logout implementation with KeycloakOIDCFilter - keycloak

I am getting started with securing my webapp using KeycloakOIDCFilter.
For logout, my application redirects to the URL
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
This clears the session in Keycloak, but the application continues to show secured pages, and this filter pulls the security information (SerializableKeycloakAccount) from the cache.
Removing the KeycloakAccount.class.getName() attribute from the session and then redirecting to the auth server
redirects to the login page and prevents access to secured pages after logout.
Is this how logout should be implemented?
This filter also has PreAuthActionsHandler, which has handleLogout. Should the application use this?
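The two-step logout the question describes (drop the local session state, then send the browser to the Keycloak end-session endpoint) as an added servlet example; this is not code from the original post or from the Keycloak adapter. It assumes the javax.servlet API, and the AUTH_SERVER, REALM and POST_LOGOUT_URI constants are placeholder values to replace with your own.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Local-then-remote logout for an application protected by KeycloakOIDCFilter.
 * Order matters: first discard the local security state (the HTTP session that
 * carries the account attribute the filter restores a principal from), then send
 * the browser to Keycloak so the SSO session is ended as well. Doing only the
 * second step leaves the app able to serve secured pages from its own session.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Assumed placeholder values: replace with your realm and an absolute,
    // registered post-logout URL of the application.
    private static final String AUTH_SERVER = "http://auth-server/auth";
    private static final String REALM = "my-realm";
    private static final String POST_LOGOUT_URI = "http://app.example/index.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Invalidate the container session. This removes every attribute,
        //    including the one keyed by KeycloakAccount.class.getName(), so the
        //    filter cannot rebuild the account on the next request.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Redirect to the Keycloak end-session endpoint with the encoded
        //    return address, as the question does. Mark the response non-cacheable
        //    so an intermediary never replays a pre-logout page.
        String endSession = AUTH_SERVER + "/realms/" + REALM
                + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(POST_LOGOUT_URI, StandardCharsets.UTF_8.name());
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(endSession);
    }
}
```

Two practical notes. The redirect target must be one of the client's registered redirect URIs in Keycloak, otherwise the server rejects the logout request rather than silently ignoring the parameter. Newer Keycloak releases implement OIDC RP-Initiated Logout, where the parameters are post_logout_redirect_uri plus id_token_hint (the ID token string is available from the adapter's KeycloakSecurityContext); keep that in mind before reusing the older redirect_uri form shown here.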

Related

Handling cookie not found error with oidc and keycloak

We have Keycloak 18.0.2 with realms integrated with external IdPs (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in the login events, and users reported that they were only able to log in if they cleared their browser's cache and cookies.
We found some ways to reproduce this behaviour in the dev environment:
Multiple browser tabs:
In the browser, tab 1, the user opens the application menu-navigator and is redirected to the external SSO login page (after the Keycloak auth-flow redirection). We see this login page being initialized with the cookie KC_RESTART (auth endpoint).
In the same browser, tab 2, the user opens the application dashboard-frontend and follows a similar flow to the previous app.
Both websites are written in Vue.JS and use the oidc-client-ts library. When initialized, the OIDC lib loads the realm metadata, creates a user storage, and executes the signin flow. After the user is authenticated and has an active session, the KC_RESTART cookie is expired.
As a result, when the user goes back to tab 1, which was opened at step, and tries to log in, the user encounters an error since the system cannot find the authentication session and then tries to use the KC_RESTART cookie to reset the authentication session; however, the cookie is not even there, since it expired at step c.
Then the user is redirected to Keycloak and sees the "Cookie not found" message.
Stale sessions:
The user opens the application (menu-nav or dashboard), signs in, does some operations, and closes the tab.
The user opens the application again at a moment between the Session Idle and Session Max timeouts.
The user is redirected to Keycloak and sees the "Cookie not found" message.
We've seen the message in other situations, but we couldn't consistently reproduce them.
While we were debugging this problem, we saw a Keycloak redirection to the application's callback endpoint with error=login_required. So we decided to handle this and other possible errors by making the client app do a silent signin, or do a signin redirect if the silent signin fails.
This seems to be effective for that error, and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code, which we believe is OK and associated with the session max timeout, and makes the user go to the SSO login screen.
Any thoughts about this?

How to redirect cas login success page to a customize url

Everyone,
I am using CAS and Okta to do the SSO. I found an issue: when I input the SSO URL a second time, it shows the CAS login page.
The case is:
SSO URL in the same browser: https://CBX-PF217JHT-E490.cbxsoftware.com/cas/clientredirect?client_name=ldlint2&service=https://CBX-PF217JHT-E490.cbxsoftware.com/main/j_spring_cas_security_check
Open a browser tab and input the SSO URL; it will SSO login into my app server.
Open another browser tab and input the SSO URL again; it will show me that the CAS login was successful.
Does anyone know why this happens, and is it possible to redirect to a custom URL after such a page is shown?
2021-10-12 11:47:46,137 DEBUG [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] -
The issue is in
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction#doExecute
If there is already an SSO session, then it will not go to the service again.

Redirect different users to different pages on Keycloak login depending on the Role

I am using Keycloak to secure my web application, which is a war deployed on Tomcat.
My application redirects to the Keycloak login and, on successful login, the user is redirected to my home page.
The requirement is to redirect the user to different pages based on the user role (admin, user). Can anyone tell me how to achieve this?
I have tried adding different redirect URIs in the client on the Keycloak console. I also added them in the web.xml file, but it does not work. I keep getting an error message about too many redirects.
I could do this by having a default web page to redirect to from Keycloak.
Then, in the default page, I call a method in the backing bean to check the user and redirect accordingly. This method is called on loading the default page. The default page never has a user interface; it just calls the method on the event. This is what I have in my default page below.
<f:event type="preRenderView" listener="#{bean.roleRedirect}" />
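The backing bean behind that preRenderView listener, written as an added example (not the poster's own code). It assumes JSF 2.2/CDI with the javax namespaces, that the Keycloak adapter maps roles so the container's isUserInRole() answers for "admin" and "user", and the role-to-page mapping and page paths are placeholder values.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;

/**
 * Backing bean for the "default" landing page: the page renders nothing,
 * its preRenderView event just sends each authenticated user to the page
 * for their role. Role checks go through the container's isUserInRole(),
 * which the Keycloak adapter populates from the token's roles.
 */
@Named("bean")
@RequestScoped
public class RoleRedirectBean {

    // Assumed mapping (placeholder pages). Insertion order is the priority:
    // a user holding both roles lands on the first matching entry.
    private static final Map<String, String> LANDING_PAGES = new LinkedHashMap<>();
    static {
        LANDING_PAGES.put("admin", "/admin/home.xhtml");
        LANDING_PAGES.put("user", "/user/home.xhtml");
    }

    /**
     * Pure decision logic, separated from JSF so it can be unit-tested with
     * a fake role predicate. Falls back to a deny page rather than to one of
     * the role pages, so an unmapped role never grants a privileged landing.
     */
    static String landingPageFor(Predicate<String> hasRole) {
        for (Map.Entry<String, String> entry : LANDING_PAGES.entrySet()) {
            if (hasRole.test(entry.getKey())) {
                return entry.getValue();
            }
        }
        return "/access-denied.xhtml";
    }

    /** Invoked by: <f:event type="preRenderView" listener="#{bean.roleRedirect}" /> */
    public void roleRedirect() throws IOException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        String target = ec.getRequestContextPath() + landingPageFor(ec::isUserInRole);
        // ExternalContext.redirect() also marks the response complete, so the
        // empty default page is never rendered.
        ec.redirect(target);
    }
}
```

The "too many redirects" loop in the question is the usual failure mode of this pattern: the default page must not itself be one of the role pages, and the role pages must not be secured in a way that bounces back to the default page. Keeping the decision in landingPageFor() also makes it easy to check that every role maps to a page the role is actually allowed to open.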

Okta - How do I identify currently logged on user in this case?

I will try to keep the question as clear and direct as possible.
Social authentication (Facebook) is configured with Okta, with the redirect URI set to the URL of my custom webapp. This custom webapp relies on Okta for authentication.
A user visits my custom webapp (unauthenticated) and clicks on the social authentication URL to log in to my custom webapp.
The user follows the normal flow, gets authenticated by Facebook and thereby by Okta (as per the usual flow), and is then redirected by Okta back to the custom webapp.
The entire flow is successful, and the user can see an Okta session cookie set in their browser.
The custom webapp now needs to show the user their own profile by making an Okta API call.
Problem: how can my custom webapp identify who just logged in, so that it can fetch their Okta profile using the API?
I am aware that Okta knows who just logged in due to the claims that Facebook sends to the OAuth client (Okta), but how will my app know the identity of the user who logged in?
Thanks,
Jatin
It depends on the OAuth2 flow you've chosen for your app, but the end state is getting an id_token from Okta, which contains claims about the user that just logged in.
If you've set response_type=code in your social auth URL (/authorize), after step 4 you'll get a code query param in the redirect, which you can then exchange for the id_token using the /token endpoint.
Or, if you've set response_type=id_token, you should already have the id_token in the redirect; you just need to validate/decode it (more info here).

How can I have two separate SAML applications login to an IdP without logging in twice?

I have four custom apps (that are SPs), using Auth0 or OneLogin as my IdP. In Auth0 I create a connector for each application. When I log in to one application and then open the other application, I get redirected to Auth0 to log in again.
Is it possible to log the user into my IdP (or Auth0/OneLogin) automatically on that second app without having to click the login button on Auth0, since they've already authenticated with Auth0?
There is an unfortunate need to embed the second app into the first app, and it's a poor UX to have the user log in to the first app and then log in again in the iFrame.
Auth0 dev here. Yes, this is supported out of the box in Auth0. For this to work you'd have to turn "Use Auth0 as IdP" ON in your client. When doing this, Auth0 will then remember the client for 10 hours, up to 3 days if the client is active.
The flow in your scenario will be:
User logs in to any of the applications.
User visits the other application.
The other application sees no session.
The other application redirects to the /authorize endpoint.
Auth0 notices the session and redirects back to your application immediately.
This is further detailed and explained at https://auth0.com/docs/sso
SSO means not having to re-enter credentials, but you only get SSO once you redirect to the IdP and authenticate under the hood, i.e. seamlessly.
So you still have to do something to trigger the redirect.
You could programmatically redirect to a dummy page that requires authentication, which then redirects via your client stack, e.g. OWIN OIDC.
Also, there is no standard for the cookies, so you don't get SSO across multiple IdPs unless they are federated together.
So if there is no federation and you log in to Auth0, you will still have to log in to OneLogin.