I am trying to pass tenant id as parameter to identityserver4 implicit grant end point. The client is written using angularjs, are there any examples to pass the tenantid from angular app to identityserver4 end point.
I have found that this feature was implemented using acr_values. More details are here - https://github.com/IdentityServer/IdentityServer3/issues/348
yes of course. you can always pass userID or any other variable in the state variable of your AUth request. if you include userID as a parameter in your request URL when sending it to Auth server, it'll return the state to redirect URI. which means you'll have access to it there. the issue is when an implicit request is being sent, it practically detaches your app from server cause the response URI (possibly) is in a different state/page. so by passing it as in state, the authorization server includes this value when redirecting the user-agent back to the client.
public Authenticationrequest() {
var client_id = "YOUR-CLIENT-ID";
var scope = "OPTIONAL";
var redirect_uri = "YOUR_REDIRECT_URI";
var response_type = "token";
var authserver = "YOUR-AUTH-SERVER-URL?";
var state = "OPTIONAL"; // put UserID here
var AuthenticationURL = authserver + "response_type=" + response_type + "&scope=" + scope + "&client_id=" + client_id + "&state=" + state + "&redirect_uri=" + redirect_uri;
return AuthenticationURL;
};
Related
i'm making an IOT project with an esp32
the webApi key is hardcoded in a #define.
i have this code working for the auth part
String url = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=" + String(apiKey);
http.setTimeout(2000);
http.begin(url);
http.addHeader("Content-Type", "application/json");
String dataSent = "{\"email\":\"" + String(email) + "\",\"password\":\"" + String(pswd) + "\",\"returSecureToken\":\"true\"}";
// Issue the HTTP POST request.
int status = http.POST(dataSent);
Serial.println(status);
it returns 200 and the response is parsed, and the idToken is stored in my String token
when i try to make a patch to firestore it returns 401
String url = "https://firestore.googleapis.com/v1/projects/timer-test-soulx/databases/(default)/documents/devices/" + uniqueID + "?key=[" + apiKey + "]"; //working ok
http.setTimeout(1000);
http.begin(url);
http.addHeader("Authorization", "Bearer " + String(token)); //needs fixing
http.addHeader("Accept", "application/json");
http.addHeader("Content-Type", "application/json");
// Issue the HTTP POST request.
int status = http.PATCH(dataSent);
my rules are allow read, write: if request.auth != null;
already tried changing the rules to allow read and write, then commenting out the authorization header and it works perfectly. so i think its clear the problem is the authorization header. am i using a wrong token?
I have a realm with several OpenId clients using SSO. I need to determine from which client each Keycloak user came from.
How can I get this information?
Answering my own question.
I didn't find natively this information in Keycloak's token. So I added a script.
In Authentication > Registration flow, I add an execution of type "Script" with the following function:
function authenticate(context) {
var username = user ? user.username : "anonymous";
var uri = context.getUriInfo();
LOG.info("setClientIdAttribute for URI " + context.getUriInfo().getRequestUri());
if (uri !== null) {
var clientId = uri.getQueryParameters().getFirst("client_id");
if (clientId !== null) {
LOG.info("Attribute 'origin' set with value " + clientId + " for user " + username);
user.setSingleAttribute('origin', clientId);
}
}
context.success();
}
If decoded each JWT has parameter azp, which is the client id.
If you decode the token, the field "aud" is your "client_id".
Check this information using jwt.io.
My facebook login url
https://graph.facebook.com/v2.3/oauth/access_token?client_id=1105783646200782&redirect_uri=http://petmilyapp.com/test3.php&client_secret=69389226fe79865b3ab557f17e8e54ad&code=AQCgR8S7oM2eZWQVP_U8ieBmPcEy_ztQ3LGbcYDsAGWnn0343kOyS6t6_n8AWGggUbF7ib9pU-q4Nr2QBewRMFLe_MROdzpgvhdYwRaFZlr6geC9pESjUrGGNHxEqkjwftVBbmGd4_QOkZAFNJnJQYeW8hvyHhfgiY-W02HTczpMa3PIIGL6OGO0qoRN8KWkBi84qMBNCQ_OF84u-r9kfeoYML9_BUVJf5LCuzIBYBsQmbrNHBwiYKKHyo3MaUC_k2WRirhFk1mSPfWwwihw3U04hIxYX_KG6qSwZ1wmlp3mhYMdP4FuA2VYIg8i7WwZQxyYzonoDyuH6ZuYq_Rb6qi6
response error
message: "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request"
question
What problem in my url?
All param is getted facebook dev (my app).
I know maybe its too late but I just wanted to comment. If you still having this issue, make sure that you have same FacebookCallBack method name everywhere. I mean, for instance I have an External Login function which returns ;
https://www.facebook.com/dialog/oauth?client_id=" + FB_APP_ID + "&redirect_uri=" + System.Net.WebUtility.UrlEncode(pageUrl + "account/**FacebookLoginCallback**?returnUrl=%2F").Replace("%3F", "&") + "&scope=email&enforce_https=1
and also I have a FacebookLoginCallback method which has exactly the same name with I have above. ("account/FacebookLoginCallback?....")
[HttpGet("**FacebookLoginCallback**")]
public async Task<IActionResult> **FacebookLoginCallback**(string code, string returnUrl)
{
try
{
var myUrl = new Uri(HttpContext.Request.GetDisplayUrl()).GetLeftPart(UriPartial.Authority);
var pageUrl = new UriBuilder(myUrl);
var result = (IDictionary<string, object>)fb.Get("oauth/access_token", new
{
client_id = FB_APP_ID,
client_secret = FB_APP_SECRET,
redirect_uri = pageUrl.Uri.AbsoluteUri.TrimEnd('/') + Url.Action("**FacebookLoginCallback**", "Account", new { returnUrl = returnUrl }),
code = code
});
}
......
}
Please double check your variable/function names if you have those in your url.
Happy Coding
First, both redirect_uri paramaters to authorize and access_token must match.
I am using IdentityServer3 and would like it so that User.Identity.GetUserName() and User.Identity.GetUserId() return the values stored in the Claims. Right now I see them in the claims as "sub" and "email". Is it possible to either:
Make IdentityServer3 return these as Claims? I'm guessing they would be nameidentifier and name.
Add the claims once the client app authenticates so that the User.Identity methods are usable.
Hopefully this made some sense and I appreciate any feedback.
I think I figured it out.
I added a new Scope to the Scopes class:
new Scope
{
Name = "public",
DisplayName = "Public scope",
Type = ScopeType.Identity,
IncludeAllClaimsForUser = true
}
Then I modified my login url in the SignIn action of the AccountController:
var url = Settings.AuthorizeEndpoint +
"?client_id=" + Settings.ClientId +
"&response_type=id_token" +
"&scope=openid email profile public" +
"&redirect_uri=" + Settings.RedirectUri +
"&response_mode=form_post" +
"&state=" + state +
"&nonce=" + nonce;
That seemed to do the trick.
I'm trying to change Box folder collaboration type for user from salesforce Apex trigger. The first thoughts were to use box.Toolkit but it looks like this class does not have updateCollaboration or changeCollaboration method, only create. I guess my only option is to use Box's Rest API. Is there any way I can get service account token in Apex so I can use it in a callout?
I have created a special "Tokens" object in Salesforce with two fields: access token and refresh token. I then have a batch job that runs to update the access token every 55 minutes such that they never expired.
Here is a code snippet in APEX using the Tokens object.
#future(callout=true)
public static void updateTokens(){
//app info for authenticating
String clientID = 'MY_CLIENT_ID';
String clientSecret = 'MY_CLIENT_SECRET';
//look up value of existing refresh token
Token__c myToken = [SELECT Name, Value__c FROM Token__c WHERE Name='Refresh'];
Token__c myAccessToken = [SELECT Name, Value__c FROM Token__c WHERE Name='Access'];
String refreshToken = myToken.Value__c;
String accessToken = myAccessToken.Value__c;
//variables for storing data
String BoxJSON = '';
String debugTxt = '';
//callout to Box API to get new tokens
HttpRequest reqRefresh = new HttpRequest();
reqRefresh.setMethod('POST');
String endpointRefresh = 'https://www.box.com/api/oauth2/token';
reqRefresh.setEndpoint(endpointRefresh);
String requestBody = ('grant_type=refresh_token&refresh_token=' + refreshToken + '&client_id=' + clientID + '&client_secret=' + clientSecret);
reqRefresh.setBody(requestBody);
System.debug('Body of refresh request: ' + requestBody);
//Create Http, send request
Http httpRefresh = new Http();
Boolean successRefresh = false;
while (successRefresh == false){
try{
HTTPResponse resRefresh = httpRefresh.send(reqRefresh);
BoxJSON = resRefresh.getBody();
System.debug('Body of refresh response: ' + BoxJSON);
successRefresh = true;
}
catch (System.Exception e){
System.debug('Error refreshing: ' + string.valueof(e));
if (Test.isRunningTest()){
successRefresh = true;
}
}
}
Keep in mind that if you are using the Box for Salesforce integration your administrator can set the option for the permissions on the folders to sync with Salesforce permissions. This would reverse any changes you make to collaborations. Check out more about Box's Salesforce integration permissions here: https://support.box.com/hc/en-us/articles/202509066-Box-for-Salesforce-Administration#BfS_admin_perm