I have been trying to set my Ruby Rails App to be remotely accessed by a partner of mine which uses ADFS 2.0 for providing SSO possibilities. I have been using omniauth-wsfed gem but failed.
I have set omniauth.rb as below:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :wsfed,
:issuer_name => "http://fs.sib.com.br/adfs/services/trust",
:issuer => "https://fs.sib.com.br/adfs/ls/",
:realm => "https://qa.wit.com",
:reply => "https://qa.wit.com/students/auth/wsfed/callback",
:saml_version => "2.0",
:id_claim => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
:idp_cert_fingerprint => "--94061be1aba531da005d5f22bf6796b7cd69b3---"
end
Error log is:
ERROR -- omniauth: (wsfed) Authentication failure! invalid_authn_token: OmniAuth::Strategies::WSFed::ValidationError, AuthN token (wresult) missing in callback.
Does anybody suspect what is wrong ?
I am assuming you have configured your omniauth.rb properly where:
Issuer Name: This should be in the format of the adfs sever domain followed by /adfs/services/trust
Issuer: This is where your login requests will be sent, normally it will be the path /adfs/ls on the ADFS server.
Realm: This should match the domain that you provide in your federation metadata document
Reply: This is where you want the response from ADFS to be returned to in your application. This is normally the path /auth/wsfed/callback when using Omniauth.
SAML Version: The version of SAML tokens. Defaults to 2
ID Claim: This is the name of the claim field that ADFS will return that should be used as the unique identifier.
IDP Cert Fingerprint: Your Windows Administrator should be able to tell you this, but if not a way to find it is to put in any string, do a test login to ADFS — this will fail when doing the callback as the certificate doesn’t match, however if you inspect the response in the Chrome Web Inspector you will be able to see the X509 Certificate in the response. You can then use OpenSSL tools, or this online tool to get the fingerprint of the certificate.
Also Setting up callback routes like below
match '/auth/:provider/callback' => 'sessions#create', via: [:get, :post]
match '/auth/failure' => 'sessions#failure', via: [:get]
The **controller#action** can differ depending on how your application is structured.
You can handle the callback in the same way you would any Omniauth provider.
def create
auth = request.env["omniauth.auth"]
auth.uid # Gets the UID value of the user that has just signed in
# Create a session, redirect etc
end
you can refer below repo for further reference.
https://blog.craig.io/using-microsoft-adfs-with-ruby-on-rails-and-omniauth-a26237c64f8d
https://github.com/kbeckman/omniauth-wsfed
Hope it helps.
Related
Im using this gem to add Omniauth OpenID with a provider.
I configured the gem in the Devise Initializer, everything seems to be correct:
config.omniauth :openid_connect,
{
name: :openid_connect,
scope: %i[openid profile groups_rewardops scope_rewardops],
issuer: ConfigSettings.desjardins.issuer_url,
response_type: :code,
uid_field: 'sub',
response_mode: :query,
discovery: true,
send_scope_to_token_endpoint: false,
client_options:
{
port: 443,
scheme: "https",
host: ConfigSettings.desjardins.host,
authorization_endpoint: "/affwebservices/CASSO/oidc/rewardops/authorize",
token_endpoint: "/affwebservices/CASSO/oidc/rewardops/token",
userinfo_endpoint: "/affwebservices/CASSO/oidc/rewardops/userinfo",
identifier: ConfigSettings.desjardins.client_id,
secret: ConfigSettings.desjardins.client_secret,
redirect_uri: "#{ConfigSettings.api.base_url}front_end/users/auth/openid_connect/callback",
},
}
The flow I have atm is that the user can log in and grant access from the provider, then the provider sends a request to my devise callback url with the nonce, code and state. At this point everything seems to be correct but that request ends in failure when trying to generate the access_token with the following error:
ERROR -- omniauth: (openid_connect) Authentication failure! invalid_request: Rack::OAuth2::Client::Error, invalid_request :: Client credentials are invalid.
Im sure the identifier and the secret are correct, don't understand what's going on.
Since Im using discovery mode all the configs of the provider are in the .well-known you can check it here
Im blocked without ideas about how to debug the error. Checking at Rack::OAuth2 to see where the error is comming from I found this that says:
invalid_request: "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
It seems for some reason the access token request is malformed, but not sure what else apart of identifier and secret should I have in mind? I have seen many other examples of configuration and mine seems to be correct.
Since you are sure your credentials are correct, I suspect there is mismatch between the authentication method being used and the methods supported by the provider. Checking the .well-known config, I see this provider only supports client_secret_post. In your omniauth config, I see no options being passed to specify the authentication method. When I dive down into the code, I see that the underlying oauth2 gem defaults to using basic auth, which uses the indentifier and secret to construct an Authentication header. See: source code here
client_auth_method = args.first || options.delete(:client_auth_method).try(:to_sym) || :basic
case client_auth_method
when :basic
cred = Base64.strict_encode64 [
Util.www_form_url_encode(identifier),
Util.www_form_url_encode(secret)
].join(':')
headers.merge!(
'Authorization' => "Basic #{cred}"
)
In the client_secret_post authentication method, instead of providing client secret in the header, the client authorizes itself providing the secret in the HTTP request body as a form parameter. So this provider is not seeing your credentials. You could verify this by looking at the logs of the token endpoint request, which won't be visible in the browser, but rather from your rails BE to the the provider's server.
Try passing a client_auth_method in the client_options hash in your omniauth config. If you look at the case statement in the code I linked to above, there doesn't seem to be a named option for client_secret_post, but it is the default case. Any value for client_auth_method looks like it would work, but I would still use client_secret_post.
I am new to authentication using Oauth2, and was hoping someone could provide some guidance on how to use the oauth2 gem to correctly perform authentication so as to get a token with Microsoft Dynamics.
I have been able to authorize and get a token with Postman, but as these types of applications greatly facilitate the overall process, it can be difficult to map these things to code, especially when the concepts are new.
For the access token, I have at my disposal:
The Auth URL, which is of the form "https://login.windows.net/<CUSTOMER_IDENTIFIER_HASH>/authorize?resource=https://api.businesscentral.dynamics.com
The Access Token URL, which is of the form "https://login.windows.net/<CUSTOMER_IDENTIFIER_HASH>/oauth2/token?resource=https://api.businesscentral.dynamics.com"
The client_id
The client_secret
I've tried the various examples online, but I either get a nondescript error from oauth2 such as:
OAuth2::Error ():
Or, in other cases, something more particular:
OAuth2::Error ({"code"=>"RequestDataInvalid", "message"=>"Request data is invalid."}:
{"error": {"code": "RequestDataInvalid","message": "Request data is invalid."}}):
Does anyone have any real, working examples on how to successfully obtain a token?
Finaly cracked it.
Had to respecitvely move the resource element out of the auth and the access token urls to:
https://login.windows.net/<CUSTOMER_IDENTIFIER_HASH>/authorize
https://login.windows.net/<CUSTOMER_IDENTIFIER_HASH>/oauth2/token
At that point, i set the client as:
client = OAuth2::Client.new(
client_id,
client_secret,
site: base_url,
grant_type: "client_credentials",
resource: "https://api.businesscentral.dynamics.com",
authorize_url: auth_url,
token_url: token_url,
)
Above, the base_url is:
https://api.businesscentral.dynamics.com/v2.0/<CUSTOMER_IDENTIFIER_HASH>
Then, i call the client to get an auth_code and had to explicitly pass the resource parameter:
client.auth_code.authorize_url(:redirect_uri => 'http://localhost:8080/oauth2/callback', resource: "https://api.businesscentral.dynamics.com")
I'm not sure if the resource is necessary when getting the token, but finally, I obtain it as follows:
token = client.password.get_token(<AUTHENTICATION_LOGIN>, <AUTHENTICATION_PASS>, resource: "https://api.businesscentral.dynamics.com")
then i can use the token to perform get commands:
token.get('https://api.businesscentral.dynamics.com/v2.0/Sandbox/api/v2.0/companies(<COMPANY_ID_HASH>)/customers', :headers => { 'Accept' => 'application/json' })
I have a feeling I have to do some cleanup on the url for the final get command, but it seems to work this way.
I am considerably new to OAuth authentication scheme. What pose a problem for me at the moment is getting access_token from server in Rails app.
So far I read few articles covering methods related to Resource Owner Password Credentials in OAuth 2.0, but still it got me nowhere.
To name a few Official documentation regarding ROPC / Introduction to OAuth2 / Description of OAuth2 gem from Intridea
Server that I want to connect with allows password grant. It's deployed by 3rd party, so I assume everything is ok with it. On manual page they defined example of authorization as follows:
curl -X POST -d
'grant_type=password&username=USER_EMAIL&password=YOUR_PASSWORD&client_id=CLIENT_ID&client_secret=CLIENT_SECRET'
'https://auth.example.com/oauth2/token'
I posses all data which is mentioned above. BTW, client_id and client_secret are generic values enclosed in documentation. Server uses Doorkeeper gem to implement OAuth2.
To retrieve access_token from server, I simply put advised by Doorkeeper's wiki code into one of my controllers. Testing ROPC for Doorkeeper
My code in Rails API app utilizing OAuth2 gem from Intridea:
def test
client = OAuth2::Client.new(CLIENT_ID, CLIENT_SECRET,
site: 'https://auth.example.com/oauth2/token')
access_token = client.password.get_token(username, password)
Rails.logger.info access_token.token
end
What I get after visiting localhost/test is Completed 500 Internal Server Error with OAuth2::Error saying that page that I look for doesn't exist.
When trying just use curl from command line with respective data, I recieve:
WWW-Authenticate: Bearer realm="Doorkeeper", error="invalid_grant", error_description="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
Please kindly advise what may cause problem in these set-up.
As it seems I overlooked one important thing, we should declare explicitly token_url in relation to site address and not treat site parameter as entire path.
So in order to request access_token my method should look like this:
def test
client = OAuth2::Client.new(client_id,
client_secret,
token_url: "/oauth2/token",
site: "https://www.example.com/" )
access_token = client.password.get_token(username, password)
Rails.logger.info access_token.token
end
Here you can find similar issue to mine.
If someone wants to get access token with password credentials using simple http method, here is example how to approach this thing:
def test
param = {
:client_id => client_id,
:client_secret => client_secret,
:grant_type => 'password',
:username => username,
:password => password
}
uri = URI.parse(service_url)
http = Net::HTTP.new(uri.host, uri.port)
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.use_ssl = true
request = Net::HTTP::Post.new(uri.request_uri)
request.body = param.to_query
response = http.request(request)
Rails.logger.info response.body()
end
I'm struggling to access the Google Contacts API.
First I tried the google-api-ruby-client gem but it turned out that it does not support the Contacts API.
Next shot was the google_contacts_api gem but I struggle to get a oauth_access_token_for_user with the oAuth2 gem. When following the oAuth2 instructions I don't know what to put in authorization_code_value and Basic some_password.
I tried the following:
require 'oauth2'
client = OAuth2::Client.new(ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], :site => 'http://localhost:9292')
=> #<OAuth2::Client:0x007fcf88938758 #id="blabla.apps.googleusercontent.com", #secret="blabla", #site="http://localhost:9292", #options={:authorize_url=>"/oauth/authorize", :token_url=>"/oauth/token", :token_method=>:post, :connection_opts=>{}, :connection_build=>nil, :max_redirects=>5, :raise_errors=>true}>
client.auth_code.authorize_url(:redirect_uri => 'http://localhost:9292')
=> "http://localhost:9292/oauth/authorize?client_id=blabla.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A9292&response_type=code"
token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://localhost:9292', :headers => {'Authorization' => 'Basic some_password'})
=> Faraday::ConnectionFailed: Connection refused - connect(2) for "localhost" port 9292
I would appreciate if someone could give me detailed step by step instructions how to access the API.
Make sure your app is set up properly and that you've enabled the Contacts API in the Google Developers Console. Then try this:
CLIENT_ID = '?????.apps.googleusercontent.com'
CLIENT_SECRET = 'your_secret'
REDIRECT_URI = 'your_redirect_uri'
client = OAuth2::Client.new(CLIENT_ID, CLIENT_SECRET,
site: 'https://accounts.google.com',
token_url: '/o/oauth2/token',
authorize_url: '/o/oauth2/auth')
url = client.auth_code.authorize_url(scope: "https://www.google.com/m8/feeds",
redirect_uri: REDIRECT_URI)
Visit url in your browser and log in to Google. The url you are redirected to afterwards will contain the token in the parameter code. It will look like this (this next line is not code you run):
actual_redirect_url = "#{REDIRECT_URI}?code=#{code}"
Parse the code from the redirect url, then
token = client.auth_code.get_token(code, :redirect_uri => REDIRECT_URI)
Edit
Someone asked in the comments how to pass the token to the google_contacts_api library. (I wrote the library, so I should know!)
token is an OAuth2::AccessToken object in this example. All you have to do is pass it to the constructor:
user = GoogleContactsApi::User.new(token)
To be extra clear, the constructor accepts the token object, not a string.
It looks like you're authenticating against localhost (should only be referring to localhost in the context of redirecting after authentication). You should be authenticating against Google's OAuth server somewhere in there.
See: https://github.com/google/google-api-ruby-client/blob/master/lib/google/api_client.rb#L165
I'm attempting to add Facebook connect to our web app, and I'm running into a problem with. Everything works fine locally (I can authenticate through Facebook), but when I push the code to our dev server (which lives in the wild), every time I try to authenticate it returns the following error code:
OAuth2::HTTPError: Received HTTP 400 during request
That's really the only explanation I'm getting. Again, this works on my local machine, and the gems and such match between boxes, so I'm a bit confused. Here's the code I'm executing.
def facebook_connect
#Set the scope we want to pull from Facebook, along with the callback URL
options = {
:redirect_uri => facebook_callback_url,
:scope => "email,publish_stream"
}
#Go out and fetch the url
client = OAuth2::Client.new(FACEBOOK_API_KEY, FACEBOOK_SECRET, {:site => FACEBOOK_API_URL, :access_token_method => :post})
#Redirect to the callback for processing
redirect_to client.web_server.authorize_url(options)
end
def facebook_callback
#Client URL
client = OAuth2::Client.new(FACEBOOK_API_KEY, FACEBOOK_SECRET, {:site => FACEBOOK_API_URL, :access_token_method => :post})
#Parse out the access token
access_token = client.web_server.get_access_token(params[:code], :redirect_uri => facebook_callback_url)
#Get the user
fb_user = JSON.parse(access_token.get('/me'))
#Do some authentication database stuff
end
def facebook_callback_url
uri = URI.parse(request.url)
uri.path = '/users/facebook_callback'
uri.query = nil
uri.to_s
end
I searched Google, but the solutions that show up aren't working. Also, if anyone knows how to parse and display OAuth2 errors, I would appreciate that, as well. Thanks
Assuming that Facebook OATH knows of your server's IP address(they are very strict about it), I would recommend that you use use 'rescue' to catch that exception, get the backtrace and then find where it is being raised and place a bunch of debug statements to check the state of both request and the response, as well as access tokens.
Or you can configure remote debugging with Rubymine or NetBeans which is not an easy task :)
The issue actually ended up being a problem with the "Faraday" gem. Our dev server wasn't set up to handle SSL, which was returning an error code. We patched it using the following answer:
OmniAuth & Facebook: certificate verify failed