IdentityServer3 and No signin id passed in using custom provider for ADFS 3.0 - identityserver3

I am having an issue trying to add in a custom provider into IdentityServer3 for ADFS 3.0 and was hoping someone could possibly point me in the right direction.
I have used the following references:
Middleware for external Authentication
Writing an Owin Authentication Middleware
OAUTH2 Authentication with ADFS 3
And I receive an error on the return page after coming from the IDP, returning the AuthenticationTicket.
Error
There is an error determining which application you are signing into. Return to the application and try again.
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
{
    // calls token and gets the values correctly
    // context.Properties does contain a signinid
    return new AuthenticationTicket(context.Identity, context.Properties);
}
The context.Properties does have a key/value pair for signinid.
And I do have all my claim data. Using this answer here
Here is the log:
2018-09-13 07:44:59.412 -05:00 [Information] External login requested for provider: "https://idp.domain.com/adfs"
2018-09-13 07:44:59.417 -05:00 [Debug] Cache hit: 2
2018-09-13 07:44:59.419 -05:00 [Information] Triggering challenge for external identity provider
2018-09-13 07:45:25.389 -05:00 [Information] Callback invoked from external identity provider
2018-09-13 07:45:25.395 -05:00 [Information] No signin id passed
I am currently using:
https://localhost:xxxxx/identity/callback
/identity/callback
as my RedirectUri and CallbackPath, maybe these are incorrect? I have tried some others but received 404s.
I am just not sure what I am missing or what I am doing incorrectly; any help would be appreciated. I did do a search and found a few others had similar problems with WSFed or OpenID, but there were no solutions that helped me.
Thank you.

After stepping through this issue (and ID Server code) I found the problem. I was receiving the no signin id error because the AuthenticateAsync("idsrv.external") call was failing inside IdentityServer3.
It was a result of the return URL and callback path I used. Instead of calling /identity/callback directly, I got this working by using /identity/signin-adfs and a callback path of /signin-adfs, based on how the match in the custom providers given as examples was done.

Azure Data Factory - Web activity with header value containing comma failing

We are trying to ingest data from Amazon Selling Partner API. We currently have an azure function that signs our request and returns the header values. The authorization header contains commas in it and the comma causes the activity to fail on the client side.
Here is an example of the authorization header:
AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class,Signature=98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd
To reproduce, create a new pipeline and add a web activity. Enter "http://www.google.com" for the url with the method GET. Add a header like above.
You should get the following error:
Error calling the endpoint 'http://www.google.com'. Response status code: 'NA - Unknown'. More details: Exception message: 'NA - Unknown [ClientSideException] The format of value 'AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class,Signature=98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd' is invalid.'.
Request didn't reach the server from the client. This could happen because of an underlying issue such as network connectivity, a DNS failure, a server certificate validation or a timeout.
Any work arounds for this?
Thanks,
Scott
If you are using Authorization as a header to get data make sure to use bearer in front of the Token.
Authorization: Bearer <Access Token>
I tried to reproduce the same in my environment and got below results:
Output:
For more information, refer to this SO thread.

How can I use REST API authentication in Mendix?

I have designed an API REST service (with Bonita) to which I can perfectly connect with Postman, with the following parameters:
By the way, the x-www-form-urlencoded option that is selected comes from the Content-type application/x-www-form-urlencoded header that is not displayed in my screenshot. The official Bonita specification states that this header is needed and I always get a 200-OK status code as an answer.
How can I specify an equivalent request with the body part in a Mendix Call REST service in a microflow? Here is what I have so far:
I guess the body part should be specified in the Request tab, but I just don't know how to do it properly. I always get the following error message for my connector, which means that, whatever I specify, the username is not taken into account:
An error has occurred while handling the request. [User 'Anonymous_69a378ed-bb56-4183-ae71-c9ead783db1f' with session id '5fefb6ad-XXXX-XXXX-XXXX-XXXXXXXXb34f' and roles 'Administrator']
I finally found that the proxy setting was the actual problem. It was set at the project scope and simply clicking on No proxy in the General tab did the trick! (both services are hosted on my local machine so far)
I just had to fill in the dedicated Authentication field in the HTTP Headers tab then, with the correct credentials, to eventually log in my Bonita service.

Error 401 Authentication failed. Browser based integrations - to login append '?login-form-required=y' to the url you tried to access

In PostMan I'm trying to authenticate with RestAPIs provided in HPALM Guide (API Reference)
At first for authentication if I run this api "almserver/qcbin/authentication-point/alm-authenticate"
it gives
200 OK
but when I check the authenticated api "almserver/qcbin/rest/is-authenticated"
it gives
401 Authentication failed. Browser based integrations - to login
append '?login-form-required=y' to the url you tried to access.
and if I append this particular '?login-form-required=y' string to the end of the second API, I get an HTML page as the response
HP Application Lifecycle Management 12.53
background-color: #eee
whereas we expect this
Could some one please help me with this one?
#Sergi #Macintosh_89 I met the same issue as Manu: I post http://almserver***/qcbin/authentication-point/alm-authenticate, but only LWSSO_COOKIE_KEY is returned, without QCSession. Do you know why?
Your request to almserver/qcbin/authentication-point/alm-authenticate will return a LWSSO_COOKIE_KEY cookie.
You need to add this cookie to the request to almserver/qcbin/rest/is-authenticated.
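As an added example (not code from this thread or from HP ALM), here is the cookie handling the answer describes, in Node.js: parse the Set-Cookie header that alm-authenticate returns, keep LWSSO_COOKIE_KEY in a small jar, and build the Cookie header for the later is-authenticated call. No request is actually sent; the Set-Cookie line and its value are constructed sample data.

```javascript
// Parse one Set-Cookie header value into {name, value, attributes}.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0] ? parts[0].indexOf('=') : -1;
  if (eq < 1) return null; // no name=value pair: ignore it
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Minimal cookie jar keyed by cookie name; a later Set-Cookie replaces an earlier one.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  storeFromResponse(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      if (c) this.cookies.set(c.name, c);
    }
  }
  has(name) { return this.cookies.has(name); }
  // Value for the Cookie request header on the next call.
  cookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed sample of what alm-authenticate might answer (the value is made up).
const sampleSetCookie = [
  'LWSSO_COOKIE_KEY=SAMPLE_LWSSO_VALUE; Path=/; HttpOnly; Secure',
];

// Headers for the follow-up request; refuses to proceed without the session cookie.
function sessionHeadersFor(jar) {
  if (!jar.has('LWSSO_COOKIE_KEY')) {
    throw new Error('authenticate first: no LWSSO_COOKIE_KEY in jar');
  }
  return { Cookie: jar.cookieHeader() };
}

const jar = new CookieJar();
jar.storeFromResponse(sampleSetCookie);
console.log(sessionHeadersFor(jar));
```

A real client would store every cookie the server sets (an ALM session may add more than one) and send them all back; the jar above already does that, and the check in sessionHeadersFor makes a missing LWSSO_COOKIE_KEY fail loudly instead of producing the 401 seen in the question.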

Magento REST API keeps returning "signature_invalid" error

I'm trying to use the Firefox Rest client extension to test out my Magento REST API. I followed this guide but I keep getting the "signature_invalid" error when making the final request to receive the access token.
Guide: http://devdocs.magento.com/guides/m1x/api/rest/testing_rest_resources.html
The URL I use for the final request is:
http://mymagento/oauth/token?oauth_callback=http://httpbin.org/get&oauth_token=99e48f7d46d3a2f8fef704865fe2f4e4&oauth_secret=eda948ee46250f335146f6f4c5f7d622&oauth_verifier=1d977f0b96f3ae07fff515c590ec6709
And these are the headers:
OAuth oauth_version="1.0", oauth_signature_method="HMAC-SHA1",
oauth_callback="http%3A%2F%2Fhttpbin.org%2Fget",
oauth_token="99e48f7d46d3a2f8fef704865fe2f4e4",
oauth_secret="eda948ee46250f335146f6f4c5f7d622",
oauth_verifier="1d977f0b96f3ae07fff515c590ec6709",
oauth_nonce="OmOzMMy2Z60m5sV", oauth_timestamp="1495611445",
oauth_consumer_key="abc77ce5a53e67333af04807dea1356b",
oauth_signature="tE6xzRXZIc4BPQ3Dxc80ddoitLg%3D"
The nonce, timestamp and signature are automatically refreshed each request.
I'm using Magento CE 1.9.2.2.
I have also tried Postman, but that tool gives me a nonce_used error with every request, even though it's automatically refreshed... Permissions are correctly set up as explained here: http://inchoo.net/magento/configure-magento-rest-and-oauth-settings/
Everything goes fine using the Rest client extension until the final request where I want to receive the access token.
I found the solution... The local browser had cached the oauth responses...

Handling HTTP 302 error and redirecting in Backbone.JS "sync" method

I've got a secured Backbone.js app (that uses Spring security atm.), so a logged-in user must have a valid session-cookie (JSESSIONID). Now, if this session is invalidated (deleted, expired, whatever) and the user attempts to make a request, Spring security will return a 302 Error as an attempt to redirect the user to a login-form.
As is explained in this answer, this 302 response gets handled by the browser (it doesn't reach my app) so what is returned to my app is a 200 OK response with contenttype="text/html" (containing the login form).
That's an issue, because when my Backbone model attempts to do a sync to a URL, it expects JSON. If this sync happens without a valid session, the 200 "text/html" response is returned when "application/json" is expected, giving me a JSON parse error in jQuery.extend.parseJSON.
With great help from this question/answer, I've overridden the Backbone.sync method in order to use my own error handling. However, since the 302 never reaches my error handler I cannot override the redirect myself.
My situation is very similar to this question, however a final solution to the problem was never posted. Could someone please help me figure out the ideal way to ensure a redirect to the login page happens?
Instead of returning the login page with HTTP 200 OK, you should configure Spring Security to return HTTP 401 Unauthorized for unauthenticated AJAX requests. You can detect an AJAX request (as opposed to a normal page request) by checking for the X-Requested-With: XMLHttpRequest request header.
You can use the global $.ajaxError handler to check for 401 errors and redirect to the login page there.
This is how we've implemented it and it works nicely. I'm not a Spring guy, though, so I can't really help with the Spring Security configuration.
EDIT. Instead of a custom cookie, it will be better to use the solution provided by #fencliff.
I think you can use some other field of XHR to detect this situation. A special cookie may do the trick.
You can define your own authentication failure handler on the Spring Security side. At the moment when the redirect to the login page occurs, you will be able to add a cookie to the HttpServletResponse. Your custom Backbone.sync method will check this cookie. If it is present, it will launch your custom handler for this case (do not forget to remove the cookie at the same time).
<sec:http ... >
    <sec:form-login login-page='/login.html' authentication-failure-handler-ref="customAuthenticationFailureHandler" />
</sec:http>
<bean id="customAuthenticationFailureHandler" class="com.domain.CustomAuthenticationFailureHandler" />
CustomAuthenticationFailureHandler must implement the org.springframework.security.web.authentication.AuthenticationFailureHandler interface. You can add your cookie and then call the default SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure(...) implementation.
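As an added example (not from either answer, and not Spring Security or Backbone code), here is the client-side half of both proposals written as plain functions so it runs in Node.js without a browser: the X-Requested-With check the first answer relies on server-side, a classifier that treats a 401, the marker cookie of the second answer, or the original 200 + text/html symptom as "session gone", and the redirect to the login page. Assumptions: the login page is /login.html as in the configuration above, and the custom failure handler sets a hypothetical cookie named "sessionExpired".

```javascript
const LOGIN_PAGE = '/login.html';               // assumption: matches the login-page in the config
const SESSION_EXPIRED_COOKIE = 'sessionExpired'; // hypothetical marker set by the failure handler

// Server-side condition from the first answer: is this an XMLHttpRequest call?
// `headers` is a plain object whose keys may be in any case.
function isAjaxRequest(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'x-requested-with');
  return !!entry && String(entry[1]).toLowerCase() === 'xmlhttprequest';
}

// Turn a document.cookie style string ("a=1; b=2") into a Map.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    jar.set(eq < 0 ? trimmed : trimmed.slice(0, eq), eq < 0 ? '' : trimmed.slice(eq + 1));
  }
  return jar;
}

// Decide what the sync error handler should do with a finished XHR.
// Returns 'login-required' or 'ok'. Three cases: the 401 the first answer recommends,
// the marker cookie of the second answer, and the original symptom (200 + text/html
// login form where JSON was expected; jQuery reports that as a parsererror, which
// still reaches the global ajaxError handler).
function classifyResponse(xhr, cookieString) {
  if (xhr.status === 401) return 'login-required';
  if (parseCookieString(cookieString).has(SESSION_EXPIRED_COOKIE)) return 'login-required';
  const contentType = (xhr.getResponseHeader('Content-Type') || '').toLowerCase();
  if (xhr.status === 200 && contentType.startsWith('text/html')) return 'login-required';
  return 'ok';
}

// Where to send the user; returnTo lets the login page bring them back afterwards.
function loginRedirectUrl(currentPath) {
  return `${LOGIN_PAGE}?returnTo=${encodeURIComponent(currentPath)}`;
}

// Browser wiring through jQuery's global handler; guarded so the file also loads in Node.
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery(document).ajaxError((event, xhr) => {
    if (classifyResponse(xhr, document.cookie) === 'login-required') {
      // Clear the marker cookie before leaving, as the second answer says.
      document.cookie = `${SESSION_EXPIRED_COOKIE}=; Max-Age=0; path=/`;
      window.location.assign(loginRedirectUrl(window.location.pathname));
    }
  });
}
```

Two practical notes: the marker cookie must not be flagged HttpOnly, or document.cookie cannot see it; and the X-Requested-With header is only present when jQuery (or your own code) adds it, so a server that switches on it should still fall back to the normal redirect for plain page loads.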