I have a REST service that is running on https://localhost:9090.
In order to provide token based authentication with Oauth2.0 for consumers of my REST service, I have cloned the 4.2 version of CAS from repository https://github.com/leleuj/cas-pac4j-oauth-demo and deployed only cas2.war (cas server) on tomcat 7. From the browser, I hit this URL :
https://localhost:8443/cas2/login?response_type=code&client_id=this_is_the_key&redirect_uri=https%3A%2F%2Flocalhost%3A9090%2Fv1%2Ffiles%2Fafb2265b-39e9-4172-bccc-e3f43700874e
I got the cas login page and after the successful login with valid credentials (leleuj::leleuj), I was not redirected to my service api as mentioned in the URL. Instead, the browser still shows the success cas login page. Is there something wrong in what I am doing? Sorry if this is a basic question, I am somewhat new to CAS.
As I'm leleuj on github, it feels a question for me ;-) Indeed, this doesn't work running mvn jetty:run, but if you run the webapps in Tomcat, it works, I haven't investigated more as CAS 5 is out now!
Related
I have created an app using ASP.NET Core 6 MVC application. I am using the Microsoft.Identity platform for authentication (Azure AD authentication). It worked fine locally. User is able to sign-in and sign-out and able to navigate. When signing in with wrong password or username then user getting an error.
But when hosted the same code on Azure App Service and when accessing the app the 401 error occured. HOw I fix that issue. As I mentioned everything works fine locally so no issue with registration clientId or any other registration level info.
WebConfig file
AppService configuration
As mentioned in the question, if you enabled Azure Active Directory, there is no need to you to login and logout explicitly. As you are trying to do those operations locally, it must be they are not configured perfectly locally also. The same error it is causing while moving and accessing in Azure App Service.
Kindly check the following things in configuration:
1. Configuration of IIS before deployment
2. Configuration of AAD
These two steps could solve the issue.
Say a SPA hosted in spa.com is loaded by user in user.com and uses oauth2 server oauth2.com for authentication through auth code flow (optional with PKCE). after user authenticated, oauth2.com would send the auth code back to the web browser and instructs it to redirect to the "redirect URI" registered with the app. now since SPA runs entirely inside the web browser, which can be anywhere, what the redirect URI should the SPA sent to oauth2.com to start with?
http://localhost : suppose to be just for local testing
its own address (user.com) : will not work since it is not registered
spa.com : SPA runs entirely in browser, not connected to spa.com
i know #1 and #3 do work but can't figure out why (#3). please advise what is wrong or missing with my understanding. thanks in advance!
The redirect URI for an SPA is usually the public URL of the app itself, so in your case this will be a value similar to one of these. On a developer PC this might be a localhost URL but I would think of it as a deployed URL and try to use proper domain names:
https://myspa.com
https://myspa.com/myapp
The technique for an SPA is then to see if you are receiving a login response as part of the main page load. See the call to handleLoginResponse in this source file of mine.
Im trying to setup a groovy app where I'm trying to integrate a third party service. They have an OAUTH process where the user clicks on a button and is redirected to their site to login and "grant" my app access to their service (somewhat like facebook). BUT - They are then redirected back to the app with a user "code" in the url as a parameter, which is then used to get an OAUTH token on the user's behalf through a different endpoint. I'm having an issue getting the "code" on the redirect. can anyone help?
wwww.someurl.com?code=2l314jhlk13...2134lkj23h4==
how can groovy listen for the redirect? I don't know where to go from here and the service i am using dosn't have any documentation.
Depending on what service would you like to integrate.
In some of them you can skip redirect. Some of them provides SDK with ready to use solutions.
If nothing - you need to http server.
If you app is a plain groovy without any web frameworks, probably the simplest solution is to use JDK built in http server.
Example - http://glaforge.appspot.com/article/the-jdk-built-in-web-server-with-apache-groovy
I am using a grails application that has the spring security core and spring security CAS plugins. I have setup a jasig CAS server with a database authentication. So far if I login directly through CAS with the users in the database, it works fine.
The problem I have is when I try to login from the grails application. I successfully get redirected to the CAS page, where after login, I get sent back to my grails app with an error of bad credentials.
In the tomcat logs of the CAS server, I have this trace:
2015-01-21 10:55:59,182 WARN [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Cannot find authentication handler that supports http://localhost:8080/myGrailsApp/secure/receptor, which suggests a configuration problem.>
Below are my settings in grails:
grails.plugin.springsecurity.cas.serverUrlPrefix = 'https://localhost:8443/cas'
grails.plugin.springsecurity.cas.loginUri = '/login'
grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugin.springsecurity.cas.serviceUrl = 'http://localhost:8080/myGrailsApp/j_spring_cas_security_check'
grails.plugin.springsecurity.cas.proxyCallbackUrl = 'http://localhost:8080/myGrailsApp/secure/receptor'
This is an existing project with a valid spring security that we've been using for a while, now trying to move it into single sign-on.
What setting am I missing in my CAS server or grails application? I have followed the default setup for database auth handler in setting up my CAS server.
Thanks for your help!
Do you really need to use the CAS proxy feature? Because the CAS error says that the CAS server is not configured to handle proxy callbacks while your CAS client is configured to use proxy (I guess: proxyReceptorUrl and proxyCallbackUrl properties)
Any way to test OAuth integration to google without having to have a port forwarding rule in my router back to my development Mac?
Background:
Developing Ruby on Rails web app that will request data from Google Calendar API via OAuth
Using Rails "OAuth Plugin" for this purpose
Developing on MacBook which is running my dev environment
Google needs (as part of OAuth) to make a callback back to my local dev environment
Can't seem to think of a way to test with Google without having to set a Port forwarding rule in my site's router back to my Macbook?
This threw me for a loop too. I actually went through the work of setting it up on a public IP even though I didn't have to in the end.
But yes, your comment is correct. The callback URL is passed on to Google during the redirect then after you've been authenticated with Google, Google will redirect you back to the callback URL providing an authorization code as a parameter.
The only server to server communication that happens is exchanging the authorization code for access and refresh tokens. This typically happens on the callback page. But since it's initiated by your server and not Google, no special open ports are required.