.e. assume there's no hash), otherwise send a page with JS to make sure you don't lose any state present in the hash.
And finally the obvious third solution, far from ideal: don't do anything, and try to educate users that when they needed to (re)authenticate then they should re-paste the URL or re-click the link or re-click the bookmark.
According to RFC 1738 anchor tags are not sent by the client to the server, when requesting for a resource.
Anchor tags are used to identify a location within a resource and not a different resource on the server. In order to identify the location in the resource, the client needs to fetch the complete resource from the server, and this process need not involve transfer of information about the fragment (as it does not mean anything to the server).
If you do wish to send the fragment character (#) to the server, then you'll need to encode it in the query string, or the client(browser) will simply ignore that section of the URL when it sends the request to the server.
EDIT:
I don't know any real solution but to work around this issue you need to save your full return URL (with anchor tags) somewhere on the client side, because server don't know anything about anchors. For that you could use SessionStorage (http://www.w3schools.com/html/html5_webstorage.asp) to temporary store ReturnUrl until login process is completed. Please note that it won't be supported on older browsers (like <= IE7).
In that case workaround would look something like this:
<script>
if(typeof(sessionStorage) == 'undefined')
{
sessionStorage = {
getItem: function(){},
setItem: function(){}
};
}
window.onload = function ()
{
var key = 'ReturnUrl';
//try to get last returnUrl with anchors
var returnUrl = sessionStorage.getItem(key);
//if we got something, do the navigation
if(returnUrl !== undefined && returnUrl !== document.URL)
{
//clean it up
sessionStorage.setItem(key, null);
//navigate to last URL
window.location = returnUrl;
}
else
{
//store url
sessionStorage.setItem(key, document.URL);
}
}
</script>
PS. Bear with me if there are some syntax errors because I wrote it down from top of my head and didn't try it.
to connect to an app on facebook, the user types in
www.facebook.com/login.php?api=12312312323123123
how can I add an extra get var to this url and pass it to my script on successful login?
Do you add a redirect_url as part of the login call?
If so you can add the GET parameter to that. For instance let us say you are asking Facebook to redirect to http://tld/fbhandler after user logs in. You can change that to http://tld/fbhandler?extra=value.
This URL is specified at the time of making the (OAuth) login call to Facebook and therefore you can change the value as you see fit.
You cannot do this. Facebook will strip custom query values from the url. I have found that there are two ways to do this. The first is that they will let you have a single query value at the end of the url if you encode the ? to %3F. For example:
redirect_url=http://www.example.com%3FmyextraParameter
You could use this approach to do something like base64url encode your values and add them at the end.
The other thing that I have done is to change the parameters to be path variables
redirect_url=http://www.example.com/realUrl/parameter1/parameter2
Neither are great solutions, but I have yet to find a way to send querystring values without them being stripped off.