OAuth2 redirect URI for enterprise application - redirect

I'm working on an enterprise application and our UI is a web application. We are looking to add OAuth2 support and I don't understand what to provide for the redirect URI field to the OAuth provider.
For example, I have registered my app in github OAuth provider.
Homepage URL: https://localhost:7980/index.html
Authorization callback URL: https://localhost:7980/oauth_callback
Now this works fine with localhost as the hostname. But, when this application gets used by the customers they can install it on any of their boxes and invoke the web app from any device connected to our server via https://[hostname]:7980/index.html. In this case, if the customer wants to use OAuth2 authentication option, then I don't understand what should be the redirect URL. Obviously I cannot use localhost for redirect URL as the customer can access the web app from any machine. I wouldn't know the machine ip/hostname where the customers are going to be installing our server beforehand.
One suggestion was to use a server from our company which would handle redirect URLs for the OAuth2 authentication. Is this a good idea? Is there a standard way for handling the use case I have narrated above in OAuth2?

Related

Sign In using ADFS in Ionic

I am developing an app using Ionic 6 and Capacitor 3. I want the users to authenticate using ADFS. We have an on-premise ADFS server and I am trying to set up the relying party trust for the SSO.
In RPT we need to provide the callback URL which should be https.
I tried using the following package for OATH2:
https://github.com/moberwasserlechner/capacitor-oauth2
As per the above package, the return URL is of localhost which will not work with ADFS. Since the Ionic Apps run on mobile they will not be hosted on any server (Frontend part). So we cannot have a return URL of the frontend.
Another approach I can try is using the passport saml library in the backend using Node. But ADFS opens its own page for authentication. I am not getting how to pass data between frontend and backend and vice versa. In Capacitor 3 I am not getting the appUrlOpen events which I can listen for URL change. Also the browserPageLoaded, browserFinished gets fired but these do not return any data.
Is there any other approach? We cannot use miniOrnage or Auth Connect as the app is internal and will not be shared publically.

SimpleSAMLphp: is it possible to use an existing auth service for authentication?

I'm trying to create a SAML IDP for the system I built. Probably I'm getting confused with concepts. My problem is as follows:
This system was built in SymfonyPHP which authentication is made by OAuth token. Nothing so special, the username and password are passed to the /auth endpoint and the request returns the token if the credentials are valid. It's working fine.
Now I have to integrate this credentials to a client system. Once the user is logged to my system, so it should be on the client side (like the "login with Google button). I've been searching and realized I should use SAML for that.
I installed the SimpleSAMLPHP and I'm trying to understand how to set it up as my IDP. Once it's made, I can create SPs for my clients systems.
Question: how to make the SimpleSAML use my existing service for authentication? Which module should I use?
With SimpleSAMLPHP acting as an IdP, you want to have a look at authentication modules. The latter is a component that encapsulates the mechanics of signing into the identity provider. For example, if you were trying to sign in to the IdP with your Facebook account, SimpleSAMLPHP ships a FB authentication module that does this for you.
If your existing service can be supported by one of the SimpleSAMLPHP modules, then you're all set. Else, you need to develop your own module.

IdentityServer3 bearertoken ignored? if not localhost

For the past couple of years we've been developing a client/server application and it's been working well with us hosting the server and applications. I've recently started work on getting our mobile app to connect and have run into a snag.
The mobile app can login and obtain a token but when it presents that token for an API call Owin is failing to create a valid Principal.
The same API call from our desktop app (running on the same physical machine as the server) has an HttpRequestMessage "MS_OwinContext" property with the Authentication.User field populated. The same call from the mobile does not.
Yet both of them seem to be sending the same API request (different bearer token of course). Alternative can anyone tell me where I might at least start looking or how I could get information from OWIN as to what it's doing? It's also worth pointing out that the mobile app (Xamarin) shares most of its code with the desktop application.
Right now I'm staring at a black box and all I know is that 'it doesn't work'.
Okay the problem was that the server was setting Authority in the bearer options to be localhost. Audience is derived from this so when connecting using the host name validation fails.
The answer appears to therefore not use localhost as part of the authority.

Facebook login flutter app error

I have encountered the following FB error:
Given URL is not allowed by the application configuration: One or more
of the given URL is not allowed by the App's settings. To use this URL
you must add a valid native platform in your App's settings.
Also Facebook OAuth redirect URI, does not accept http local host.
You may need to review the OAuth settings for your Facebook application
Also Facebook OAuth redirect URI, does not accept http local host
HTTPS is required for new Facebook integrations. You can get free certificates from Lets Encrypt or use self-signed certs and add them to your mobile device. It's a little more complicated, but it's really for the best :-)

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?