I am developing the Single Sign-on (SSO) feature for a system (using OpenID Connect with a Gluu server as the OP). Details of the system are listed as follows:
Programming language: Ruby on Rails
Ruby gem for OpenID Connect: omniauth-openid-connect (https://github.com/jjbohn/omniauth-openid-connect)
Authorization endpoint: /oxauth/seam/resource/restv1/oxauth/authorize
Token endpoint: /oxauth/seam/resource/restv1/oxauth/token
However, the response (token) from the Gluu server causes a JSON::JWS::VerificationFailed exception in the system under development (raised by the Ruby gem omniauth-openid-connect). Apparently, the default method the Gluu server uses to sign the token is not compatible with what the Ruby gem expects.
Is there anything I have missed (in the configuration of the Gluu server or in the settings of the Ruby gem)?
I just found the solution to my problem: the "discovery" setting of the gem must be turned on (by default, it is turned off).
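To make the fix above concrete: with discovery enabled, an OpenID Connect client fetches the OP's metadata from its issuer URL and, from the jwks_uri listed there, the public key that signed the ID token; signature verification then uses that key rather than whatever the client happened to assume. The following is an added example, not code from omniauth-openid-connect or from Gluu, and it uses only the Ruby standard library. It simulates the OP side (an RSA signing key and a JWKS document) and the client side (look up the key by kid, check the alg, verify the RS256 signature) and shows that a token signed with a key the client does not know is rejected with a VerificationFailed error. The issuer, kid, claims and key are constructed for the example; real claim validation (iss, aud, exp, nonce) is omitted.

```ruby
require "openssl"
require "json"

# Constructed example: the OP's private signing key. In a real deployment the
# client never sees this key; it only sees the public half via the JWKS.
OP_KEY = OpenSSL::PKey::RSA.new(2048)
KID    = "demo-signing-key"   # assumed key id, constructed for the example

class VerificationFailed < StandardError; end

# base64url without padding (RFC 7515), implemented with pack/unpack so no gem is needed
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.size % 4) % 4)
  padded.unpack1("m0")
end

# OP side: sign claims as an RS256 JWS (header.payload.signature)
def jws_sign_rs256(claims, rsa_key, kid)
  header = { alg: "RS256", typ: "JWT", kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = rsa_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# OP side: what the client retrieves from jwks_uri once discovery is on.
# Only the public modulus and exponent are published.
def published_jwks(rsa_key, kid)
  pub = rsa_key.public_key
  { "keys" => [{ "kty" => "RSA", "kid" => kid, "alg" => "RS256", "use" => "sig",
                 "n" => b64url(pub.n.to_s(2)), "e" => b64url(pub.e.to_s(2)) }] }
end

# Client side: rebuild an RSA public key from a JWK (PKCS#1 RSAPublicKey DER)
def jwk_to_rsa(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  der = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n),
                                     OpenSSL::ASN1::Integer.new(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

# Client side: verify the token against the discovered key set.
def jws_verify(token, jwks)
  h64, p64, s64 = token.split(".")
  raise VerificationFailed, "malformed token" unless h64 && p64 && s64
  header = JSON.parse(b64url_decode(h64))
  # Pin the algorithm to what the OP publishes; never let the token choose it.
  raise VerificationFailed, "unexpected alg #{header['alg']}" unless header["alg"] == "RS256"
  jwk = jwks["keys"].find { |k| k["kid"] == header["kid"] }
  raise VerificationFailed, "no published key with kid #{header['kid']}" unless jwk
  key = jwk_to_rsa(jwk)
  ok = key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s64), "#{h64}.#{p64}")
  raise VerificationFailed, "signature does not match" unless ok
  JSON.parse(b64url_decode(p64))
end

# Constructed ID token claims for the demo
CLAIMS = { "iss" => "https://op.example.test", "sub" => "alice",
           "aud" => "rails-client", "exp" => Time.now.to_i + 300 }
TOKEN  = jws_sign_rs256(CLAIMS, OP_KEY, KID)
JWKS   = published_jwks(OP_KEY, KID)

# Runs both paths: the discovered key verifies, an unrelated key does not.
def demo_verification
  claims = jws_verify(TOKEN, JWKS)
  unrelated_jwks = published_jwks(OpenSSL::PKey::RSA.new(2048), KID)
  rejected = begin
    jws_verify(TOKEN, unrelated_jwks)
    false
  rescue VerificationFailed
    true
  end
  { "sub" => claims["sub"], "wrong_key_rejected" => rejected }
end

puts demo_verification.inspect if __FILE__ == $PROGRAM_NAME
```

The point for the original question is the key lookup: the client can only verify an RS256 token if it has obtained the OP's public key, and discovery is the mechanism that supplies it. Note that the alg check comes before any cryptographic work, so a token with a different or missing alg is rejected regardless of its signature.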
My setup:
Rails 5.2 application
Amazon SES, using aws-sdk-rails gem
authenticated with IAM roles (not access key & secret)
Elastic Beanstalk
I have just switched my Elastic Beanstalk environment from Amazon Linux AMI (v1) to a new environment with Amazon Linux 2 (v2). I have kept my configuration as identical as possible to maintain application behaviour, although when sending emails with my Rails app, powered by Amazon Simple Email Service (SES), I get the following error:
Aws::Errors::MissingCredentialsError (unable to sign request without credentials set)
The documentation here describes a number of methods to authenticate the AWS SDK, and I'm using the "Setting Credentials Using IAM" approach:
https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html
I'm using the Rails gem for AWS SES email sending here:
https://github.com/aws/aws-sdk-rails/tree/v2.1.0
and given I'm using IAM roles, I only need to set the region when initializing the mailer:
Aws::Rails.add_action_mailer_delivery_method(:aws_sdk, region: "us-west-2")
Both my old v1 EB environment and my new v2 EB environment create EC2 instances with the same role, i.e. the aws-elasticbeanstalk-ec2-role, and I can see that it has the same security policy attached to it that I set up a while back called "MySendEmailPolicy". And this policy looks like it gives the right permissions to send emails.
I can't think of any other reason why AWS would say my credentials are now failing. Any thoughts? Perhaps there's something different about Amazon Linux 2?
This isn't an IAM-roles solution to the problem, but a work-around I'm using which gets emails working at least for now.
I'm simply using my own AWS CLI credentials here, which I've added as environment variables via the Elastic Beanstalk web console:
creds = Aws::Credentials.new(ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"])
Aws::Rails.add_action_mailer_delivery_method(:aws_sdk, credentials: creds, region: "us-west-2")
After deploying above, I got this error: Aws::SES::Errors::AccessDenied (User 'arn:aws:iam::XXXXXXXXXXXX:user/<userName>' is not authorized to perform 'ses:SendRawEmail' on resource 'arn:aws:ses:us-west-2:XXXXXXXXXXXX:identity/<example.com>'), but that was resolved by attaching my "MySendEmailPolicy" policy to my IAM user directly.
Any suggestions on the IAM-roles solution though would be welcome.
I am trying to use the Snowflake connector inside a Docker container. I want to use the externalbrowser authenticator so that I can make the connection using Okta credentials, but the connector is failing with the error below.
DatabaseError: (snowflake.connector.errors.DatabaseError) 250008 (08001): None: Failed to connect to DB: xx.snowflakecomputing.com:443, Unable to open a browser in this environment.
(Background on this error at: http://sqlalche.me/e/13/4xp6)
As an aside, I'd recommend removing your account name from the question (shown in the error).
You are correct that the "externalbrowser" option is browser-based SSO. It might be possible to get this running in a Docker container with some extended software and configuration, but I wouldn't recommend it, as it doesn't seem worth the effort.
Instead, there are alternative SSO authentication methods you can look at, such as Native SSO Okta, key-pair authentication, or external OAuth. These won't require the browser.
I am developing my first Rails 6 app, but when I try to serve it in the development environment behind my nginx server, I see this message:
I tried adding the configuration mentioned in the error in config/environments/development.rb and in config/application.rb, but it didn't work.
I am using Rails 6.0.0, Ruby 2.6.5, nginx 1.10.3.
If I go to http://localhost:3000 (the puma URL directly) it works fine. But I want to know why I am getting this error.
It was an issue on the Rails side.
Upgrade to 6.0.4.4 or 6.1.4.4, as you can read in their blog post.
Host Authorization was added because of DNS rebinding attacks; here are more details about it, and also a link to a more detailed explanation:
Introduce ActionDispatch::HostAuthorization. Host Authorization is a new middleware that guards against DNS rebinding attacks by explicitly permitting the hosts a request can be sent to. More information about the attack itself is available in this Medium post and in Daniel Miessler's DNS Rebinding attack explained. By default it's set for all Rails 6 applications and allows in development the following hosts: [IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"]. It supports arrays of RegExp, Proc, IPAddr and String or a single String in the configuration. What this means is that with Rails 6, we will need to explicitly set our domains in the environments configuration files. More information is available in the HostAuthorization code and HostAuthorization tests.
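The quoted passage lists the rule types an allowlist can hold (String, Regexp, IPAddr, Proc) and the development defaults. The following is an added example, not Rails' own ActionDispatch::HostAuthorization middleware, that reimplements the matching idea in plain Ruby so the effect of each rule type can be seen: the Host header is stripped of its port, then tested against each rule, and a request whose Host does not match any rule is rejected. That rejection is what stops a DNS rebinding attack, where the browser is steered to a hostname the attacker controls that resolves to the app's IP: the Host header still carries the attacker's name, so it fails the allowlist. The hostnames, the production allowlist and the simplified string matching (exact match only; Rails also accepts a leading-dot subdomain form) are assumptions of this example.

```ruby
require "ipaddr"

# Development defaults as quoted in the answer above
DEV_DEFAULTS = [IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"]

# Constructed production allowlist showing each supported rule type:
# an exact String, an anchored Regexp for one level of subdomain, and a Proc.
PROD_HOSTS = [
  "app.example.test",
  /\A[a-z0-9-]+\.example\.test\z/,
  ->(host) { host == "staging.example.test" }
]

# Strip the port from a Host header value; bracketed IPv6 literals lose their brackets.
def host_without_port(host_header)
  h = host_header.to_s.strip
  if h.start_with?("[")
    h[/\A\[([^\]]*)\]/, 1]      # "[::1]:3000" -> "::1"
  else
    h.sub(/:\d+\z/, "")         # "app.example.test:443" -> "app.example.test"
  end
end

# True when the Host header matches at least one rule in the allowlist.
def host_allowed?(host_header, allowlist)
  host = host_without_port(host_header)
  return false if host.nil? || host.empty?
  allowlist.any? do |rule|
    case rule
    when String then host == rule
    when Regexp then rule.match?(host)
    when IPAddr
      begin
        rule.include?(IPAddr.new(host))   # non-IP hostnames never match an IPAddr rule
      rescue IPAddr::InvalidAddressError
        false
      end
    when Proc then rule.call(host) ? true : false
    else false
    end
  end
end

# Constructed sample Host headers, including two an attacker might present
# during a rebinding attempt (a foreign domain and a look-alike prefix).
SAMPLE_HOSTS = [
  "localhost:3000", "127.0.0.1:3000", "[::1]:3000",
  "app.example.test", "api.example.test:443", "staging.example.test",
  "attacker.example.net", "app.example.test.attacker.example.net"
]

# Map each sample Host header to its allow/deny decision under the given allowlist.
def classify(allowlist, hosts = SAMPLE_HOSTS)
  hosts.to_h { |h| [h, host_allowed?(h, allowlist)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "development defaults:"
  classify(DEV_DEFAULTS).each { |h, ok| puts "  #{ok ? 'allow' : 'deny '}  #{h}" }
  puts "production allowlist:"
  classify(PROD_HOSTS).each { |h, ok| puts "  #{ok ? 'allow' : 'deny '}  #{h}" }
end
```

Under the development defaults every IP literal and "localhost" is allowed but a real domain name is not, which is exactly why the questioner's app behind nginx (reached by a domain name, not localhost) was blocked; under the production list only the explicitly configured names pass, and both attacker hostnames are denied.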
I have a server which does the federated authentication.
I have metadata for Federation environment and the signing certificate.
I will have to access this server from my ruby on rails application server.
As per my understanding I have to provide federation metadata so that a connection can be set up from my application server to the federation server.
I am new to federation authentication.
Any suggestions on how to proceed will be really helpful.
Regards,
Srikanth
I'm working on an app that requires a log-in using OAuth mechanisms from LinkedIn, Twitter, and Google.
On the common meteor server this authentication method works fine.
However, I recently deployed the Meteor server on my own server, and I get an authentication error when I try to log in. I tried LinkedIn and Twitter and receive the same error, so I guess something is wrong on my server.
The error is in a browser window:
The requested URL /_oauth/linkedin was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.22 (Ubuntu) Server at exomodal.com Port 80
The meteor server is at port 3000.
Any ideas how to resolve this issue?
Thanks in advance
As far as I know, Google asks for a redirect URL and an origin URL. During development, you registered these as localhost:3000/. But when you deploy, you are not using localhost anymore. Update these URLs in your "API console" (that's what they call it in Google) if any exist. As far as I know, Google and Facebook require some sort of URL to be registered.
Also, API configurations (client/consumer id and secret) are usually stored in the DB. Upon deploy, you don't usually ship your development DB, leaving behind the configurations which were on your development machine. What we did was to hard-code these into the server code, so that every time the server is restarted or redeployed to a "clean server", it inserts those configs to the DB.