openidconnect | OpenId Connect Integration for ownCloud | Authentication library
kandi X-RAY | openidconnect Summary
OpenId Connect Integration for ownCloud
Trending Discussions on openidconnect
QUESTION
I'm trying to figure out what the best option for solving this problem is. I have a frontend application that will cater for both normal users and different company users. I want normal users to only see the email and password fields, while company users see their respective IdP without seeing other companies' IdPs.
At first, I was thinking of using a custom policy to achieve this. Basically I'll have a custom claim in the OutputClaims that specifies the domain, and inside my orchestration I'll have a precondition: if it doesn't exist, then use the email and password step and skip everything else, but if it exists, then skip the email and password step and match it to an IdP selection step (if domain == companyX use CompanyX's IdP (GSuite), or if domain == companyY use CompanyY's IdP (AAD)). So when company users get to the selection page they can only see their IdP and not the others. I'm not sure how scalable that would be though.
The second option I thought of was to have one ROPC policy for normal users and another policy for IdP selection, but this time passing a domain_hint when the user attempts to log in. The reason I would go with ROPC on this option is to give users a consistent experience: normal users see fields on the page while company users see a single IdP button that signs them in directly through the domain_hint (Sign-Direct). Essentially having all the UI controlled by me instead of Azure.
Example:
- domain_hint=CompanyX - I would have a TechnicalProfile with the domain CompanyX (GSuite)
- domain_hint=CompanyY - I would have a TechnicalProfile with the domain CompanyX (AAD)
Now this approach seems more intuitive, but my concern is that since ROPC uses the Authorization Flow, which contains a refresh token, while the IdP selection flow uses OpenIdConnect, which doesn't contain a refresh token (or at least it is managed by Azure B2C), it would screw up how I manage my tokens.
Is there a better way to implement this situation?
I feel like I'm missing something or I'm misinterpreting something.
ANSWER
Answered 2021-Jun-15 at 14:23
This sample shows how to implement your first option. The technique is called "home realm discovery". https://github.com/azure-ad-b2c/samples/tree/master/policies/home-realm-discovery-modern
QUESTION
This is my code and it is not working:
ANSWER
Answered 2021-Jun-10 at 15:38
The problem was simple: I was setting up the OIDC options twice, so I was taking the bad ones. The solution is to remove { options.Prompt = "login consent"; // For sample purposes. } and then set up everything in the other options.
QUESTION
I am trying to integrate Azure AD into my web app using the OpenIDConnect approach. When I try to deploy the built EAR file on WebLogic I get NoClassDefFound for com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse. I have included oauth2-oidc-sdk-5.24.1.jar in the WEB-INF/lib folder, and also verified that it is actually present within the EAR file, yet the application deployment fails complaining it is not able to find this class.
I found a similar issue here. So I tried deploying both oauth2-oidc-sdk-5.24.1.jar and the gson jar file as a library along with my Java web app, but that did not help either.
Much appreciated if I can get any pointers or suggestions to overcome this error.
The full stacktrace during deployment:
ANSWER
Answered 2021-Jun-01 at 02:18
This is usually caused by incompatible versions. You can try different versions of oauth2-oidc-sdk until you find a compatible package. Or you can also change the version of Spring to achieve version compatibility, as mentioned in the comments.
QUESTION
I am trying to create a login MVC application in .NET through which any identity provider that supports OpenIdConnect for authentication and OAuth 2.0 for authorization should be able to communicate. The objective is that all my microservices will then call the login service (which will act as a proxy) to perform single login, single logout and authorization via different identity providers such as Ping Identity, Okta or perhaps Azure AD. Which NuGet package will be best to use in my login MVC application: Microsoft.AspNetCore.Authentication.OpenIdConnect or Microsoft.Owin.Security.OpenIdConnect? If there is any other library please shed some light. I am new to OpenIdConnect and IdP providers, so please help me out here.
ANSWER
Answered 2021-Jun-01 at 06:47
I would use Microsoft.AspNetCore.Authentication.OpenIdConnect for ASP.NET Core projects and Microsoft.Owin.Security.OpenIdConnect if you are using .NET Framework.
QUESTION
I have a number of applications that authenticate users through single sign-on (SSO) with Auth0. One of these is an ASP.NET Core MVC application, which uses the ASP.NET Core OpenID Connect (OIDC) middleware. The single sign-on works fine. For single sign-out from the current app, I'm calling Auth0's /v2/logout endpoint from the OnRedirectToIdentityProviderForSignOut event, per Auth0's quickstart example. However, I don't know how to configure the app to clear the local session when there is an SSO session sign-out from another app. Auth0 mentions:
Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality you will have to handle this in one of two ways:
Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client, which does this redirect in a hidden iframe. If you take the hidden iframe approach you need to be aware of rate limits and third-party cookie issues.
Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.
I get the impression that the checkSession suggestion is intended for SPAs. How does the ASP.NET Core OpenID Connect middleware handle such SSO session sign-outs? Does it automatically re-authenticate with the authentication server at regular intervals? If so, how can this frequency be configured?
ANSWER
Answered 2021-May-28 at 16:53
The AddOpenIdConnect middleware has a dedicated URL that it listens on and that the external provider can call after it has signed out the user.
The URL is defined in the source here and looks like this:
QUESTION
- I created a new Azure AD B2C.
- I created a new application.
- Accounts in any identity provider or organizational directory (for authenticating users with user flows)
- provided a redirect URL of my app (I also tried by giving external URL, https://jwt.ms)
- Generated a secret key and certificates.
- I enabled Implicit grant and hybrid flows.
- I created a new user flow for sign-up and sign-in, ran this flow from the Azure portal, and it successfully runs and shows a token on https://jwt.ms.
- I cloned the sample app (WebApp-OpenIDConnect-DotNet), ran it with the default values that came with the sample app, and everything works fine.
- I added my client id, instance, domain etc. settings to the appsettings.json file.
- When I run it and click on the login button, it generates the URL but it never takes me to the login page; instead it takes me to the redirect URL without any code or query string in the URL.
I am expecting the azure AD B2C signin page to appear, and only after login , it will take me to the redirect URL.
Can you please guide me what I am missing here or let me know if more information is needed here ? I will try my best to provide as much information as possible.
ANSWER
Answered 2021-May-25 at 06:32
As stated by Jas Suri, it was due to a URI mismatch. I checked in Chrome dev tools and found the issue. Thanks to the excellent community on Stack Overflow.
QUESTION
I'm trying to force a password reset after the first logon (in Azure AD B2C) using Custom Policies, as explained in the "reset password" repo.
I'm using custom policies, and a validation error occurs while I'm trying to upload the "SignUpOrSignin.xml" custom policy. The message is:
A required Metadata item with key "ApplicationObjectId" was not found in the TechnicalProfile with id "AAD-UserRemoveMustResetPasswordUsingObjectId" in policy "B2C_1A_signup_signin" of tenant "resetpasswordtest.onmicrosoft.com"
These are the steps I followed:
- I downloaded the custom policies XMLs file from this GitHub example (as stated at the end of the readme.md file)
- I "substituted" the "yourtenant.onmicrosoft.com" and "facebook client"
- I "merged" the "SignUpOrSignin.xml" and "TrustFrameworkExtensions.xml" with the ones taken from the "reset password" repo.
- I created the "mustResetPassword" extension attribute (using the Azure portal)
- I created one user using the Graph utilities (that way I'm 100% sure that the user has been created in a safe way with the proper "mustResetPassword" extension attribute)
- Finally I uploaded the following xmls into the portal (in order):
TrustFrameworkBase.xml
TrustFrameworkExtensions.xml
PasswordReset.xml
ProfileEdit.xml
SignUpOrSignin.xml
The problem occurs when I try to upload the last one (SignUpOrSignin.xml). What is wrong here? Here you can find the full implementation of the previous 5 XML files.
Please take a look at the following section, where I pasted the "TrustFrameworkExtensions.xml" and "SignUpOrSignin.xml" custom policies.
Thanks for reading
ANSWER
Answered 2021-May-24 at 21:10
You missed out configuring the policy for extension attribute support. https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy#azure-ad-b2c-extensions-app
This entire process can be automated with my tool, https://aka.ms/iefsetup, before starting to use the samples.
QUESTION
I know how SAML works and I know how OAuth and OpenID Connect work. I know that SAML is for authentication and OAuth for authorization. But in certain articles it is mentioned that when the iPhone came out in 2007, SAML lacked authentication in that case (for mobile apps). I am unable to understand why, besides delegated authorization, we needed OAuth to tackle the mobile authentication problem (now being done by OpenID Connect), or how SAML was unable to deal with that issue. Can someone help resolve this confusion? Thanks
ANSWER
Answered 2021-May-18 at 08:26
OAuth and OpenID Connect are JSON based and work well in any technology, including web and mobile.
SAML is an older (back end) standard based on XML. It is still widely used in Identity providers, for signing users in.
These days people write apps (UIs and APIs) in terms of OAuth and OpenID Connect - and never use SAML directly. This results in simpler code in mobile apps, single page apps and APIs.
This means the apps interact with an Authorization Server (AS). The AS can talk to identity providers (to support multiple ways to sign users in). This can include integration with SAML providers if required.
See also my recent answer on thinking of OAuth in terms of application capabilities.
QUESTION
I know this question has been asked before, and I've seen several of the SO responses and read the AWS docs on the subject... I have a Terraform module that, in part, builds out an ECS service, cluster, task, and Fargate container:
ANSWER
Answered 2021-May-14 at 13:54
The whole problem had nothing to do with AWS, but the server I am running (WebLogic) failed to start because I was trying to mount EFS at /, which cannot be done as it would overlay many critical startup and credential files. If I had the whole filesystem already on EFS (which I did not, I used a blank filesystem), then this likely would have been fine. I mounted it successfully to a lower subdirectory and the container spun up and is running.
QUESTION
I am trying JSON web token authentication in a .NET Core web API. Below is the code in startup.cs:
ANSWER
Answered 2021-May-14 at 03:25
The exception message in your case does not reveal much detail about exactly what happened. That is due to the PII being hidden.
PII is Personally Identifiable Information. Identity exceptions or any logging from Microsoft Identity hides that information by default for privacy reasons. You can choose to show it during development. That will help you get some insights into the exception. Enabling it only during development will make sure you don't accidentally throw some personal information about your users in production.
In your startup class, add the option to show PII.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install openidconnect
The auto provisioning mode will create a user based on the provided user information as returned by the OpenID Connect provider. The config parameters 'mode' and 'search-attribute' will be used to create a unique user so that the lookup mechanism can find the user again.
loginButtonName - the name as displayed on the login screen which is used to redirect to the IdP
autoRedirectOnLoginPage - if set to true the login page will redirect to the Idp right away
provider-url - the URL where the IdP is living. In some cases (Keycloak, Azure AD) this holds more than just a domain but also a path
client-id & client-secret - self-explanatory
scopes - depending on the IdP setup, needs the list of required scopes to be entered here
insecure - boolean value (true/false); if true, no TLS certificate verification takes place when talking to the IdP, so a network attacker could impersonate the IdP - DON'T use in production
provider-params - additional config depending on the IdP is to be entered here - usually only necessary if the IdP does not support service discovery
auth-params - additional parameters which are sent to the IdP during the auth requests
redirect-url - the full url under which the ownCloud OpenId Connect redirect url is reachable - only needed in special setups
use-token-introspection-endpoint - if set to true the token introspection endpoint is used to verify a given access token - only needed if the access token is not a JWT
token-introspection-endpoint-client-id & token-introspection-endpoint-client-secret - client id and secret to be used with the token introspection endpoint
post_logout_redirect_uri - a given url where the IdP should redirect to after logout
mode - the mode used to search for the user in ownCloud - either userid or email
search-attribute - the attribute which is taken from the access token JWT or from the userinfo endpoint to identify the user
allowed-user-backends - limit the users which are allowed to log in to a specific user backend - e.g. LDAP
use-access-token-payload-for-user-info - if set to true, all user information is read from the access token payload. If set to false, the userinfo endpoint is used (starting with app version 1.1.0)
When registering ownCloud as an OpenID client, use https://cloud.example.net/index.php/apps/openidconnect/redirect as the redirect URL. If OpenID Connect Front-Channel Logout 1.0 is supported, enter https://cloud.example.net/index.php/apps/openidconnect/logout as the logout URL in the client registration at the OpenID Provider. We require frontchannel_logout_session_required to be true, so the provider includes iss and sid in every logout request and only the matching session is ended.
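With frontchannel_logout_session_required set to true, the provider loads the logout URL above in a hidden iframe with iss and sid query parameters, and the relying party must end only the local session that was established from the ID token carrying that sid. Below is an added Node.js example of such a handler; it is not the app's PHP code. The provider URL mirrors the provider-url setting, and the session store (ownCloud session ids, users and the sid recorded at login) is constructed for the demo.

```javascript
// Added example, not the ownCloud app's code: a front-channel logout handler for
// the URL the IdP is registered with, enforcing frontchannel_logout_session_required.
// Provider URL and session store are constructed for this demo.
const PROVIDER_URL = 'http://localhost:3000';   // the 'provider-url' setting

// Local session store: ownCloud session id -> { user, sid }. At login the RP
// records the 'sid' claim from the ID token so it can correlate logouts later.
const sessions = new Map([
  ['oc-sess-1', { user: 'alice', sid: 'idp-sid-111' }],
  ['oc-sess-2', { user: 'alice', sid: 'idp-sid-222' }],   // same user, second browser
  ['oc-sess-3', { user: 'bob', sid: 'idp-sid-333' }],
]);

// Handles GET <logout_uri>?iss=...&sid=... and returns an HTTP-like result.
function handleFrontChannelLogout(queryString) {
  const q = new URLSearchParams(queryString);
  const iss = q.get('iss');
  const sid = q.get('sid');
  // session_required: a request without both parameters is malformed, not a
  // licence to log out every session of some guessed user.
  if (!iss || !sid) return { status: 400, ended: [] };
  // Only our configured provider may end sessions it established.
  if (iss !== PROVIDER_URL) return { status: 400, ended: [] };
  const ended = [];
  for (const [id, s] of sessions) {
    if (s.sid === sid) {           // exact sid match: other sessions of the user stay
      sessions.delete(id);
      ended.push(id);
    }
  }
  // 200 whether or not a session matched; the iframe response is never displayed.
  return { status: 200, ended };
}
```

Note that a front-channel logout request is unauthenticated by design (it arrives from the user's browser), which is why the handler refuses to act on anything but an exact iss and sid pair rather than, say, a user name.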
In order to allow other clients to use OpenID Connect when talking to ownCloud, set up a redirect on the web server pointing .well-known/openid-configuration to /index.php/apps/openidconnect/config. This is an .htaccess example. The Apache modules proxy and proxy_http need to be enabled (Debian/Ubuntu: a2enmod proxy proxy_http).
There are various open source IdPs out there. The one with the most features implemented seems to be panva/node-oidc-provider. CAUTION: node-oidc-provider does not accept the redirect URLs we need for ownCloud clients. For release testing, use kopano konnectd instead.
Clone panva/node-oidc-provider
yarn install
cd example
Add the client config into https://github.com/panva/node-oidc-provider/blob/master/example/support/configuration.js#L14:

    module.exports.clients = [
      {
        client_id: 'ownCloud',
        client_secret: 'ownCloud',
        grant_types: ['refresh_token', 'authorization_code'],
        redirect_uris: ['http://localhost:8080/index.php/apps/openidconnect/redirect'],
        frontchannel_logout_uri: 'http://localhost:8080/index.php/apps/openidconnect/logout',
      },
    ];

    // Enable introspection
    module.exports.features = {
      devInteractions: { enabled: false },
      introspection: { enabled: true },
      deviceFlow: { enabled: true },
      revocation: { enabled: true },
      issAuthResp: { enabled: true },
    };
Start the IdP via: node standalone.js
Open in browser: http://localhost:3000/.well-known/openid-configuration
The ownCloud configuration looks as follows:

    $CONFIG = [
      'openid-connect' => [
        'provider-url' => 'http://localhost:3000',
        'client-id' => 'ownCloud',
        'client-secret' => 'ownCloud',
        'loginButtonName' => 'node-oidc-provider',
        'mode' => 'userid',
        'search-attribute' => 'sub',
        'use-token-introspection-endpoint' => true,
        // do not verify tls host or peer
        'insecure' => true
      ],
    ];
Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information necessary to initiate the OpenID Connect flow. Use the granted access token in any request to ownCloud in a bearer Authorization header.
You can log in with any credentials, but you need to make sure that the user with the given user id exists. In a real-world deployment the users will come from LDAP. Keep in mind that by default the oidc app will search for the email attribute, which is hardcoded to johndoe@example.com (ref). If you wish to map the login name on the oidc-provider to ownCloud user ids, you can configure it as follows: