we are using keycloak 3.4.2 to try to integrate SSO behavior (via SAML). I configured two clients in the same realm; if user logins to clientA and he opens a new tab in the same browser and logins to clientB he is successfully automatically logged in.
But we are trying to integrate the following behavior:
- from ipad user opens safari and goes to site A
- he logins to site A successfully
- from site A he clicks an "universal link" to open an app previously installed which is simply a webview to site B.
Current result is the user lands in the login page of the app.
Expected result is the user gets automatically logged in.
We are using iOS 11 for frontend. Both site A and site B have a backend side written in Java6.
Our idea was to reuse all cookies from site A to app with webview of site B by using an iOS widget "SFAuthenticationSession"; but once logged in the only cookie available is JSESSIONID which is not enough I think.
In my tests when I am using only a browser with different tabs, for each different tab I have a different JSESSIONID so I expect to have a different JSESSIONID when I am landing to site B.
Our approach has been taken from current source code:
https://github.com/dvdhpkns/SFAuthenticationSession-example
So what can we do to accomplish our task ?
What are we missing ? Do we need any other tokens/cookie ? How to retrieve them ? And when ?
I hope I clearly explained issue, sorry but authentication issues are not my strong point.
Related
I have a web application (React js with Kotlin backend) that has normal email + pw (plus PIN) login, and it also supports 3rd party authentication (Google and Facebook). It works on mobile and web, however, when I open my webpage through Facebook app - which opens it's own browser - and try to log in with 3rd party authentication, I can click on that "Continue as me" button, but then the page refreshes and I'm not logged in. I saw the same thing happen on other sites too, e.g. Figma, Pinterest, etc. I thought it's impossible to log in this way anymore, however, I just noticed that you can actually log in to Stackoverflow this way (so facebook app -> facebook browser -> stack overflow -> 3rd party auth and it works).
Has anyone figured it out how it was possible for Stackoverflow to do this?
Ok, I found the solution. The problem was that when a user clicked on 'Login with FB' button on my site, I sent a request to fb to get back a content of a login window and I created a pop up window where I rendered it, I put on a listener on that pop up window and once it was done, then I got the access token and sent it to backend and logged the user in. On a normal browser it works perfect (both pc and mobile) but as I mentioned above it didn't work in an in app browser like facebook app.
The issue was that facebook app opens a website in it's own browser that doesn't handle any pop ups, so after a successful authentication I saw that nothing happened and it was because we were not redirected to the original window where we should have, and it had the token in the url. So the solution was instead of making this pop up window for FB login, just redirect the user to the fb login page (and stay on the same window), and once the login is successful, just handle the token as is.
I created a static Web site using Azure Static Web Apps (under the Free plan for now -- not sure if that's relevant to the issue at hand.) I can access the Web site through an ***.azurestaticapps.net URL.
I then tried to test Azure Active Directory authentication per Microsoft's instruction from this page:
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization
My problem is that logging out does not seems to work as I would expect on a normal Web site. I could log out, but when I tried to login again (hoping to use a different Azure AD account,) the Microsoft login screen flashes by and I got logged right back in with the user that I just logged out from. Switching to a different tab doesn't help.
Steps to repro:
Navigate to /.auth/login/aad and login using a Microsoft Account. Say NO to 'Stay signed in?' prompt.
Navigate to /.auth/me to see the basic information on the logged in account to prove that I'm in the logged in state.
Navigate to /.auth/logout to logout. Immediately, navigate to /.auth/me again to confirm that my static Web App regards me as 'logged out.' I'd see this:
{"clientPrincipal": null}
Navigate to /.auth/login/aad again. Microsoft login page flashes by, and I am logged right back in with the previously logged out user.
Things that sort of worked
Any of the two actions below alone seems to make the browser forget my logged-in state:
Close the whole browser and relaunch it. I'd get asked to pick the previous user (and then enter the password) or choose a new user. This sort of works but reminds me of some Web sites 15-20 years ago that said 'For security reasons, please don't forget to close your entire browser after logging out from this one tab.'
Open a new tab in the same browser, and navigate to hotmail.com. That tab will enjoy my logged-in state from the Static Web Apps tab. I'd see my mails right away. Then I log out from the hotmail.com tab, switch back to ***.azurestaticapps.net tab and see that I am still logged into my Static Web App. Good! Then if I log out from my Static Web App and try to log back in, it has forgotten my logged-in state this time. In other words, logging out from the hotmail.com tab is somehow more powerful.
I also tested /.auth/login/google too and the same problem arises! So the issue seems to be on the Azure Static Web Apps side, not how idPs handle their logout process.
Am I missing anything obvious?
Using Visual Studio 2013 Update 5, I have created a boilerplate MVC 5 application with Individual User Accounts auth option selected, and I have been trying to implement social logins using the template code, but have been unsuccessful.
I have ensured all NuGet packages are up to date, and the code is using MVC 5.2.3; Owin 3.0.1; AspNet.Identity 2.0.0.
I can get everything working fine, including authenticator apps using OtpSharp, but the Facebook login is just not working whatever I try.
I have created the Facebook App, set all the relevant options on that and set the AppId and AppSecret in my Startup.Auth.cs file.
When I try to login with Facebook, the MVC site redirects me to Facebook, which prompts me with the auth screen for the app. I click OK and accept this then I am redirected back to the MVC app. If I check the authorised apps under my Facebook account, my app is listed and shows that it has granted permission to the app to retrieve email address.
The callback works fine but when it hits ExternalLoginCallback and in particular:
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync()
loginInfo always returns null.
Looking at the Request it shows an error of access_denied:
https://localhost:44301/Account/ExternalLoginCallback?ReturnUrl=%2Fmanage&error=access_denied
I have read pretty much every blog post and SO question on this error and whilst most of them are helpful, most are also out of date and not relevant.
It would seem that something is missing from the templated project, or something has changed elsewhere as no matter which tutorial I read, and options I set, the result is the same.
I have tried this internally on a dev machine running IIS Express and externally on a hosted machine running IIS 7.5 too and the results are the same.
I've even decompiled the Microsoft.Owin.Security.Facebook library to see where that particular section of the querystring is set to no help.
If I had any hair I'd have pulled it all out by now.
I'll take any suggestions. Can anyone help?
Facebook loves to make things difficult. Access_denied sounds like they are blocking you on purpose. Check your developer dashboard and the accounts authorized to test your app while its in development mode. The email permission is approved by default, so that isn't your issue.
Make sure the account you are testing with is added here:
If that doesnt solve it, make sure you have the correct app domains (testing and live) listed in the domain section here:
I had the exact same issue. No matter what I did the facebook would show the login, get permissions and then return back to the Login page instead of the Email confirmation page.
Using Fiddler Facebook would invoke "http://localhost:1234/signin-facebook&code=SOME_SECRET_CODE_HERE", and then my application's controller would invoke "http://localhost:1234/ExternalLoginCallback?error=access_denied". I was sure Facebook is refusing the access. It was only after implementing a Facebook Javascript SDK Sample, I realised I could successfully login and also view FB scopes!
My Dev environment
MVC 5 application
Visual Studio 2013 Community edition Update 5
Microsoft.OWIN v2.2.1
Microsoft.OWIN.Security.Facebook v3.0.1
Finally I found a YouTube Video by ProCoder which mentioned to put the correct path in the Valid OAuth redirect URIs as http://localhost:1234/signin-facebook and it worked. If you haven't already added, you will need to add Facebook Login product to your Facebook app.
I also set App Domain to localhost and Site URL to http://localhost:1234/
I have added 127.0.0.1 and MY.EXTERNAL.PUBLIC.IP to the Server IP Whitelist Under Security in the Advanced Settings option of the Facebook app.
All these settings I replicated in a new MVC 5 application and it worked like a charm.
update the package Owin.Security.Facebook 3.0.1 to 3.1.0
It works for me
I must use facebook integration within desktop app on OSX. I've used part of facebook sdk for ios and modified all ui elements to properly work on desktop.
I'm presenting facebook dialogs within webView, display is set to popup, and redirect url is https://www.facebook.com/connect/login_success.html.
Everything seems to work fine (all the dialogs are working after login, token and expiration date seems to be ok and are stored between web sessions) except for the facebook cookies which are always set to be session only (even with the keep me logged in option turned on). This means user has to log in to facebook everytime app is opened which is really frustrating.
I've already tried setting display to other values (touch, page) with no success. Probably all relevant settings in facebook app are checked (Native or desktop app?, Embedded Browser OAuth Login, Client OAuth Login).
so the question is if anyone has encountered same problem or might know the solution to make keep me logged in option working properly?
I would like to integrate an existing, external application with Facebook using Mobile Web method and its authenticated referrals as well as to be able to redirect user (incoming from a different place) to Facebook login page. I do not want it to be embedded in Facebook page.
If I understand correctly how the authenticated referrals work, I must somehow reach the authentication dialog which will redirect me to the Mobile Web URL, which I specified in the application configuration.
Additional information: I would like to avoid making the application public until it is ready, so I have set the Sandbox Mode setting to Enabled.
How to get the URL, with which I will be able to test authenticated referrals?
You can land at your game's Mobile Web URL page using following steps:
Switch your user agent to iPhone or other mobile.
Go to the http://m.facebook.com page.
Press the "identity" icon in the top left edge of the screen to show the bookmarks menu.
Look for the application in the Apps section.
Press the application bookmark.
Above procedure worked for me. My user was an admin of the project but it will probably work also for devs and testers (just a guess).