Keycloak inserts session_state, state and code in url fragment params.. sometimes after successful login these remain on the url...
Or, when alternate routes are clicked in the app, these appear again.
Unnecessarily exposing the internals of keycloak params to users.
Is there some solution to not have these appear or delete them?
e.g. http://localhost:3000/home/#state=e625140e-c4f9-4500-858e-32c80e89f8a9&session_state=445229c3-d7eb-46e9-bfba-3339253dd17e&code=af0abde4-a60d-4f34-a101-8db5c76546b9.445229c3-d7eb-46e9-bfba-3339253dd17e.59915134-a59b-4ffb-878a-d02e7e84f2dd
Update:
with more tests narrowed down the issue to occur when
anything on the keycloak instance is touched. e.g. keycloak.token
any function call of keycloak is invoked... then after that these params get added and removed for every url route thereafter...
e.g. await keycloak.updateToken()
Keycloak Sever and js lib Version : 9.0.2
It is not a Keycloak issue. That's how used login flow works (maybe you need different flow, which will be more suitable for your use case). Your app code (used OIDC/OAuth library) should "clean" URL fragments. Cleaning can be: exchange code for the token (in this particular case), remove URL fragments, clean browser history, etc.
I am a fairly novice Symfony (v3) developer and try to implement a Facebook login on my web application with HWIOAuthBundle. I have already read upon OAuth2 and understand the basic workflow using Authorization Code. Furthermore I have studied Facebook's relevant on tutorial. Also I followed the complete HWIOAuthBundle tutorial. However, due to the very sparse documentation imho on HWIOAuth-side, I am still not able to grasp "all the magic" that is happening under the hood inside the bundle.
(1) I do not fully understand the example Twig Template:
(a) If I understand correctly, if response.status === 'connected' then Facebook has already returned an access token. In the template, a call is made to url("hwi_oauth_service_redirect", {service: "facebook"}). Do I assume rightly that the controller behind the service then loads the rest of the user information from Facebook and then calls the configured oauth_user_provider to start authentication process in symfony?
(b) If response.status is not equal to connected, then user is still not logged in yet (either not into Facebook or not into app). In the Twig template, again a redirect is being made to url("hwi_oauth_service_redirect", {service: "facebook"}). Why is again the same controller called and what does it do then?
(2) I do not understand all configuration parameters as shown in the HWIOAuthBundle tutorial:
(a) routing.yml:
What is the entry for
hwi_oauth_login:
resource: "#HWIOAuthBundle/Resources/config/routing/login.xml"
prefix: /login
good for?
(b) security.yml:
oauth:
resource_owners:
facebook: "/login/check-facebook"
login_path: /login
failure_path: /login
What is behind /login/check-facebook?
What is the purpose of login_path, what is behind /login?
1)a) No. The controller (link) ends up redirecting the user to an authorization url It redirects the user to the authorization url
1)b) You can be logged into facebook but you might have rejected the app in the past. FB.login asks the user again for permission (that's why the scope:email is added there)
2)a) it loads the login routes under a prefix if you check that file you'll see that it adds a route under the "/" path putting the prefix helps you avoid conflicts with your other routes.
2)b) it's not a real route it gets intercepted by the firewall to check user auth. If you've implemented a normal login html form it's the same as /login_check, it's where your login html form action is but there's no controller behind it. Symfony security is extremely flexible so it can get a little bit complicated to wrap your head around it, I recommend that you see this slides from Sarah Khalil where she explains it. login_path is where your normal login form would live, in this case it's where your facebook login button, and the rest of your twig template, would be.
As part of a session security feature I am checking $ENV{REMOTE_ADDR} to make sure the users IP is the same during the whole stay on a website.
Some parts of the website show a waiting screen, if for example the rendering of a file takes some seconds, and I redirect the user to a result screen by the use of a meta tag <meta http-equiv="refresh" content="$time; URL=…">.
Unfortunately after this redirect the $ENV{REMOTE_ADDR} variable does not return the users IP but the one from the server.
Is there something I am missing to get this to work properly and/or are there alternatives I could use to redirect the user?
For various reasons htaccess or http-header redirects are not an option and I don't want to use JavaScript for this.
I am already using a 'click me' button to allow the user to manually skipping the wait.
You could try to alter between temporary/permanent type of redirect. Check in server logs, the the http code is 301 or 302?
I misread the accesslogs … it was actually a different script executed on the server, therefore having the servers IP, which caused all this.
I have requirement that once user has logged in and is authenticated URL should be changed to SSL and when he logs out url is back to HTTP.
I am aware about Properties in webpart where we can set YES/NO/INHERITS/NEVER.
I am able to set HTTPS permanently but not dynamically.
Any suggestion/help is appreciated.
I'm not aware of any functionality within Kentico to do this, but you should be able to create a webpart and place it on the masterpage. This web part would just check the current user, and if there is a user that is logged in redirect to https version and vice versa.
You could also add some logic to make sure it doesn't do this in the the edit tab in cmsdesk.
You can check the user with
CMSContext.CurrentUser
Some help with redirecting to the secure page can be found at
asp.net c# redirecting from http to https
As rocky said there is not functionality out of the box that will do this for you.
You need to create a web part like it was suggested by Lukek that checks that the user is logged in and redirects them to the https address.
The code below will redirect.
if (!Request.IsLocal && !Request.IsSecureConnection)
{
string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
Response.Redirect(redirectUrl);
}
As suggested bu lukek you need to check the CMSContext.CurrentUser however I would also use the HttpContext.User property.
That will enforce the request to be https.
The title really says it all. Under some (undetermined) conditions FB.getLoginStatus() just stops working and won't invoke the callback I gave it. The only interesting clues I've found are
FB.Auth._loadState is stuck on "loading" -- whatever is supposed to make it click over to "loaded" isn't happening
slight delays like putting in alert() calls tend to make it start working
Any hints at all about even how to investigate this welcome.
This usually happens for me when I am running the page under a different domain from what has been registered in Facebook. Typically this is when I am developing locally.
If you are running locally, you'll have to set up a local web server and then modify your hosts file to point the the registered domain to 127.0.0.1 in order to test on your local machine. Don forget to remove that line from the hosts file when you want to test it on the server.
According to:
https://developers.facebook.com/bugs/240058389381072
You cannot put your application under sandbox mode, or else it won't work. Go into your app settings, advanced, and switch it. This stumped me for a couple hours until I happened upon the bug report.
I had similar problem with FB API. It turned out, that my Facebook App was misconfigured. Please make sure that this is not the case for you. My problem was that my "Site URL" param in FB application was pointing to https, but I was using http protocol for development. Any call against FB api after FB.init was not calling my callback functions. So the first thing to do should be to double check App config.
Now, if some reason you depend on FB api but you wish to have a fallback option in case it;s inoperative - workaround with timer should be ok for you. Just set up a timer and disable it if FB Api gives you proper response. If not - fallback to some custom function which will perform some additional logic.
function callFbApi() {
var timeoutHandler = setTimeout(function() { requestFailed(); }, 1000);
function requestFailed() {
// When this happens, it means that FB API was unresponsive
doSomeFallbackWork();
alert('hey, FB API does not work!');
}
FB.getLoginStatus(function(response) {
clearTimeout(timeoutHandler); // This will clear the timeout in case of proper FB call
doSomeUsualWorkAfterFbReplies();
return false;
}, true);
}
If your application is in sandbox mode, Facebook acts as if your application is invisible to anyone who is not listed as an application developer. If you're not logged in, then it would stand to reason that your app is now invisible.
The callback will only fire if you're initializing with a visible application. Otherwise the following response is returned:
<span>Application Error: There was a problem getting data for the application you requested. The application may not be valid, or there may be a temporary glitch. Please try again later. </span>
For more info please see my comment on this bug ticket:
https://developers.facebook.com/bugs/240058389381072
Maybe you are using the asynchronous call. The same thing happened when I called FB.init with window.fbAsyncInit. All I did was delay the FB.getLoginStatus with a setTimeout function
window.setTimeout(checkLogStatus, 1000);
function checkLogStatus(){
alert("check");
// fetch the status on load
FB.getLoginStatus(handleSessionResponse);
}
It seemed to work after that
On the new version of the Developer app, you have to make sure to have put the correct URL you are using to access the application in the Website field under the
Select how your app integrates with Facebook
section.
Make sure the protocol is HTTPS and not HTTP.
I had a similar problem. The site worked every time when I was opening the browser, but fails when I tried to reload.
The cause was the missing "www" on the site name on Facebook configurations. Note that putting "www" (like www.yoursite.com) works on both situations (yoursite.com or www.yoursite.com).
As others have posted, you must be accessing your site at the same URL that facebook expects. For example if facebook has a callback "example.com" but you're browser has "www.example.com", that can cause this problem.
In addition, if third-party cookies are not allowed by your browser, you may also see this problem. Or you may see the callback erroneously reporting the user is not connected.
Just posting a situation I had were calling FB.getLoginStatus got absolutely no response.
My application is designed to run in a tab, and I only entered the Page Tab URLs on the app admin page, and not the App On Facebook (i.e. Canvas) URLs. The tab loads perfectly, but any calls to the FB JS SDK provoke no response.
In Facebook App Settings, go to Client OAuth Settings, look at Valid OAuth redirect URIs
Make sure you have listed all URIs which are the domains from which Facebook SDK is being invoked. For example:
I develop at localhost:5000 and deploy to Heroku. Notice the format: http://domain.name/