I have set up a application named "UserCenter" here is the .yo-rc.json
{
"generator-jhipster": {
"jhipsterVersion": "3.12.0",
"baseName": "UserCenter",
"packageName": "com.company.test.user",
"packageFolder": "com/company/test/user",
"serverPort": "19090",
"authenticationType": "oauth2",
"hibernateCache": "hazelcast",
"clusteredHttpSession": false,
"websocket": false,
"databaseType": "sql",
"devDatabaseType": "mysql",
"prodDatabaseType": "mysql",
"searchEngine": false,
"messageBroker": false,
"buildTool": "maven",
"enableSocialSignIn": false,
"useSass": true,
"applicationType": "monolith",
"testFrameworks": [
"gatling"
],
"jhiPrefix": "jhi",
"enableTranslation": true,
"nativeLanguage": "zh-cn",
"languages": [
"zh-cn",
"en"
],
"serviceDiscoveryType": false
}
}
and another application named "MsgCenter" here is the .yo-rc.json
{
"generator-jhipster": {
"jhipsterVersion": "3.12.0",
"baseName": "MsgCenter",
"packageName": "com.company.test.msg",
"packageFolder": "com/company/test/msg",
"serverPort": "19002",
"authenticationType": "session-based",
"hibernateCache": "hazelcast",
"clusteredHttpSession": false,
"websocket": false,
"databaseType": "sql",
"devDatabaseType": "mysql",
"prodDatabaseType": "mysql",
"searchEngine": false,
"messageBroker": false,
"buildTool": "maven",
"enableSocialSignIn": true,
"useSass": true,
"applicationType": "monolith",
"testFrameworks": [
"gatling"
],
"jhiPrefix": "jhi",
"enableTranslation": true,
"nativeLanguage": "zh-cn",
"languages": [
"zh-cn",
"en"
],
"serviceDiscoveryType": false,
"skipUserManagement": true
}
}
I want to make MsgCenter to login via UserCenter Oauth2. How can I go?
Add information:
I had found this page How to perform actions on successful login via OAuth2 in jhipster
I'am not sure for this.
with your current setup, your second application, named "MsgCenter", is initially configured to have a own user management. For the moment, there is no automatically generated counter part for an oauth2 authserver for monoliths (the default option of JHipster).
How ever you can turn your MsgCenter into a oauth2 resource server by doing the following steps:
First, you change your WebSecurityConfiguration into a ResourceServerConfiguration (use #EnableResourceServer). There are samples how to do this if you generate a JHipster microservice with UAA scenario. But instead of JWT, you do the "normal" way via user info URI, and configure it like this
security:
oauth2:
client:
clientId: jhipsterOauth2SampleApplicationapp
clientSecret: my-secret-token-to-change-in-production # if still default
accessTokenUri: http://UserCenterUrl/oauth/access_token
userAuthorizationUri: http://UserCenterUrl/dialog/oauth
resource:
userInfoUri: http://UserCenterUrl/account
Refer to https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v and the links following from that
In your second step, you then should remove the user management from MsgCenter, as it is no longer needed anymore.
This approach is using the authorization flow, where the resource server is retrieving the users details by a user info uri.
The other approach is to use JWT tokens. JHipster provide a full oauth2 setup with authorization and resource servers connected to each other in the microservice UAA setup, which might help you as sample code to look for correct implementation.
Related
I tried to use the currently recommended Authorization Code Flow with PKCE to gather an access token from Active Directory. The client will be a public Angular SPA which is the reason for the chosen flow.
Gathering the openid-configuration form AD as well as the Authorization Code for a user worked well.
But I fail requesting the access token from the following endpoint:
https://login.microsoftonline.com/{tenantId}/oauth2/token.
I tried to reconstruct the request in Postman:
POST /7e8c2868-7490-4dd7-82b7-f5ec29222d30/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=authorization_code
code=...
code_verifier=...
client_id=...
redirect_uri=...
...and end up with the following message:
{
"error": "invalid_client",
"error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: ed0413ad-89f1-4a2b-8d68-e23498701800\r\nCorrelation ID: deb53b0d-5398-4f72-a9a5-6c0863547b99\r\nTimestamp: 2020-03-06 09:30:36Z",
"error_codes": [
7000218
],
"timestamp": "2020-03-06 09:30:36Z",
"trace_id": "ed0413ad-89f1-4a2b-8d68-e23498701800",
"correlation_id": "deb53b0d-5398-4f72-a9a5-6c0863547b99",
"error_uri": "https://login.microsoftonline.com/error?code=7000218"
}
This seems odd, since the official specification of the Authentication Flow with PKCE doesn't require a client_secret or client_assertion. This is only required for the default Authentication Flow.
Is there something wrong with the AD implementation or have i misconfigured it?
The manifest of the web client looks like this:
{
"id": "...",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": null,
"addIns": [],
"allowPublicClient": true,
"appId": "...",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "...",
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "...",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": [],
"publisherDomain": "...",
"replyUrlsWithType": [
{
"url": "http://localhost:4200",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "...",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null
}
And my application is registered as a public app in AD.
The Authentication request that was sent prior to that looked like this:
GET /.../oauth2/authorize
response_type=code
&client_id=...
&state=...
&redirect_uri=http%3A%2F%2Flocalhost%3A4200
&scope=openid%20user_impersonation%20offline_access
&code_challenge=...
&code_challenge_method=...
&nonce=...
Host: login.microsoftonline.com
Update 2021
Microsoft finally updated their portal, so we now have a UI to properly configure the Authorization Code Flow with PKCE.
All you have to do is open the Authentication-page of your registered AAD Application. There you can add a new Platform by clicking the button on the left:
Select the new Single-page application tile and enter your redirect urls.
Previous Answer (Manifest)
I just found the answer in the #azure/msal-browser package. At the moment Azure AD seems to be working on supporting this auth flow. To activate it you must set a new type for the redirection urls, that they just recently added.
To use the Authorization Code Flow with PKCE with Azure Active Directory you need to:
Set add a web plattform to your azure ad application and add your redirect urls.
Change the type of those redirect urls from 'Web' to 'Spa'. This must be done in the Manifest. Changing it will make the urls disappear from the Authentication Page. But that's ok, since it's still present in the Manifest.
Treat the web app as a public client (Authentication > Advanded settings > Default client type - 'Yes').
Now the token endpoint doesn't require a client_secret or client_assertion anymore.
I want to integrate authentication with local passport in hyperledger.
When I use google and GitHub passport it works.But when I tried to use it with local passport it does not work:
export COMPOSER_PROVIDERS='{
"local": {
"provider": "local",
"module": "passport-local",
"usernameField": "username",
"passwordField": "password",
"authPath": "/auth/local",
"callbackURL":"/auth/local/callback",
"successRedirect": "/",
"failureRedirect": "/",
"setAccessToken": false,
"callbackHTTPMethod": "post"
}
}'
Thanks.
I configured Chronograph to use generic OAuth 2.0 (using cloud foundry UAA). Users authentication works fine but the problem is that the default influxdb connection is not taken into consideration. In fact this configuration works:
chronograf --log-level="debug" --resources-path="/usr/share/chronograf/resources" --influxdb-url="http://influxDB.log.database:8086" --influxdb-username="usename" --influxdb-password="pass"
here is the content of /usr/share/chronograf/resources folder:
influxdb.src:
{
"id": "9999",
"name": "MyInfluxDB",
"username": "user1,
"password": "password1",
"url": "http://influxDB.log.database:8086",
"type": "influx",
"insecureSkipVerify": true,
"default": true,
"telegraf": "telegraf.autogen",
"organization": "Default"
}
Both connections are automatically created when chronoraf starts :
MyInfluxDB
http://influxDB.log.database:8086
but When I run chronograf with the following options (To use OAuth 2.0 and create an influxdb connection) :
export TOKEN_SECRET="token_secret"; export JWKS_URL="https://uaa/token_keys"; export PUBLIC_URL="http://chronograf:8888"; chronograf --log-level="debug" --resources-path="/usr/share/chronograf/resources" --generic-name="generic" --generic-client-id="id" --generic-client-secret="secret" --generic-scopes="openid" --generic-auth-url="https://uaa/oauth/authorize" --generic-token-url="https://uaa/oauth/token" --generic-api-url="https://uaa/userinfo"
The OAuth 2.0 works fine but once redirected to the chronograf dashboard I cannot see the connections and even when I created a connection manually and I log in I cannot found any connection that is created automatically on startup as wanted.
the field organization needs an id. The id for the Default orginization uses a lower case d. If you change your src file to,
{
"id": "9999",
"name": "MyInfluxDB",
"username": "user1,
"password": "password1",
"url": "http://influxDB.log.database:8086",
"type": "influx",
"insecureSkipVerify": true,
"default": true,
"telegraf": "telegraf.autogen",
"organization": "default"
}
It should now work.
you can see where the id is defined in their source here https://github.com/influxdata/chronograf/blob/9d8a49ba0ef8131cdce22d73718859f55f434db2/bolt/organizations.go#L20
I'm having issue authenticating with Azure Active Directory which is linked to a power BI service. I'm trying to get an access token so that I can access the power bi rest API.
If i use postman, I'm able to successfully use their OAuth2 login to retrieve a token that has the correct credentials to communicate with the power bi rest API.
However, when I try to do this with the adal.js the token is invalid. To simplify this to be able to reproduced, I based my project off
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi
You need to update window config in : \active-directory-javascript-singlepageapp-dotnet-webapi\TodoSPA\App\Scripts\app.js
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: <insert tenant>,
clientId: <insert clientid>,
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
endpoints: {
"https://api.powerbi.com": "https://analysis.windows.net/powerbi/api",
}
};
Workaround
I'm able to get the token via silent authentication where you have to hard code the username and password.
I followed this http://community.powerbi.com/t5/Developer/How-to-use-Power-BI-Rest-API-without-GUI-authentication-redirect/m-p/14218#M119 to create the request for silent authentication:
Post Url: https://login.windows.net/<tenant>/oauth2/token
Body:
password: <password>
username: <username>
client_id: <clientid>
client_secret: <secret>
grant_type: password
scope: openId
resource: https://analysis.windows.net/powerbi/api
I also validated that the account I used had the correct permission by using postman and authorization with OAuth2. The token I received had the correct permission for PowerBI.
Post Man Configuration
On postman, click on Authorization Tab -> Set Type to OAuth2.0 -> Get New Access Token:
The configuration you would use:
AuthUrl: https://login.microsoftonline.com//oauth2/authorize?resource=https://analysis.windows.net/powerbi/api
Access Token URL: https://login.microsoftonline.com//oauth2/token
Grant Type: Authorization Code:
Client ID:
Client Secret:
Go to https://dev.powerbi.com/apps to generate the clientID/ClientSecret and set the Redirect URL: https://www.getpostman.com/oauth2/callback
postman generated token:
{
"aud": "https://analysis.windows.net/powerbi/api",
"iss": "https://sts.windows.net/<id>/",
"iat": 1500464096,
"nbf": 1500464096,
"exp": 1500467996,
"acr": "1",
"aio": <value>,
"amr": [
"pwd"
],
"appid": <app_id>,
"appidacr": "1",
"family_name": "Sunderam",
"given_name": <userName>,
"ipaddr": "23.252.49.99",
"name": <name>,
"oid": <oid_id>,
"platf": "3",
"puid": <puid_id>,
"scp": "Content.Create Dashboard.Read.All Data.Alter_Any Dataset.Read.All Dataset.ReadWrite.All Group.Read Group.Read.All Metadata.View_Any Report.Read.All Report.ReadWrite.All",
"sub": <sub_id>,
"tid": <tid_id>,
"unique_name": <user_email>,
"upn": <user_email>,
"ver": "1.0",
"wids": [
<wid_id>
]
}
adal.js token
{
"aud": <aud_id>,
"iss": "https://sts.windows.net/<id>/",
"iat": 1501037728,
"nbf": 1501037728,
"exp": 1501041628,
"aio": <aio_id>",
"amr": [
"pwd"
],
"family_name": <name>,
"given_name": <name>,
"ipaddr": "23.252.49.99",
"name": ,"name"
"nonce": "b21969c3-ae73-4928-bcd0-e9c501f791e4",
"oid": <oid_id>,
"platf": "5",
"sub": <sub_id>,
"tid": <tid_id>,
"unique_name": <user_email>,
"upn": <user_email>,
"ver": "1.0"
}
Notice that the postman token has the scp, appid, and wids.
Any Advice appreciated,
Thanks,
Derek
You need to check the token via the request. For example, you can check it via the developer tools-Network tab(Chrome, F12).
And based on the token and code, the config seems incorrect. For the endpoints is the collection of {Endpoint-ResourceId} used for automatically attaching tokens in webApi calls.
You can use the config like below:
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: <insert tenant>,
clientId: <insert clientid>,
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
endpoints: {
"https://analysis.windows.net/powerbi/api": "https://api.powerbi.com",
}
};
More detail about this library, you can refer this link.
my aim is to create an oDataModel and consume my services. I can see my all entities under this url : https://s12hanaxs.hanatrial.ondemand.com/account_name/schema_name/service_name.xsodata/ with my trial account. I followed these steps to create oData service but I got Internal Server Error at 13th steps when I click the run button to load service metadata. The only difference that I made is to use Basic Authentication when I create the destination. And here my destination configuration :
Edit 1:
I wanted to show my.xsaccess file for my services :
{
"exposed": true,
"authentication": [{
"method": "Basic"
}],
"authorization" : [ "account_name.schema_name::Basic" ],
"mime_mapping": [{
"extension": "jpg",
"mimetype": "image/jpeg"
}],
"force_ssl": false,
"enable_etags": true,
"prevent_xsrf": true,
"anonymous_connection": null,
"cors": [{
"enabled": false
}],
"cache_control": "no-cache, no-store",
"default_file": "index.html"
}
I also can't send a http request via Postman. Any help would be appreciated.
Local sap Web Ide should work for you.