OpenAM as single sign-on in Redmine is working for me, but I can't sign out from Redmine. This is the error I get:
HTTP Status 400 - Error processing LogoutRequest. Single Logout Response Service location not found.
The config file is:
Redmine::OmniAuthSAML::Base.configure do |config|
config.saml = {
:assertion_consumer_service_url => "http://xxxxx/redmine/auth/saml/callback", # The redmine application hostname
:issuer => "Redmine", # The issuer name
:idp_sso_target_url => "http://xxxxxx:8080/openam/SSORedirect/metaAlias/idp1", # SSO login endpoint
:idp_cert_fingerprint => "DE:xxxx", # SSO ssl certificate fingerprint
:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
:signout_url => "http://oxxxx:8080/openam/IDPSloPOST/metaAlias/idp1",
:idp_slo_target_url => "http://xxxxxx:8080/openam/IDPSloRedirect/metaAlias/idp1",
:name_identifier_value => "mail", # Which redmine field is used as name_identifier_value for SAML logout
:attribute_mapping => {
# How will we map attributes from SSO to redmine attributes
:login => 'extra.raw_info.username',
:firstname => 'extra.raw_info.first_name',
:lastname => 'extra.raw_info.last_name',
:mail => 'extra.raw_info.email'
}
Please help me fix it.
Your ruby app protected by omniauth is not defining any Single Logout Service URL so if there is any SLO flow, the IdP doesn't know where to send the LogoutRequest / LogoutResponse.
ruby-saml defines it as 'assertion_consumer_logout_service_url' or 'single_logout_service_url', and here is how the ruby-saml toolkit process a SLO
Sadly omniauth does not support yet this feature, but there is a PR that you can apply.
Related
I'm trying to upgrade my APEX application (APEX 20.2.0.00.20) with a Keycloak authorization procedure.
What I am doing:
A - On Keycloak:
Realm: we already have a realm configured, which is used by other apps, in other development technologies.
1 - Client configuration - first attempt:
Root URL: ${authBaseUrl}
Valid Redirect URIs: /realms/[realm]/[client]/*
Base URL: /realms/[realm]/[client]/
Web Origins: *
2 - Client configuration - second attempt:
Root URL: empty
Valid Redirect URIs: http://[APEX app IP]:7020/*
Base URL: http://[APEX app IP]:7020/ords/[workspace]/r/[app_name]/
Web Origins: *
APEX configuration:
Authentication Scheme:
Credential Store: [APEX webcredential configured to keycloak client]
Authentication Provider: generic oauth2 provider.
Authorization Endpoint URL:
https://[keycloak address]/auth/realms/[realm]/protocol/openid-connect/auth
Token Endpoint URL:
https://[keycloak address]/auth/realms/[realm]/protocol/openid-connect/token
User Info Endpoint URL:
https://[keycloak address]/auth/realms/[realm]/protocol/openid-connect/userinfo
Token Authentication Method: basic authentication and client id in body
Scope: email
Authentication URI Parameters: empty
Username: #sub# (#APEX_AUTH_NAME#)
Convert Username To Upper Case: no
Verify Attributes: yes
** Tests **
I run my APEX app URL in workspace.
Test result of Client configuration nr. 1:
The following URL is shown as result:
https://[keycloak host]/auth/realms/[realm]/protocol/openid-connect/auth?response_type=code&client_id=[client_name]&scope=email&redirect_uri=http://[APEX address]:7020/ords/apex_authentication.callback&state=[A TOKEN/HASH]
And on the screen, the keycloak background image with the message:
Invalid parameter: redirect_uri. and a return to application link.
Test result of Client configuration nr. 2:
The keycloak login URL is activated and the login form is shown.
I type my user and password (keycloak user, configured on the client) and submit.
The following URL is shown as result:
https://[keycloak host]:7020/ords/apex_authentication.callback?state=[A TOKEN/HASH]
And on the screen, a APEX grey background (I know is a apex screen because a error with the icon is shown here) with the message:
Error processing request.
Contact your application administrator.
Question:
I think the second configuration is better, because I can do the Login on keycloak, but the redirect by keycloak to APEX fails, I think I APEX side.
Maybe any information sent by keycloak is wrong or it is missed.
Anyone knows what is the right configuration in APEX and keycloak?
For the last few days I’ve struggled getting AM6(Forgerock Access Management) to work with the same config as AM5. I’m trying to validate a session, after an user performed the OpenID Connect Authorization Code Flow.
My setup:
I’ve deployed an AM instance
Configured OpenID Connect from the Common tasks.
Added an OAuth2 client, from Applications -> OAuth 2.0. Setup all configs: redirect uris, scopes lifetimes etc and set “Token Endpoint Authentication Method” to client_secret_post
(OPTIONAL) Added implied consent to OAuth 2.0 Client, and then set Services -> Oauth2 Provider -> Consent -> Allow clients to skip consent = true
My token usage:
After redirecting the user to the login screen(and receiving the code), I make a POST to the token endpoint (/oauth2/access_token) with form_params
(
[client_id] => my_client
[client_secret] => my_client_pass
[code] => a5867a21-4d5a-4285-ba07-dcbe46d53bc6
[redirect_uri] => http://localhost:3000/auth/callback
[grant_type] => authorization_code
)
The redirect_uri endpoint receives access_token and id_token
(
[access_token] => e78569fb-e162-4e4f-ab5e-79ebeaf2ba94
[scope] => openid offline_access profile email
[id_token] => eyJ0eXAiOiJKV1QiLCJraWQiOiJiL.......
[token_type] => Bearer
[expires_in] => 35999
)
(HERE’S THE PROBLEM) I then check to see if the user’s session, with the given id_token, is still valid (he has logged out or not)
I make a POST to the sessions endpoint(/json/sessions) with
(
'headers' => [
'Accept-API-Version' => 'resource=1.2'
],
'query' => [
'_action' => 'validate',
'tokenId' => eyJ0eXAiOiJKV1QiLCJraWQiOiJiL082T.......
],
)
When tried against AM5 I get
{"valid":true,"uid":"my-user-here","realm":"/"}
When tried against AM6.0.0.4 I always get:
{"valid":false}
Am I missing something which prevents the generated openid id_token to be available in the sessions endpoint?
If anyone stumbles across the same issue, I've found that I missed an important setting that was added in AM6: Authorized OIDC SSO Clients.
This forces your session id to be the same as your id_token from OpenID Connect.
Another solution would be to look into using the /oauth2/connect/checkSession endpoint for validating the token
I am new to Uber API, I just started exploring the Uber API's.
I have downloaded the complete Uber API repository from https://github.com/stevenmaguire/uber-php/issues/17
I have downloaded the complete repository using the composer. It shows that all dependencies were downloaded successfully. but when I am using the API, I am getting this error
Blockquote"SSL certificate problem: self signed certificate in certificate chain"
Please help me in this, I have raised this issue 8 days back on the Github no one is replied.
Here is my code
Thanks in Advance.
Rakesh
Here is my code`
<?php
require __DIR__ . '/vendor/autoload.php';
$client = new Stevenmaguire\Uber\Client(array(
'access_token' => '********',
'server_token' => '********',
'use_sandbox' => false, // optional, default false
'version' => 'v1.2', // optional, default 'v1.2'
'locale' => 'en_US', // optional, default 'en_US'
));
$products = $client->getProducts(array(
'latitude' => '41.85582993',
'longitude' => '-87.62730337'
));
var_dump($products);
?>
`
I'm looking for a codeception configuration to use the Codeception REST Module to make calls against a secured https url.
For example I want to check the online status of our slack bot:
$slackApiUrl = 'https://slack.com/api/users.getPresence';
$params = [
'token' => $apiToken,
'user' => $botUserId,
];
$I->sendPOST($slackApiUrl, $params);
When I execute the test, I'll get a guzzle error like
[GuzzleHttp\Exception\ConnectException] cURL error 35: SSL: CA certificate set, but certificate verification is disabled (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I knew, that the default of codeception switch off https secured urls but how can I activate https, when I need it?
My suite.yml:
class_name: AcceptanceTester
modules:
enabled:
- REST:
url: *****
depends: PhpBrowser
- PhpBrowser
- Asserts
- \Helper\Acceptance
I could answer myself. It`s the codeception version. After updating to Codeception v2.2, the same test works like expected.
Codeception PHP Testing Framework v2.2.8
Powered by PHPUnit 5.7.15 by Sebastian Bergmann and contributors.
[Groups] slack
Acceptance (live) Tests (1) --------------------------------------------------------------------------
Modules: REST, PhpBrowser, Asserts, \Helper\Acceptance
------------------------------------------------------------------------------------------------------
slackCest: Check slack bot online status
I send post "https://slack.com/api/users.getPresence"
[...]
[Response] {"ok":true,"presence":"active"}
I am going to Check SlackBot online status
I see response contains json {"ok":true,"presence":"active"}
PASSED
Im' trying to use facebook api with perl module Facebook::Graph
First step, get che code:
my $fb = Facebook::Graph->new(
app_id => 'xxxx',
secret => 'xxxx',
postback => 'http://xxxxx/fb_postback',
);
my $uri = $fb
->authorize
->uri_as_string;
Now I have the code param and I try to get the auth token:
$fb->request_access_token($RETURNED_PARAM_CODE);
The server log this error:
Could not fetch access token: TLS support not available on this system at perl5/site_perl/5.10.0/Facebook/Graph/AccessToken/Response.pm line 26.
Any ideas?
Install Net::SSLeay and AnyEvent::TLS, or better upgrade Facebook::Graph to >= 1.0502.