I have this GWT application which login/logout to a server.
The server side is ok as it can login/logout a connection.
However I need that when the application login in with a browser, the application will stay logged in for each new instance of the application.
Use cookies on the browser to store login details. When a new tab is opened, and requests the page from the server, the cookies will be passed along automatically and you can log the user in from there.
Make sure you understand the security implications of storing login details in cookies before deploying this strategy!
You could store the information if a user has been successfully authenticated in the http session on the server side and provide a service like
public boolean isAuthenticated();
which checks that property.
Before showing any sensitive information in the client, call that service to make sure, the current user is authenticated. I would recommend not to store login credentials in a cookie.
Related
We have a Keycloak 18.0.2 with realms integrated to external IdP (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in login events. And had users reporting that they were only able to login if they cleared their browser’s cache and cookies.
We found some ways to reproduce this behaviour in dev environment:
Multiple browser tabs:
At the browser, tab 1, user opens application menu-navigator and is redirected to the External SSO login page (after Keycloak auth flow redirection). We see this login page being initialized with cookie KC_RESTART (auth endpoint).
At the same browser, tab 2, user opens application dashboard-frontend and follows a similar flow as previous app.
Both websites are written in Vue.JS and are using oidc-client-ts library. When initialized, OIDC lib loads the realm metadata, creates a user storage, and executes signin flow. After user is authenticated and has an active session KC_RESTART cookie is expired.
As a result, when user back to tab 1 which is opened at step and try to login, user encounters an error since system cannot find authentication session and then try to use KC_RESTART cookie to reset authentication session however the cookie is even not there since it is expired at step c.
Then user is redirected to Keycloak and sees the Cookie not found message.
Stale sessions:
User opens the application (menu-nav or dashboard), sign in, do some operations, and close the tab.
Users opens the application again in a moment between Session Idle and Session Max timeouts.
User is redirected to Keycloak and sees the Cookie not found message.
We’ve seen the message in other situations, but we couldn’t consistently reproduce.
While we were debugging this problem, we saw a Keycloak redirection to applications call-back endpoint with erro=login_required. So, we decided to handle this and other possible errors trying to make the client app do a silent signin or do a signin redirect if signin silent fails.
This seems to be effective to that error and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code which we believe it’s OK and associated with the session max timeout and makes user go to the SSO login screen.
Any thoughts about this?
I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.
My application uses Facebook connect server-side login (using o-auth).
This means that the user gives power to the server to do action on his behalf.
Once the server received the TOKEN from Facebook, it set a "SESSIONID" attribute on the users request.
On the client side, I implemented this using a WebView, i.e. When the user opens the application for the first time, theres a webview with a facebook connect button, when it clicks on the button he will go to my server, get redirect to facebook and start the whole server-side login chain.
What is the best way to move the SESSION ID from the WebView, onto the other controllers?
Where is the best way to store it (Android/iPhone)
How should I append this SESSION ID on each request? Do i need to add a new header each time i send a request to my servers? (Since the session was set on the WebView "browser" and then is moved to the native client i assume the session is closed. correct?)
I am trying to implement a oauth authentication in a gwt application.
In this, initially a login page is shown- here the user chooses his oauth provider, then some data is stored in session and user is redirected to the oauth provider. After login, he is sent back to another page within the same GWT application.
That is how I want the flow to be, but I am confused about the data stored in session- the data stored before the user went to oauth provider's website, will that still be accessible after the user is sent back, post successful login? Are there any conditions/catches in storing data in session, in a GWT application, that will affect the above scenario?
If your server side is java, everything in GWT is a servlet so there's really no difference in how GWT works. Session has an expiry time once session is created it will be visible within whole application.
If third party page to your site redirection performs within session provided time.All the data you have stored in the session will be visible to you.
I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS type login mimicking Facebook connect so when you click the 'Login' button on the users website it will popup a window for you to login with my SaaS credentials.
I do not want the SaaS users site to be able to access the users login credentials so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just popup a window to the facebook login then create a cookie once the user successfully logs into facebook. How then does the Facebook Connected site access that cookie?
I am wanting to basically be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what facebook does with just popping up a little window and have them login then refresh the page after they login but I am not sure how to go about this.
Any ideas?
Facebook uses a third party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the users details and login to CAS without being redirected.
Facebook uses Cross Domain communication which is what I will be using.