From various googling and reading https://www.jhipster.tech/security/#oauth2 , I gathered that in order to have mobile/social integration with JHipster generated app I should use OAuth2. Am I right to think this way? (I can't seem to find a clear cut answer to this)
I created a new application with JHipster v5.1.0 with OAuth2 enabled. I noticed a couple of features missing with regards to user management. Below are my questions.
How does a new user register a new account?
How does a user change password / reset forgotten password?
Hopefully someone with experience on the above can help clarify.
Thank you in advance.
For social login, yes your best option is OAuth 2.0. You can use JWT for mobile development with React Native (via JHipster Ignite) and Ionic (via Ionic for JHipster), so it's not necessarily required for mobile.
For user registration and change password, you'll need to enable those options in Keycloak or Okta. This blog post shows you how.
To summarize:
For Keycloak, you can enable registration by navigating to http://localhost:9080 and click on Administration Console. Login with admin/admin and click on the Login tab. This screen allows you to enable forgot password, remember me, and verify by email as well.
To enable self-service registration in Okta, you’ll need to navigate to the Classic UI from the Okta Developer Dashboard. There’s a link to toggle between the two in the top left corner of your screen.
Then navigate to Directory > Self-Registration and click Enable Registration. Set the default group to ROLE_USER, the Default redirect to a Custom URL with http://localhost:8080 as its value, and click Save.
NOTE: If you get an error that says 'http://localhost:8080' is not a valid redirect URI, it’s because you need to add http://localhost:8080 as a trusted redirect under Security > API > Trusted Origins. After making this change, navigate to Directory > Self-Service Registration and edit the settings to configure the custom URL again. It should work this time.
Related
I'm trying to connect to Freshdesk using OAuth 2.0, for single sign-on from my app. My app is serving as it's own OAuth identity provider. I've set up my Authorization url on Freshdesk -- let's call it https://www.myWebApp.com/auth:
So now for testing purposes I go to the URL that Freshdesk support provided for a user to initiate the single sign-on process:
https://myWebApp.freshdesk.com/login/normal
...and I see a nice sso-style login screen:
I enter a correct email and password for one of my site users and click "Login".
Now in the Chrome network tab, I would expect to see Freshdesk trying to ping my Authorization URL. But I don't. I see this:
When loaded, my auth page (https://myWebApp.com/auth) pings my server, which issues a console.log() message, and my server logs show no such console log message -- so Freshdesk doesn't seem to be pinging my auth page at all.
What is keeping Freshdesk from pinging my auth page as it should?
There is probably a fair bit here that you have in place already but I am just adding it in for completeness.
Logged into the backend and on the security page for contacts
https://stackoverflow.myfreshworks.com/security/contacts
[stackoverflow == your site :) ]
you will have to create a Custom Policy if you don't have one in place already (this is different to the one for Agents)
And for that configure your SSO with Oauth 2.0
Then , if you have at least one SSO configured your login (at https://stackoverflow.freshdesk.com/support/login ) should look like this:
Where (1) now appears. That will be the link to ping your server via the urls you set up for the SSO:
If you only have one SSO set up for your contacts that link (1) should complete the sign-in process directly and then you should end up logged into Freshdesk as the specific contact.
If you had two SSO options set up; for example:
..when you clicked the link (1) on the https://stackoverflow.freshdesk.com/support/login page, you should then be redirected to a page with those two options:
The url for that page is something like (parameters will be different for you):
https://stackoverflow.myfreshworks.com/login
?redirect_uri=https://stackoverflow.freshdesk.com/freshid/customer_authorize_callback
&client_id=14416083630394368&slug=6117145232763
I am imagining you could use that as a direct link to the portal on your main site.
If you only have one SSO option set up you should be able to navigate directly to the link as above and then see :
which is probably what you are aiming for.
I changed the name of that button (Sign in with contacts SSO) just to be sure I was using the right one and to differentiate from the login for agents. You can change the text under the Advanced Options when configuring the SSO:
Hope this helps you along the way - if you have any other questions on this post them as comments.
We are creating an app that has a feature to reset their password respectively, since we are using keycloak so that thing will be featured via keycloak page itself, but our client need the forgot password will be provided in the app, so i need to hit the forgot password api like below flow.
App Forgot Password Page > Fill email only and proceed > User receive reset password link > Open link > Keycloak reset password page
But seems that api is not existed in the keycloak.
As far i only found below apis
PUT /{realm}/users/{id}/reset-password (need bearer, not possible since we are unable to use realm account user)
PUT /{realm}/users/{id}/execute-actions-email (don't know how to use it and need bearer, not possible since we are unable to use realm account user)
Any suggestion?
Thank you in advance
Hi there, this is 2021, my solution at this time was by using keycloak library in java service, so the service working as aggregator between my web app to keycloak, and still we are using above apis mentioned that need realm access. Good luck.
You can set required action for the user to UPDATE_PASSWORD and when user tries to log in, they will be prompted with Setting up their password.
Keycloak Admin APIs - UserResource
You can update the user and in the UserRepresentation you can set that required action.
Using this page: https://developers.google.com/identity/sign-in/web/sign-in
It's really easy to add a button to a page for a client side only login with Google.
On Clicking the button, the user is presented with a screen like this:
There are 2 ux_mode for this button: "popup" and "redirect":
https://developers.google.com/identity/sign-in/web/reference
My question is about ux_mode=popup specifically, where the originating page doesn't change, and all the login flow is handled in a separate popup window.
Imagine a good app is published. It seems like an attacker could clone the app, present it to a user. The user thinking it's good app would login and the attacker would have a way to grab a valid token from the user for good app.
Now I understand that in that mode (popup), the IDP (Google) will reject anything that doesn't come from an Origin that is not part of the explicit list of redirect URIs set in the configuration of the project.
But is that the only thing that prevents this? I have read again and again that one should not rely on CORS for the security. Also I'm not sure but it seems that it can be circumvented with a little bit of crafting.
Is there another aspect of the security of this login flow I am missing?
I do not know google implementation but from OAuth 2 point of view:
1/ "The user thinking it's good app" user should check the address bar and a green lock in his browser. It is considered as a users responsibility.
2/ you registered redirect uris which are checked when client is trying to get access token. So google will reject to generate and redirect users browser to malicious app with the token.
3/ browser will reject any communication between popup window and other webpages since they are not same origin. This is called same origin policy and is considered as important security feature of a browser.
In general: app location/uri/origin/domain (as you want) is what identifys your app and security is based on that.
Hope it helped.
I am using LDAP mode of authentication and have written web service and clients to enable gerrit users to reset their passwords should they happen to forget it. For that, I added the following line into gerrit.config file:
[auth]
httpPasswordUrl = http://domain.com:port/Register/ChangePassword
However, this link is not visible anywhere on gerrit, either before login or post login. Can someone guide me on how to make this link "visible" to one and all (users)?
This link is displayed in the Settings -> HTTP Password screen. So this link cannot be used for users who forgot their password. I don't think there is an option to display such a link for non-logged-in users.
A possible solution would be displaying a custom footer / header which adds this link: https://gerrit-review.googlesource.com/Documentation/config-themes.html#_html_header_footer
I've been trying to use the Grails Spring Security OpenID plugin and while following the tutorial instructions https://grails-plugins.github.io/grails-spring-security-openid/docs/manual/guide/tutorials.html it just doesn't work at:
Navigate to http://localhost:8080/openidtest/secure/admins and you should be prompted with the login screen. Leave the Use OpenID checkbox checked and enter a valid OpenID. Don't check the remember-me checkbox yet (it doesn't work with the extended workflows where you create a new user or link an OpenID) and click the "Log in" button.
After authenticating at the OpenID provider, you'll be redirected to the registration page. Note that there's a link to just associate the current OpenID with a local account - for now click the "link this OpenID" link.
When I try to log in, I simply get:
Sorry, we were not able to find a user with that username and password.
The documentation is not recent, and last I saw in some other post was that Burt said he had some github issues and had not been able to updated it (I think it was a stackoverflow comment around October 2013).
Does anyone know if there is a configuration or setting that must be changed? or a new step perhaps?
Thanks in advance
So I have come to this conclusion from reading a few different sources and trying things out. I stand to be corrected, however, the current solution is working for me.
My humble understanding: The OpenID input in the plugin requests a link from the OpenID Account provider (e.g. google) with which the user will be authenticated.
Websites can just have a link for each provider they want to support instead of asking for a link, so that you would have a "Login with Google" button with the link prefilled (which by the way is https://www.google.com/accounts/o8/id).
It can help to just look at how other websites do it. You can also just google openid and your provider to find out their links.
Note that some providers have a static link, while it looks like others have user specific links. I'm not yet sure how to deal with user specific links yet.