We are developing an TYPO3 extension that is in charge of managing the social network profiles. We used the extension "ps_social" as a guide for understand the social media network APIs could work with TYPO3 through Adapter Pattern.
I have the proof of concept of the implementation to authenticate a profile and publish in it but through only in PHP, now we want to take it to the TYPO3 extension.
My question is about the callback when authenticating a profile. Our extension sends us to the social network and when we return to our web page, with the token in the url, this does not change and shows the same screen of the plugin before redirect to the authentication in the social network. The callback url in manage app in Twitter has the id of our plugin's page. I check url for change the plugin action but doesn't work.
We see that this step is fundamental to be able to later make publications to the authenticated profiles in the application.
The problem could be that your authentication service is not triggered when returning to the TYPO3 site. Whether or not your service will trigger depends on several configuration options. By default, your service will only trigger when a POST login action is taking place - but there are options to define that, for example, the authentication service must always attempt to fetch (and thus authenticate) the user even if there is no POST login data (instead, GET parameters may be used to determine if authentication should be attempted).
There is also a caveat if you intend to log in BE users using this method. I've noticed that if you attempt to log in a BE user in the FE, then no action or configuration will be respected unless an existing BE user cookie exists (which it will if you've ever been logged into the BE). If you use the authentication service to log in to the BE normally there isn't this problem - it only applies if you try to do it in FE.
TL;DR: I'm guessing you need to configure the "always auth user" setting for the targeted BE/FE context, using parameters described in the "advanced" section of this link: https://docs.typo3.org/typo3cms/Typo3ServicesReference/Authentication/Index.html
The problem was resolved creating a new plugin. In the configuration of application in Twitter I can not set parameters as controller and actions, for example; only the page id. I had to create a plugin in my TYPO3 extension that execute in one page the action for get information of callback, process and return the page with the list of social profiles. This We did it in each one social networks (Facebook, Google+ and Instagram) for their callback URL to be correct.
Related
My app has an embedded WKWebView that we use to show custom user content served from the users organization. A few organizations are using HTTP authentication (NTLM) so I am working on supporting this. I've implemented the necessary delegate function (webView didReceive: completionHandler:) and create a UIAlertController with two text fields to allow the user to input their username and password. Functionally, this works and allows the users to log in to their organizations site.
However, because I'm creating the alert controller in my app, usernames and passwords are saved and suggested using the apps associated domain. While technically this makes sense, it is confusing for our users to be logging in to their website but seeing a password suggestion coming from our domain.
I haven't found any way to get the WKWebView to display its own username and password prompt. I've considered trying to inject some javascript to show the prompt, but I'm far from a javascript expert and I'm concerned about causing issues with existing javascript on our customers sites (and I don't know if it will still use the app domain anyway). Edit - tested this, the app domain is still used.
https://developer.apple.com/documentation/security/password_autofill/ seems to say that there's no way to use a different url.
Is there anyway for the username and password to be saved using the url that is being loaded in the web view instead of the apps associated domain?
I'm trying to connect to Freshdesk using OAuth 2.0, for single sign-on from my app. My app is serving as it's own OAuth identity provider. I've set up my Authorization url on Freshdesk -- let's call it https://www.myWebApp.com/auth:
So now for testing purposes I go to the URL that Freshdesk support provided for a user to initiate the single sign-on process:
https://myWebApp.freshdesk.com/login/normal
...and I see a nice sso-style login screen:
I enter a correct email and password for one of my site users and click "Login".
Now in the Chrome network tab, I would expect to see Freshdesk trying to ping my Authorization URL. But I don't. I see this:
When loaded, my auth page (https://myWebApp.com/auth) pings my server, which issues a console.log() message, and my server logs show no such console log message -- so Freshdesk doesn't seem to be pinging my auth page at all.
What is keeping Freshdesk from pinging my auth page as it should?
There is probably a fair bit here that you have in place already but I am just adding it in for completeness.
Logged into the backend and on the security page for contacts
https://stackoverflow.myfreshworks.com/security/contacts
[stackoverflow == your site :) ]
you will have to create a Custom Policy if you don't have one in place already (this is different to the one for Agents)
And for that configure your SSO with Oauth 2.0
Then , if you have at least one SSO configured your login (at https://stackoverflow.freshdesk.com/support/login ) should look like this:
Where (1) now appears. That will be the link to ping your server via the urls you set up for the SSO:
If you only have one SSO set up for your contacts that link (1) should complete the sign-in process directly and then you should end up logged into Freshdesk as the specific contact.
If you had two SSO options set up; for example:
..when you clicked the link (1) on the https://stackoverflow.freshdesk.com/support/login page, you should then be redirected to a page with those two options:
The url for that page is something like (parameters will be different for you):
https://stackoverflow.myfreshworks.com/login
?redirect_uri=https://stackoverflow.freshdesk.com/freshid/customer_authorize_callback
&client_id=14416083630394368&slug=6117145232763
I am imagining you could use that as a direct link to the portal on your main site.
If you only have one SSO option set up you should be able to navigate directly to the link as above and then see :
which is probably what you are aiming for.
I changed the name of that button (Sign in with contacts SSO) just to be sure I was using the right one and to differentiate from the login for agents. You can change the text under the Advanced Options when configuring the SSO:
Hope this helps you along the way - if you have any other questions on this post them as comments.
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I have an upload application that will be accessible by multiple other applications. I want user security from those applications to be federated to this upload hub. I'm doing it with HTTP tokens that are shared between the applications.
I have read 5 different articles on how to secure an API in Rails. I have everything set up properly in the upload hub app. I have keys set up in my User table, and I have shared this key with the user table in the other apps. I have the code in place to check for this key, and to locate the appropriate subscription. Upon failure, the user is redirected to the login page of the source application.
There's just one thing. I can't find anywhere how to create the actual request! I want the users in the other applications to click an "upload" link that will take them to this application. No problem creating the link, of course. The problem is, how do I add the token to the request?
See, I'm not making programmatic requests to an API... The user is actually going from one app to another. I want the upload hub app to check the request and say "Oh, there's this big long key. Let me see if I can find a user associated with that. I'm obviously not going to put it in a query string.
The only thing I've come up with on my own is to have a bit of jQuery code that constructs a form with a hidden item containing the key in it, which it would get from a hidden field on the current page, then do a POST against the upload hub app. That's not really a token, but it's doable. Surely there's a better way?
UPDATE
I went the jQuery "postGo" route where I construct a form with a hidden field and send it as a parameter to the other app. I had forgotten about protect_from_forgery though. However, even after turning protect_from_forgery off, Rails somehow still strips all parameters except for controller and action from outside requests. Undocumented feature? Or maybe I missed the documentation.
Really, I just want SSO on a couple of apps. It looks like I'm going to have to create an Oath provider. Sure are a lot of hoops to jump through to federate a simple session on some apps that I own.
Here's a possible way of doing this.
In the upload controller method of the app, instead of redirecting the user directly, make a request to the upload hub app.
In the upload hub app, add a controller method and generate a token, store it and a user's credential in redis, or other storage of your choice, then response the app with the token.
Your app's upload controller method receive the response from upload hub, then give 302 response back to the client, with the token included in the redirect url.
The client redirects to the upload hub
The upload hub router accepts this format, the token can be in a query string.
Check in redis and find it by the token and match the user's credential
All,
Here is the scenario;
Our website uses APPID-1 for auth and extended permissions (MainSite)
Our Page Tab App uses APPID-1 for auth & extended permission
(TabApp-1), and this adds the auth_token to our DB on MainSite
However we want to add another tab that uses APPID-1 for auth_token acquisition, is this possible?
Proposed scenario;
MainSite - APPID-1 acquire auth_token
TabApp-1 - APPID-1 acquire auth_token
TabApp-2 - APPID-1 acquire auth_token
I should note that non of our TabApps actually need the auth_token, its our MainSite backend app that uses the auth_token to perform actions for the user. However we want to make it easier for our users to use the site, and many come via our Fan Page.
So can we have TabApp-2 pop the Auth Dialog for APPID-1 with is not TabApp-2's APPID?
Specs:
Ruby on Rails 3.1 and using Graph API & Javascript Fb API
I guess you would have to initiate the JS SDK in TabApp-2 with APPID-1. Server-side you would receive a signed_request with TabApp-2 credentials but you can just it that if you work only with the JS API.
I guess you could validate the assumption with a prototype in less than 30 minutes. Have you done that yet? If so, what were the results?
You don't need different apps for this (but i think you're aware of that) the same app can be installed onto multiple pages, and you can show different content on each page by checking the page parameter in the signed_request which is POSTed to your server when the page tab is loaded by a user.
As far as authorisation goes, you may have issues when getting the user to log in directly from a page tab (issues = it may not be allowed to redirect the user back to the tab after login because the full URL to the tab (http://www.facebook.com/pages/somepage/12345?sk=app_{app id here}) isn't 'owned' by your app)
If that happens you can send them to your main site after login with an additional parameter that you use to detect that the user started login on a page tab, and redirect them back to it
Seems you will have to make a few apps, then just use php-sdk to authenticate, since the auth will be server side it will not matter what iframe or page tab it appears in, it will be able to auth to a single app.