Azure B2C Forgot password link not working - azure-mobile-services

I'm building a Xamarin.Forms application with Azure Mobile and Azure AD B2C. Everything else is working great except the "Forgot your password" link.
Screenshots are from the UWP client. The Android client and the Azure portal profile tests don't work either, but they give a different error: "You do not have permission to view this directory or page."
Is there something wrong with my sign-in/sign-up B2C policy settings, or is this supposed to work yet at all? All help appreciated.

When you click the forgot password link on this page, B2C will redirect back to your application with an error message. The expected behavior is that the MSAL library will capture the redirect, throw an exception, which you can capture and then use to redirect to a password reset policy.
It looks like MSAL is failing to capture that redirect for some reason. In that case I'd recommend opening an issue on the code sample or library you're using. But before doing so, I would double check that you're using the right redirect_uri, and capture a network trace if possible. It would be necessary to know the exact web requests that occurred during this flow, and which URL is resulting in the error message above.
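The handling the answer describes, written out as an added C# example for a Xamarin.Forms client using MSAL.NET (this is not code from the question, the answer, or any Microsoft sample). The tenant, client id, policy names and redirect URI are placeholders; the error code AADB2C90118 is the one B2C documents for the "forgot password" redirect and is an assumption taken from that documentation rather than from the page. The logging callback is there so the redirect and the request that fails can be seen without a separate network trace.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the page's code. All identifiers below are placeholders
// that must match the app registration in your B2C tenant.
public static class B2CAuth
{
    const string Tenant = "yourtenant.onmicrosoft.com";
    const string TenantHost = "yourtenant.b2clogin.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string SignUpSignInPolicy = "B2C_1_susi";
    const string ResetPasswordPolicy = "B2C_1_reset";

    // Must equal the redirect URI registered for this client, character for character.
    // A mismatch is the usual reason the redirect never reaches MSAL.
    static readonly string RedirectUri = $"msal{ClientId}://auth";
    static readonly string[] Scopes = { "openid", "offline_access" };

    static string Authority(string policy) => $"https://{TenantHost}/tfp/{Tenant}/{policy}";

    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithB2CAuthority(Authority(SignUpSignInPolicy))
        .WithRedirectUri(RedirectUri)
        // Verbose MSAL log with PII disabled: shows each request and the redirect it got back.
        .WithLogging((level, message, containsPii) => Console.WriteLine($"[MSAL {level}] {message}"),
                     LogLevel.Verbose, enablePiiLogging: false)
        .Build();

    public static async Task<AuthenticationResult> SignInAsync(object parentWindow)
    {
        try
        {
            return await Pca.AcquireTokenInteractive(Scopes)
                .WithParentActivityOrWindow(parentWindow)
                .ExecuteAsync();
        }
        catch (MsalException ex) when (IsForgotPassword(ex))
        {
            // B2C answered the sign-in policy with an error on the redirect URI and MSAL
            // surfaced it as an exception; run the password reset policy instead.
            return await Pca.AcquireTokenInteractive(Scopes)
                .WithB2CAuthority(Authority(ResetPasswordPolicy))
                .WithParentActivityOrWindow(parentWindow)
                .ExecuteAsync();
        }
    }

    // AADB2C90118 is the code B2C puts in error_description when the user
    // clicks "Forgot your password?" (assumed from the B2C documentation).
    static bool IsForgotPassword(MsalException ex) =>
        ex.Message != null && ex.Message.Contains("AADB2C90118");
}
```

If the catch block is never reached, the log output is the place to look: the last request logged before the failure is the URL the answer asks about, and a redirect URI in that request that differs from the registered one points at the cause.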

Related

Google not showing prompt to select Google account

We have a web application with Keycloak as identity broker and a Google SAML app as IdP for a Google managed workspace for a domain, say mycompany.com. The integration works fine except for the case described below.
If the user is logged in with only one Google account that is not the SAML-app account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with my mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer; it has ForceAuthn="true" but still it does not show the account chooser page.
I went through a couple of Stack Overflow threads. A few provided a solution based on the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community to help suggest a clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser, as it always takes that one to complete the sign-in process automatically.
There is no official way or setting from Google to do this; however, the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings so that it forces the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL, and you need to get them from the Google apps menu next to your profile picture: hover over the SAML app that you want to change, right click on it, then copy the link address and that will show the idpid and spid values.
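An added C# example (not part of the answer above) that takes the initsso link copied from the Google apps menu, pulls the idpid and spid out of it, and assembles the Start URL. The nested continue target is a single query value of the AccountChooser URL, so its own ?, & and = characters are percent-encoded rather than pasted raw as in the template; the two ids in Main are constructed sample values, not real tenant ids.

```csharp
using System;
using System.Collections.Generic;

// Added example, not from the page. Builds the account chooser "Start URL"
// with the initsso link properly encoded as the continue= value.
public static class GoogleSamlStartUrl
{
    const string AccountChooser = "https://accounts.google.com/AccountChooser";
    const string InitSso = "https://accounts.google.com/o/saml2/initsso";

    // Extracts idpid and spid from a link copied out of the Google apps menu, e.g.
    // https://accounts.google.com/o/saml2/initsso?idpid=C0...&spid=123...&forceauthn=false
    public static (string idpId, string spId) ParseInitSsoLink(string copiedLink)
    {
        var uri = new Uri(copiedLink);
        var query = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var pair in uri.Query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            query[Uri.UnescapeDataString(pair.Substring(0, eq))] =
                Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        if (!query.TryGetValue("idpid", out var idpId) || !query.TryGetValue("spid", out var spId))
            throw new ArgumentException("Link does not carry both idpid and spid.", nameof(copiedLink));
        return (idpId, spId);
    }

    public static string Build(string idpId, string spId, bool forceAuthn = false)
    {
        string continueUrl = InitSso
            + "?idpid=" + Uri.EscapeDataString(idpId)
            + "&spid=" + Uri.EscapeDataString(spId)
            + "&forceauthn=" + (forceAuthn ? "true" : "false");
        // The whole initsso URL is one query value here, so it is escaped as a unit.
        return AccountChooser + "?continue=" + Uri.EscapeDataString(continueUrl);
    }

    public static void Main()
    {
        // Constructed sample ids, not real values.
        var (idp, sp) = ParseInitSsoLink(InitSso + "?idpid=C0EXAMPLE&spid=123456789&forceauthn=false");
        Console.WriteLine(Build(idp, sp));
    }
}
```

Paste the printed URL into the Start URL field; leaving the continue target unencoded works in some browsers only because they repair it, and the encoded form is what the chooser is specified to receive.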

iOS MSAL.framework kept prompting for credentials with Azure AD B2C Edit Profile flow

I was following the active-directory-b2c-ios-swift-native-msal sample code. All was fine but when invoking edit profile flow, I was asked to enter credentials again. It was like B2C couldn't recognize that I was already authenticated and prompted me every time I went to the edit profile user flow. In comparison, this ms-identity-b2c-javascript-spa Javascript SPA works. So I don't think it's my B2C configuration.
This happened to both simulator and real device with iOS 14.x. (I didn't try previous version of iOS.) Has anyone encountered the same issue? I doubt this is the intended behavior of the sample code. Anyone aware of a solution? Thanks for the help.
As part of the call to edit profile, pass in a loginHint parameter with its value set to the user's identifier (usually their email). I believe otherwise, in the absence of loginHint, MSAL iOS will pass in prompt=login, causing the cookies to get cleared and forcing the user to log in again. The object that contains loginHint is MSALInteractiveTokenParameters.
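The same login hint exists in MSAL.NET, and since this page's main question is a Xamarin client, here is the edit-profile call written as an added C# example (not the Swift sample the question refers to). The scopes and the edit-profile authority string are placeholders, the application object is assumed to have been built for the sign-in policy already, and the hint is passed in explicitly because the identifier MSAL stores for a B2C account is not always the email.

```csharp
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example with MSAL.NET, not the iOS sample's code. The authority is
// a placeholder such as https://yourtenant.b2clogin.com/tfp/yourtenant.onmicrosoft.com/B2C_1_edit_profile
public static class B2CEditProfile
{
    static readonly string[] Scopes = { "openid", "offline_access" };

    public static Task<AuthenticationResult> RunAsync(
        IPublicClientApplication pca,
        string editProfileAuthority,
        string userIdentifier,   // the signed-in user's email, as the answer suggests
        object parentWindow)
    {
        // The login hint tells the edit-profile policy which user this is, so the
        // existing B2C session is continued instead of credentials being asked for again.
        return pca.AcquireTokenInteractive(Scopes)
            .WithB2CAuthority(editProfileAuthority)
            .WithLoginHint(userIdentifier)
            .WithParentActivityOrWindow(parentWindow)
            .ExecuteAsync();
    }
}
```

The user identifier can be taken from the id token claims returned by the sign-in call; which claim carries the email depends on the attributes the user flow is configured to return.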

Issues using Spring Social Quickstart example

I'm trying to use the Spring Social Quickstart app from the Github repo, https://github.com/spring-projects/spring-social-samples. I updated the versions in build.gradle and ran the app.
A simple page was displayed with a button, "Sign in with Facebook". If I'm not already signed in with Facebook, I get an FB error page telling me to sign in (seems a bit contradictory!). If I sign in and run the app, I get an error dialog saying:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app's Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
When I click on the "Okay" button, another error message pops up saying it "Can't Load URL" (there's more to it, but I figure the first error is the key one). This error keeps popping up every time I hit the "Okay" button.
As far as I know, everything on the Facebook app is configured correctly, but not 100% sure.
One other thing, when the "Sign in ..." button is pushed, the URL opened shows that it's trying to connect using v2.5 of the FB API. Don't know where this is being set, but it is 3 versions behind.
Going through the Spring docs as well, but there are a lot of moving pieces to work through. Any help would be appreciated.
Thanks.
So I discovered after looking more closely at the URL when the error comes up that I had the redirect URL incorrect. Once I corrected that, I was able to login and get the extra permission added.
I'd still like to know about where the version for the API is set.

Google Identity Toolkit - Twitter sign in prompts to authorize app every time

I've been using Twitter as one of the IdPs in my Google Identity Toolkit configuration. I followed all the required steps. I'm able to sign in with Twitter and it works fine for the most part, except for the 2 issues highlighted below. In my Twitter application settings, Permission is set to "Read only".
Every time I try to sign in with Twitter using an account used previously to sign in, it prompts me to "Authorize app" again. As I understand, the authorization should be one time only unless revoked. Why do I need to authorize with every sign in?
I found this thread: https://twittercommunity.com/t/why-does-my-app-need-permission-granted-every-time-the-user-authenticates-through-oauth/10251/5
It seems like the Sign in with Twitter button is routing to 'https://api.twitter.com/oauth/authorize' instead of 'https://api.twitter.com/oauth/authenticate'. Is this a bug in the GIT?
If I click Cancel instead of Authorize app, it brings me back to my callback page but I get a verifyAssertion error:
[identitytoolkit] verifyAssertion: {"error":{"errors":[{"domain":"global","reason":"invalid","message":""}],"code":400,"message":""}}
What is causing this error?
Any help would be appreciated.
Identity Toolkit is intended to use https://api.twitter.com/oauth/authorize because, according to https://dev.twitter.com/oauth/reference/get/oauth/authorize, a desktop app has to use this.
Which platform are you working on?
If you click Cancel instead of Authorize, Twitter will redirect the user to Identity Toolkit with an error response. As a result, Identity Toolkit cannot verify the user's identity, and fails the verifyAssertion.

Facebook API login error

When I'm trying to log in with my Facebook button on an ASP page (jdk) I'm getting this error:
App Not Setup: This app is still in development mode, and you don't have access to it. Switch to a registered test user or ask an app admin for permissions.
I've tried so many solutions available online, but it's not working.
So, my login JavaScript is at "http://localhost:8003/en/user/login/".
The things that I set on the facebook app are: contact mail, site url:"http://localhost:8003/"
Valid OAuth redirect URIs "http://localhost:8003/".
I have set option "Do you want to make this app and all its live features available to the general public?" to yes.
Does anyone have any idea why it isn't working?
So I made it work. I feel ashamed that it took me so long to figure it out.
I just had to put the JavaScript for FB login in the master page so it is available everywhere on the website, and localhost:port/ works as a Valid OAuth Redirect URI.