Redirection Loop. Not able to get into the root cause - redirect

Here are my pages:
Login Page: if user login info is valid, redirect to destination URL (ex: https://int63.xyz.co.uk/base/page/mydetails.jsp), else display login page
LoginServlet Page: if user has an open session, redirect to the proper resource, else redirect to login page
Destination URL: It redirects the request back to the Login URL, which then makes it a repetitive call.
In the above scenario, when I clear my browser history and cache and then hit the target page, it gives me the login page as expected. But when I enter correct details it goes into an infinite loop (that's what I can capture in logs).
The request is getting successfully authenticated on the login page and sent across to the LoginServlet page fine. But I am unsure what processing is done at the application end and why it redirects back to the login page.
Any ideas how I can solve this problem?
We don't use any .htaccess file; instead we follow the mechanism of Identity and Access Management, wherein we create junctions and control access to them through ACLs.

Thanks all for the help provided on this issue.
I figured out what the problem was.
When I said it was making a redirection loop, it was because of cross-domain request forwarding. It was authenticating the users on abs.com and was sending the request to some abs.co.uk, so the page on abs.co.uk was not able to recognize it and was sending the request back to abs.com, which again forwarded the request to the same page as it had already authenticated this user.
So this cross-domain forwarding of the request was the reason for this loop; I then made changes to get it working in the same domain.
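As an added illustration (not part of the question or the answer above), the following simulation walks the login flow with a browser-like cookie jar that applies RFC 6265 domain matching, showing why a session cookie issued under abs.com is never presented to abs.co.uk and the redirects never converge. The host names, cookie name and the folding of the login page and LoginServlet into one host are assumptions made for the example.

```python
# Added example: redirect loop caused by a session cookie scoped to another domain.
# Host names, the cookie name and the merged login/LoginServlet host are constructed.
MAX_REDIRECTS = 10
DESTINATION = "/base/page/mydetails.jsp"   # destination path quoted in the question


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for(jar: dict, host: str) -> dict:
    """Cookies a browser would attach to a request for `host`."""
    return {name: value for (domain, name), value in jar.items()
            if domain_matches(host, domain)}


def simulate(login_host: str, app_host: str, cookie_domain: str):
    """Follow destination -> login -> destination ... with a shared cookie jar.
    Returns ("ok", hops) when the destination renders, or ("loop", hops) when the
    redirect budget is exhausted, which is what the question's logs showed."""
    jar = {}                       # (domain, name) -> value, like a browser cookie jar
    url = (app_host, DESTINATION)  # user hits the target page first
    hops = []
    for _ in range(MAX_REDIRECTS):
        host, path = url
        hops.append(host + path)
        if host == app_host:
            if "SESSION" in cookies_for(jar, host):
                return "ok", hops                     # session visible: page renders
            url = (login_host, "/login")              # no session: send to login
        elif "SESSION" in cookies_for(jar, host):
            url = (app_host, DESTINATION)             # open session: back to destination
        else:
            # Login form: credentials are valid, so a session cookie is issued
            # scoped to cookie_domain and the user is redirected to the destination.
            jar[(cookie_domain, "SESSION")] = "constructed-session-id"
            url = (app_host, DESTINATION)
    return "loop", hops


if __name__ == "__main__":
    print(simulate("login.abs.com", "app.abs.co.uk", "abs.com"))  # cross-domain: loop
    print(simulate("login.abs.com", "app.abs.com", "abs.com"))    # same domain: ok
```

The `hops` list is the trace a defender would expect to see in the server logs; a bounded redirect budget like MAX_REDIRECTS is also what browsers use to stop such loops.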

Related

Authorization callback URL from github not working, looping same page

So I'm building a website that requires the user to be GitHub authenticated in order to create and publish blog posts via the Netlify CMS.
So in GitHub I've added the application.
The homepage is set as:
https://example.netlify.com
In order to reach the admin area of the site to post blogs and such, the user must navigate to
https://example.netlify.com/admin/ and authenticate via GitHub.
Now the authentication part is working; I am logging into my GitHub account, but it loops back to the OAuth page with a weird URL:
https://example.netlify.com/admin/?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=5d971eb88a5073cf804e90d5#/collections/blog
I've set my Authorization callback URL to:
https://example.netlify.com/admin/#/collections/blog
which is where the user should log in to in order to post blogs and articles.
So why does it keep looping? I've obviously set up a field incorrectly; I'm assuming that my Authorization callback URL is incorrect?
Error = redirect_uri_mismatch
error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.
error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch
The main clue in this error message is redirect_uri_mismatch; if you take that and google it you will begin to understand the problem. Part of the security with identity servers is that the redirect URI, that being the redirect URI that the identity server returns your authorization to, must be registered on the identity server itself. Someone can't just send a request on behalf of your application and get the authorization back on their own site.
So whatever redirect URI you are sending in your application needs to be registered over on GitHub for the authorization to work. It's currently not.
You can read more about it here: Troubleshooting OAuth App access token request errors
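As an added example (not code from the question or the answer), here are the two checks behind that error, written from the authorization server's side: decoding the URL the user landed on, and a strict redirect_uri comparison. The registered callback values come from the question; the `redirect_uri` the client sends and the strict equality rule (scheme, host:port, path) are assumptions for illustration, not GitHub's exact implementation.

```python
# Added example: why a callback registered with a fragment can never match.
from urllib.parse import urlsplit, parse_qs


def explain_error_redirect(url: str) -> dict:
    """Pull error, error_description and state out of the URL the user landed on.
    Everything after '#' never reaches the server; it is reported separately."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return {
        "error": q.get("error", [""])[0],
        "description": q.get("error_description", [""])[0],
        "state": q.get("state", [""])[0],
        "client_side_fragment": parts.fragment,
    }


def redirect_uri_check(registered: str, requested: str) -> tuple:
    """Return (ok, reason). RFC 6749 s3.1.2: a redirect URI is absolute and MUST NOT
    contain a fragment, so '#/collections/blog' in the registration can never be
    matched by a redirect_uri sent by the client (assumed strict-equality rule)."""
    if "#" in registered:
        return False, "registered callback contains a fragment"
    if "#" in requested:
        return False, "redirect_uri contains a fragment"
    reg, req = urlsplit(registered), urlsplit(requested)
    for u in (reg, req):
        if not (u.scheme and u.netloc):
            return False, "redirect URI must be absolute"
    if reg.scheme.lower() != req.scheme.lower():
        return False, "scheme mismatch"
    if reg.netloc.lower() != req.netloc.lower():
        return False, "host/port mismatch"
    if reg.path != req.path:
        return False, "path mismatch"
    return True, "ok"


if __name__ == "__main__":
    landed = ("https://example.netlify.com/admin/?error=redirect_uri_mismatch"
              "&error_description=The+redirect_uri+MUST+match+the+registered+callback"
              "+URL+for+this+application.&state=5d971eb88a5073cf804e90d5#/collections/blog")
    print(explain_error_redirect(landed))
    sent = "https://example.netlify.com/admin/"   # constructed: what the client sends
    print(redirect_uri_check("https://example.netlify.com/admin/#/collections/blog", sent))
    print(redirect_uri_check("https://example.netlify.com/admin/", sent))
```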

Spring Boot OAuth2 after login wrong redirect url

I am using Spring Boot with Spring Security, and authentication is OAuth2. I have separate authentication, resource and front servers.
My problem is that after logging in, the system cannot redirect to the main page or home page. It goes to a random image page like (localhost:7080/app/img/search.png).
But after logging in and the system redirecting to the random page, if I make a request directly to the main page localhost:7080/app/#/platform, it's OK; it can open the main page.
The access token and refresh token exist and are valid on MongoDB. I am not sure, but it looks like after logging in, the front server or resource server cannot redirect the user to the main page.
I don't know who is responsible for this redirection: front-end configuration or front-end code? Resource server config/code or authentication server?
What should I see in the DB when I check the access token and refresh token?
There is too much config code and too many files; I don't know how I can show all of them. I hope someone can help me.
In such a situation, browser network logs will help you.
After login, check whether the redirect from the authentication server has the proper location in the Location header.
If the location is right as per the configuration, then the problem will be in the client server; otherwise you need to check the authentication server.
Hope it will give a proper direction to the investigation.

OAuth 2 hash security vulnerability

This page says when a user finishes an OAuth 2 login, and is redirected to your site with the access code, #_=_ is appended to the redirect URL.
According to the site:
The hash fragment is appended to your URL to prevent a security vulnerability.
Can anyone explain this? I can't see how it would affect anything.
This is done to remove any fragments that might already be present in the URL, as the behavior during redirects is not specified in any specs.
This is in turn to prevent information passed in the url to an endpoint on Facebook's domain to leak to the page that is redirected to.
Information on a URL presented after the # mark won't be sent to, for instance, proxy servers, and won't be logged on the web server log file.
The reason is that this information won't be sent to the server, however, will be available for the website to access (through JavaScript, for instance).
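As an added example (not from the question or the answer), the following shows how a browser resolves a 3xx Location when the request URL already carries a fragment (RFC 7231 s7.1.2: a Location without a fragment inherits the request URL's fragment), and what the server and the landing page's JavaScript each get to see. The hosts, paths and the "session=topsecret" fragment are constructed for illustration.

```python
# Added example: fragment inheritance on redirect, and what '#_=_' changes.
from urllib.parse import urljoin, urlsplit, urlunsplit


def follow_redirect(request_url: str, location: str) -> str:
    """URL the browser navigates to after a 3xx with the given Location header.
    If Location has no fragment of its own, the request URL's fragment carries
    over; that carry-over is what the '#_=_' suffix blocks."""
    target = urljoin(request_url, location)
    if "#" in location:
        return target                        # Location's own fragment wins, even '#_=_'
    req = urlsplit(request_url)
    if not req.fragment:
        return target
    t = urlsplit(target)
    return urlunsplit((t.scheme, t.netloc, t.path, t.query, req.fragment))


def sent_to_server(url: str) -> str:
    """What the HTTP request (and so any proxy or access log) contains: no fragment."""
    t = urlsplit(url)
    return urlunsplit((t.scheme, t.netloc, t.path, t.query, ""))


def seen_by_page_script(url: str) -> str:
    """What window.location.hash would expose to JavaScript on the landing page."""
    frag = urlsplit(url).fragment
    return "#" + frag if frag else ""


if __name__ == "__main__":
    at_provider = "https://www.facebook.com/dialog/oauth?client_id=1#session=topsecret"
    plain = follow_redirect(at_provider, "https://app.example.com/cb?code=AQ")
    guarded = follow_redirect(at_provider, "https://app.example.com/cb?code=AQ#_=_")
    print(plain, "->", seen_by_page_script(plain))      # provider's fragment leaks to the app
    print(guarded, "->", seen_by_page_script(guarded))  # only '#_=_' reaches the app
    print(sent_to_server(plain))                        # the server never sees either
```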

Detect when a user comes through the new Facebook Authenticated Referrals

With the new Authenticated Referrals in the new FB auth system, the user logs in before even hitting my app.
My question is, is there any way to detect when a user has just come from one of these authenticated referral dialogs? For example, by specifying the redirect_uri on them and appending some GET params.
If you go to https://developers.facebook.com/apps/YOUR_APP_ID/summary you can set the domain and the website of your application.
Facebook, for security reasons, will only redirect to the website you set here, passing you some parameters in the HTTP GET URL (for example the access token just generated for that user). To decide which of these parameters you want to receive you have to go to Settings -> Auth Dialog, then at the bottom of the page Authenticated Referrals -> Auth Token Parameter.
EDIT:
If you want to be sure that a user just used the auth dialog you can use a simple workaround: read the access token from the URL, then check if this is the first time you see this token; if so, you can test the validity of the token by performing a simple operation that the particular user accepted you (or better, your Facebook app) can do with his profile. The easiest way is probably to send a request to:
https://graph.facebook.com/me?access_token=...
If the token is valid then it IS reliable.
I've been working on this problem myself. It would have been a lot better if Facebook just passed auth_ref=true or something. Anyway, I came up with a system that seems to work for me using cookies.
I already have a page that I use as the redirect URL for the FB auth dialog. This page initializes the user and sets a cookie. If that cookie is not present and the signed request has a token, then I redirect to this page. I can't tell if the user either came from an authenticated referral or some other path like a bookmark, but it doesn't matter for my purposes.
You can see the details at:
http://developsocialapps.com/authenticated-referrals-facebook-apps/
Basically something like this:
// on somepage.php: decode the signed_request payload and look for a token
$parts = isset($_REQUEST['signed_request']) ? explode('.', $_REQUEST['signed_request'], 2) : array();
$payload = count($parts) == 2 ? json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true) : null;
$hasToken = is_array($payload) && isset($payload['oauth_token']); // signature is not verified here
if ($hasToken && !isset($_COOKIE['fb_initialized'])) {
    header('Location: /redirect.php');
    exit;
}
// on redirect.php: mark the user as initialized, then send them back
setcookie('fb_initialized', '1', 0, '/');
header('Location: /somepage.php');
exit;

Facebook logs me out after authentication via oauth on external site

Just to recap the process:
I call https://graph.facebook.com/oauth/authorize?client_id=.. to get a code.
This redirects the user to the Facebook login page. They log in. A FB session is created in their browser.
The browser redirects to http://www.mysite.com/connect/callback?code=..
I take that code and exchange it for a token: https://graph.facebook.com/oauth/access … ent_id=...
I use that token to call the Graph and REST APIs, doing stuff on the user's behalf like querying on me.
To clarify, I know the token works as I can request information on /me.
My problem is that when I access facebook.com in another tab, I get told that I need to log in and it kicks me out.
I've added functionality to curl to save cookies and I get:
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
.facebook.com TRUE / FALSE 1134567810 datr 1121456789-111cabef6e8b649338941b9ab289739a38803ec932211a0bec3ee8
Is this correct? Is there anything more that should be there?
Should I be able to authenticate to FB with my external site and then access FB without getting kicked out?
Thanks for any help, I will appreciate it.
Ignore this, as I was always using one tab for the Facebook page and refreshing it. Apparently there's something in the links of Facebook that carries session data. Once I started closing the link when I logged out of Facebook and then opening either a new window or tab and then logging into Facebook, it's fine.