I need help to make one change on gralis spring security facebook plugin. Default configuration allows to set an appId and secret facebook credentials in Config.groovy.
I need read it from my database because I need to login with many facebook apps from the same grails app.
What is the best way to do it?
Basically you need to make custom facebookAuthUtils. You can extend default FacebookAuthUtils class, and define it as a new Spring bean, that will replace default one.
I think all you need is to override refreshAccessToken, getAccessToken and prepareRedirectUrl methods. Maybe getAuthCookie also, if you're using cookie based auth. Current methods are using applicationId and secret from config file, but you can get them from db.
Related
I have added few custom attributes for my org's requirement to registration field. Have customized the theme and added validation as per the documentation. It works fine. I could add these attributes to account management page also by modifying the account template.
However, I want to add capability to edit these custom attributes under account management as well as custom validation logic for this edit action. I can't get any reference to the documentation.
Would appreciate any help. I am using Keycloak 12.0.2 on RHEL 7.9 OS with Java 11.
I know three options for this.
You can overwrite your Keycloak source code according to your needs but i did not suggest that because of if you update source code , Using new version of keycloak will be harder.
You can relocated your custom validations on your modifying the account template.
You can write completely new interface ,which is not using directly keycloak, and you can write new backend which is using admin rest api on keycloak.By the way you can find adaptors for keycloak admin api's for different languages(For Js : keycloak-admin)
I am answering it after long time, but newer version of Keycloak from 14.0 onwards, they have something called declarative user profile which can be enabled to have custom attributes. It allows to define custom attributes from admin console. One can configure permissions for admin and the user, additionally one can configure to use inbuilt basic validators. Keycloak renders registration form and update profile form dynamically based on these attributes. However, as far as I know, as of version 18.0.2, you still need to modify account template for allowing custom attributes visible and modifiable from account management. Same validators works with just modification of template, you need not do anything in code. I am referring to Keycloak WildFly distribution, which is rechristened as legacy distribution now.
Here are the links the same -
Github User Profile
Redhat issue or umbrella task for related work
Keycloak documentation - Defining User Profile
I want to use custom claims in my Firestore security rules but I read that they can apparently be overwritten by users:
However, if the same custom user claims are defined on a user signed
in via custom authentication, the overlapping claims defined in the
custom token have higher priority and always overwrite the custom user
claims defined on a user via this API.
[https://firebase.google.com/docs/auth/admin/custom-claims][1]
Which defeats the purpose, so I guess I must be missing something?
EDIT: moved extra question to another post
A user cannot set custom claims on their own account. The only way to set custom claims on a user profile is through the Admin SDK, which requires that you have access to the project credentials of the Firebase project, something only collaborators on that project do.
I want to create custom authentication in MVC4 and log by Facebook. Also how we can use MVC4 default authentication for role management. It create relevant tables when we create internet application but there are no way to manage roles. What is the best and flexible way to create log in?
If you're using ASP.NET MVC4, you can use OAuthWebSecurity. You don't even need to use the default user-role default management schema from ASP.NET.
I've been using for a while and it's flexible enough for me because my applications already had a user-role management, so I didn't need to change my code that already exists, I just needed to add features to allow external authentication by using OAuthWebSecurity.
There are some examples like this below
http://www.asp.net/mvc/tutorials/security/using-oauth-providers-with-mvc
http://galratner.com/blogs/net/archive/2012/09/27/use-mvc-4-and-oauthwebsecurity-to-post-into-your-users-facebook-timeline.aspx
http://brockallen.com/2012/09/04/using-oauthwebsecurity-without-simplemembership/
A customer of ours has just purchased CQ5 and would like to externalize all of its security. We'd like to use an STS server for SSO and then leverage a custom authorization/attribute provider instead of the CQ5 repository. Ultimately, we do not want to use LDAP in any way.
Here is how we envision this (some pieces already working):
User browses to CQ5 Dispatcher running in Apache
Apache filter redirects user to STS site where login is completed.
User is redirected back to Apache with SAML Claims.
User ID token is placed as cookie into browser. (everything is working up to here)
CQ5 captures that cookie based on the SSO configuration (working)
Problem starts here: From here, we want to call a custom authorization provider for the user's attributes, roles, groups etc...
We have tried to figure out how to do this and can't seem to find the missing link.
Do we need to create a custom login module? Do we need to create a custom principal provider? Do we somehow use the existing LDAP capability in CQ5 but have it call a custom class which leverages the external auth source?
If anyone here has any idea how to do this, their karma quotient would be full for the year if they could share it. I'm not sure if this is a basic thing you do with JAAS or even where to put my classes after I've created them.
We've worked really hard on this so far and seem to be close, but we keep hitting dead-ends.
Thanks so much if you have an idea where to begin!!
-joe
Recent versions of AEM now include the SAMLAuthenticationHandler which allows you to:
Redirect users to SSO to simulate IDP initiated login, or
Allow AEM to perform SP initiated login with IDP
Specify attributes to take from the SAML Assertion and add to the user's profile node (not sure if you can use this for groups)
Specify which groups users should be added to
Set a cookie called request-path that will store the URL the user arrived at, and then redirect them to that location when they're authenticated (ie. deep linking)
This makes relying on the SAMLAuthenticationHandler better than using Apache to redirect. The current version of the handler bundled with AEM 6.2 does not properly set the cookie when using the redirect method, but Adobe does have an updated version that they can provide that will fix that problem.
I normally recommend that clients do not have their own authentication handlers developed inside AEM.
When not using LDAP, this does create an issue where users will not exist until they've logged in. Additionally, when your architecture includes more than one load balanced publisher, it is possible that a user may exist on one server user synchronization.
Try searching the google group for SSO details. Here's one useful post:
http://groups.google.com/group/day-communique/browse_thread/thread/72c235c83a501252/fba4d08a90487156?lnk=gst&q=SSO#fba4d08a90487156
It seems that you will have to implement a custom LoginModule, more information here: http://dev.day.com/docs/en/crx/current/deploying/custom-login-modules.html
I'm building a Multi-Tenant application and I'm struggling incorporating a Facebook Login into the web application.
The tenants are using a sub-domain for example
http://tenant-1.domain.com/
http://tenant-2.domain.com/
http://tenant-3.domain.com/
So, I have created an application and when it comes to add the Website, how can I make it to be available in all tenants? Something like:
But of course, that does not work, and if I add just http://domain.com/ it does not work either on http://tenant-1.domain.com/ as soon I click in the <fb:button-login> I get:
How do I do this, without creating a specific FB App for each tenant?
I'm using this to help persons to subscribe their account, I just want the login to get name and email, or they need to fell that up in the name and email boxes...
This is not possible, but there are options to workaround. I think probably the best would be to use a single domain to perform the authentication, specified as the redirect_uri. On this redirect_uri you can append some query parameters, for example your redirect_uri could be:
http://auth.domain.com/auth.php?tenant=tenant-1
Then in the code for auth.php you would grab this tenant parameter from the query string, authenticate the user, store their access token and then immediately redirect them back to tenant-1.domain.com
I'm not sure if this solution will be something you prefer, but it is currently not possible to specify subdomains for authentication, so this or a similar workaround is necessary.