We are implementing Authentication using keycloak. Specifically for forgot password option: When user clicks on Forgot password option, and provides user name, an email will be sent to their id with the link to reset password.
My Question is specifically on the link:
The link sent out in email looks like below:
https://:/auth/realms//login-actions/reset-credentials?code=
But the mentioned is really an internal physical host name that can be found in /etc/hosts, but it is not accessible to external users, so we need to replace this host:port number.
The code in .ftl file looks like below under themes/base/email/html/password-reset.ftl:
${msg("passwordResetBodyHtml",link, linkExpiration, realmName)}
While figured out from admin console on where the values for linkExpiration and realmName (They are under Realm Settings in admin console), I am unable to find out how and where the "link" is configured. Can someone please help with this?
I looked up other threads and did some findings, and found this link:(Keycloak - URL Reset Password email behind a proxy, but it really talks about NginX proxy, which we haven't configured.
Got this resolved after multiple discussion with Redhat team. Below are the steps followed
We were using RH SSO 7.0.x: Added proxy-address-forwarding=true as below.
The server didn't start because this tag is not available in Keycloak 7.0.x. as confirmed by Redhat.
Did upgrade to RH SSO 7.2.0 and the same flag addition worked. Forgot password email content has the https:///auth/realms/archcap-au/login-actions/action-token?key=
Before change:
header=x-forwarded-host= <External Host>
header=Host= <Internal host:8443>
After Change:
header=x-forwarded-host= <External Host>
header=Host= <External Host>
the tag would retain the forwarded host header.
Related
I am trying to configure JDBC but kept getting the same error I am getting using snowsql:
250001 (08001): Failed to connect to DB. Verify the account name is correct: JG3409.canada-central.azure.snowflakecomputing.com:443. 000403: 403: HTTP 403: Forbidden
If the error message is unclear, enable logging using -o log_level=DEBUG and see the log to find out the cause. Contact support for further help.
Goodbye!
I have configured the config file, and I have double checked the account, company, region, reset password to only use alphanumeric.
I have used both forms of the URL
The only possibility is that I am using a trial account, but I can't imagine that this would limit external non-browser connections?
I use a simple user/password, I have whitelisted my IP and I don't have a problem with a proxy or a firewall. I can successfully connect using a browser.. using:
https://app.snowflake.com/canada-central.azure/jg63409
Important contents of the config file:
[connections]
accountname=JG3409
#accountname=uegxydq-pz20606
region=canada-central.azure
username=ASHSNOWFLAKE
any ideas?
Your account is not JG3409 but JG63409 based on this link:
https://app.snowflake.com/canada-central.azure/jg63409
Try in your browser:
https://jg63409.canada-central.azure.snowflakecomputing.com
I found out using snowcd that my computer could not connect via my home router.
When I used my personal hotspot on my (5G) phone, snowcd passed all the tests immediately. The problem then arose how to adjust the network security policy to allow a CIDR block of network addresses through since my phone uses a new address every time I connect, and I can't edit the policy to allow my phone while connected via my phone (for obvious reasons)
Catch 22
123.45.0.0/16 is not accepted in the new Snowflake UI, and 0.0.0.0 doesn't work for me, but the documentation gave me a clue.. the new UI doesn't separate by commas, so I switched to the old UI and voila!
Incidentally the OLD UI uses the same URL as SnowSQL so I picked up my error in my account number there as well (although I should have seen it earlier).
Diabolical but thanks #Sergiu too!
Trying to have Jenkins send an email to a Gmail account upon every build. I get:
Failed to send out e-mail
com.sun.mail.smtp.SMTPSendFailedException: 530-5.5.1 Authentication Required. Learn more at
530 5.5.1 https://support.google.com/mail/?p=WantAuthError 9sm5733284oij.25 - gsm
Here's what I tried so far:
Made the gmail account accept emails from less secure apps
Generated an application password from gmail and used it in my Jenkins configuration - got the same error with and without the app password
Looked at at least a dozen answers (yeah) and all the screens showing the Jenkins gmail config look the same as mine
telnet smpt.gmail.com 465 responds as connected
My Jenkins install is localhost using this URL: http://192.168.0.1:8080/
My system admin email address exists and is entered in Jenkins
I've tried filling in the section on Extended E-mail notification and removing the entries - no difference
Turned off Windows Defender, thinking, just maybe???
Also tried to configure Outlook/Hotmail using those smpt parms but that gave different errors
Don't know if this matters but I have that 'It appears that your reverse proxy set up is broken' and I don't recall setting up a reverse proxy!
Any help would be greatly appreciated!
Set up Jenkins email notification as shown below:
To resolve this, create & use app passwords with 2-step verification turned on.
A less secure method is to allow less secure apps without 2-step verification.
How do I test the Google OAuth 2.0 on my app with localhost, since Google requires a top private domain as the authorized domain?
I tried to look up solutions, but all the solutions given have been a while ago, and I think Google has changed their service since then.
localhost is not a valid top-level domain, and it won't let you generate credentials without setting up a consent screen. You can add more than one authorized domain if you'd like, but you can't leave it empty. But you CAN delete the field if you have no domains / would not like to add domains for now. you just can't LEAVE it empty.
Notice the description -- "When a domain is used". so it's not an obligation to add authorized domain for consent screen. Moreover, the authorized domain here is only related with consent screen. Authorized origins and Authorized redirect URLs needs to be specified in the credentials part, which is all that matters; specifying the origin from which requests will be accepted and where it will be redirected. So just omit the authorized domain in the consent screen.
So how to delete it? Just in case if you haven't noticed, just hover over the field and this little man will pop up. delete it. that's all. Now you should be able to save and continue, where it might ask you to setup scopes.
I know it's really late, hoping it might help others..
After about an hour banging my head against the wall I found this article that has a step by step solution that works (as of July 2020).
Basically you need to create a service account, share the sheet with that account, and then it should work.
All of the other auth methods I tried either raised nonsense errors, or simply silently didn't work.
The list of authorized domains is required before you submit a request for app verification. If you want to configure a localhost redirect URI, that is configurable in your web OAuth client ID configuration.
In case anyone has struck out on the suggestions above, this answer did the trick for me. Set my authorized JavaScript origins URI to http://localhost:8080 in the google API console then emptied my Chrome cache.
Just add an OAuth-consent-screen from here without a domain or valid domain that's up to you, after that create Credentials from here, then select OAuth client ID and enter your from here you can add javascript origin url and there you go you've done.
You add your final domain for when you are ready to become verified. Until then you will generate an OAuth client ID and enable https://localhost:3000 in "Authorized JavaScript origins"
Simple screenshot of the field you can enter localhost
Not beautiful, but works!
I've made local website(domain) on Xampp like test1.com, added that domain in Authorized domains and started Chrome from separate shortcut with parameter --ignore-certificate-errors
Note, that when you start with this flag, Chrome must not be running!
It cause Chrome to open web site in the xampp\htdocs folder and I was forced to go to folder test1.git and then to public folder, where finally site opened and the url was: https://test1.com/test1.git/public
ps. Use port 80 in httpd-vhosts.conf and not 443!
I'm running GitLab on local address http://192.168.0.18/. Upsource is running on http://192.168.0.11/.
I've added Upsource application as admin on GitLab. I've set client id and secret token as GitLab said. Authorization is set to http://192.168.0.18/oauth/authorize, token to http://192.168.0.18/oauth/token and user data to http://192.168.0.18/api/v4/user (according to GitLab documentation). In field mappings, I've set User ID to "id" and both e-mails to "email".
Then, on logging page of Upsource, I've oath authentication icon. After clicking on it, GitLab requires logging and user has to authorize application for its account:
Authorization required
Authorize Upsource to use your account?
You are an admin, which means granting access to Upsource will allow them to interact with GitLab as an admin as well. Proceed with caution.
This application will be able to:
Access your API
Read user information
Hovewer, after clicking authorize button, Upsource displays info: Authentication failed. Check your credentials and try again.. What have I set wrong? Field mappings?
Oh, I've found the answer. As happens often, I was fighting with this a good amount of hours and just after I asked this question, I've got idea to run this on my own. Rubber duck method, I guess...
As I suspected, the problem was in field mappings.
I looked in Network tab in Chrome and there was this response:
http://192.168.0.11/hub/auth/login?response_type=token&client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&message=hub-auth-failed&developer_message=getValueByPath%28json%2C+aut%E2%80%A6userIdPath%29%21%21.textValue%28%29+must+not+be+null
I've manually went through all Gitlab workflow and then I could log in - and after running http://192.168.0.18/api/v4/user endpoint, I've got user data:
{"name":"username","username":"username","id":3,"state":"active","avatar_url":"http://www.gravatar.com/avatar/94232f2d1f8bb2fe940de439a4df1014?s=80&d=identicon","web_url":"http://debian/username","created_at":"2017-03-25T22:28:21.375Z","is_admin":true,"bio":null,"location":null,"skype":"","linkedin":"","twitter":"","website_url":"","organization":null,"last_sign_in_at":"2017-03-25T22:28:21.487Z","confirmed_at":"2017-03-25T22:28:21.376Z","email":"username#username.username","color_scheme_id":1,"projects_limit":100000,"current_sign_in_at":"2017-03-25T22:36:31.853Z","identities":[],"can_create_group":true,"can_create_project":true,"two_factor_enabled":false,"external":false}
The problem was in setting ID field name. As we can see in above JSON data, id field should be mapped to name/username, not id itself.
After this change I could sucessfully login into Upsource.
I tried to set up username and password for Neo4j instance running on linux machine. I couldn't find any documentation.Please let me know how to do this.
After going to localhost:7474 in your browser, go to the :server connect prompt and enter the default login info:
user: neo4j
password: neo4j
it should then ask you to change your password. You're now connected.
The username used on install as a service by default is neo4j, group is also neo4j.
I think you can configure the used user in conf/neo4j-wrapper.conf
# Name of the service
wrapper.name=neo4j
# User account to be used for linux installs. Will default to current
# user if not set.
wrapper.user=
You change the password for an user on Linux with passwd, see man passwd for details.
start the Neo4j server.
- Open the url(http://127.0.0.1:7474/browser/) in browser.
- click on Database icon from left side menu.
- Find "Connected as" -> :server user add , click on and add your desire user name and password in right windows.
Open the url http://localhost:7474/db/data/
this will prompt the user name password authentication windows. enter the added user/password created above and click on OK.
Neo4j doesn't have the support for using a username and password for accessing the database (as you would do with MySQL for instance). So you have to rely on other security mechanisms, like for instance the security groups in AWS, or a firewall. You may want to check the documentation and the other stackoverflow questions on this matter:
http://docs.neo4j.org/chunked/stable/security-server.html#_server_authorization_rules
How to secure access to neo4j remote shell?