webfinger | A crate to help you fetch and serve WebFinger resources | REST library
kandi X-RAY | webfinger Summary
A crate to help you fetch and serve WebFinger resources.
Community Discussions
Trending Discussions on webfinger
QUESTION
I'm using OpenID Connect to control access to my REST API. One of the things I need to do when servicing a request is get the OIDC UserInfo based on the access token in the request's Authorization: Bearer ... header.
To this point I've been working with JWTs and this works fine. I'm looking at expanding this to work with opaque tokens as well.
My strategy has been based on my understanding of the OpenID Connect Discovery spec, section 4:
- Extract the iss from the access token.
- Discover the userinfo endpoint by getting ${iss}/.well-known/openid-configuration and querying the JSON for userinfo_endpoint.
- HTTP GET the userinfo_endpoint, passing the access token as an Authorization: Bearer ... header.
This works fine for opaque tokens... except for step 1. Currently, I have to know who the issuer is via an out-of-band mechanism because I don't know how to get the issuer from the opaque token (which, to be honest, makes sense given that it's opaque). I see a few possibilities:
- Maybe I'm just supposed to know who issued it and my question is misguided.
- Maybe the best thing to do is try a list of known issuers and see if one of them works.
- Maybe there's a mechanism for discovering the issuer of the opaque token. (The spec refers to WebFinger, but that doesn't seem like it fits my use case.)
- Maybe there's something I haven't considered...
Thanks all for any help.
...ANSWER
Answered 2021-May-27 at 17:32
The standard mechanism for dealing with opaque tokens is via introspection. Also the preferred option is for there to only be a single type of access token - issued by your Authorization Server (AS), which sits alongside your APIs.
The introspection result can be a claims payload or a JWT. It is common to plug in an API gateway, as in this article, so that the gateway makes the actual introspection call. The gateway should then cache results for subsequent calls made with the same access token.
An opaque token is typically a GUID or something similar, and the issuer value is not stored in the token - it is instead stored in the issuing Authorization Server's back end state. The only way to determine the issuer is to try to introspect the token.
FOREIGN ACCESS TOKENS
Aim to avoid using foreign access tokens in your APIs as in the following examples. This can make it difficult to control data added to tokens and token lifetimes:
- User signs in with Google - then API uses Google access tokens
- User signs in with Microsoft - then API uses Microsoft access tokens
It is preferred instead to use 'federated login capabilities' of your Authorization Server, leading to the following cleaner result, and fewer issues:
- User signs in with Google - then API uses your AS access tokens
- User signs in with Microsoft - then API uses your AS access tokens
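As an added example in Python (not code from the question or either answer), the flow the two describe: a JWT-shaped token yields an iss that is accepted only if it is on the allowlist and then goes through discovery and userinfo, while an opaque token is introspected (RFC 7662) at each known issuer. KNOWN_ISSUERS, the discovery document and mock_get/mock_post are constructed stand-ins for the Authorization Server so the code runs offline.

```python
import base64, json

# Constructed sample data, not a real AS: the one issuer we trust, its
# discovery document, and an introspection back end. mock_get/mock_post
# stand in for the HTTPS calls so the flow runs offline.
KNOWN_ISSUERS = ["https://as.example.com"]
DISCOVERY = {"userinfo_endpoint": "https://as.example.com/userinfo",
             "introspection_endpoint": "https://as.example.com/introspect"}
OPAQUE_STORE = {"opaque-abc": {"active": True, "sub": "bob"}}

def b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def mock_get(url, token):  # GET with an optional bearer token
    if url.endswith("/.well-known/openid-configuration"):
        return DISCOVERY
    return {"sub": "alice"} if url == DISCOVERY["userinfo_endpoint"] else {}

def mock_post(url, data):  # RFC 7662 introspection: inactive unless known
    return OPAQUE_STORE.get(data["token"], {"active": False})

def issuer_from_jwt(token):
    """Unverified 'iss' of a JWT, accepted only if it is a known issuer;
    None for opaque tokens. Signature, exp and aud are still checked later."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        pad = "=" * (-len(parts[1]) % 4)
        iss = json.loads(base64.urlsafe_b64decode(parts[1] + pad)).get("iss")
    except (ValueError, AttributeError):
        return None
    return iss if iss in KNOWN_ISSUERS else None

def resolve_user(token, get=mock_get, post=mock_post):
    """JWT: discovery + userinfo (the question's three steps). Opaque token:
    introspect at each known issuer until one reports it as active."""
    iss = issuer_from_jwt(token)
    if iss:
        conf = get(f"{iss}/.well-known/openid-configuration", None)
        return get(conf["userinfo_endpoint"], token)
    for cand in KNOWN_ISSUERS:
        conf = get(f"{cand}/.well-known/openid-configuration", None)
        info = post(conf["introspection_endpoint"], {"token": token})
        if info.get("active"):
            return info
    return {}  # unknown to every issuer we trust: reject the request

SAMPLE_JWT = ".".join([b64url(b'{"alg":"none"}'),
                       b64url(b'{"iss":"https://as.example.com","sub":"alice"}'), ""])
```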
QUESTION
I have a test which simulates a request from a remote server which does not exist:
...ANSWER
Answered 2020-Aug-01 at 15:33
HTTPretty uses a thread to simulate socket timeouts but is not handling exceptions correctly, see issue #334. The latter proposes a method for handling exceptions, but that hasn't been picked up by the maintainers (yet).
However, the message you see is printed by the default threading.excepthook() implementation. You can set your own hook; a no-op lambda would silence the errors:
QUESTION
I'm following the instructions to install Nextcloud on an nginx server. I copy the configuration from the official documentation, I set my server name and my SSL certificate path, and when I try to reach Nextcloud from my browser I get "500 Internal server error".
When I check the error.log I get
rewrite or internal redirection cycle while processing "/index.php"
This is my configuration file:
...ANSWER
Answered 2020-Apr-27 at 15:05
I solved the issue by re-uploading the configuration file via FTP; pasting it in nano on the SSH shell was a bad idea!
QUESTION
I've searched for this problem, but haven't got a solution yet.
I have Nextcloud installed on https://example.com/nextcloud.
Yesterday I installed Seafile, which works on https://example.com (I simply don't know how to make it accessible from, for example, https://example.com/seafile).
While I was setting it up, Nextcloud was switched off by deleting the link to the corresponding file in the sites-enabled directory. Seafile worked. But when I enabled Nextcloud, I got error 403 forbidden trying to access Seafile. I also enabled the info level in Nginx and there I got the following message:
ANSWER
Answered 2020-Feb-02 at 11:18
As Lars Stegelitz said, I have to run these services on different ports. I did that and now Nextcloud runs on port 445, and Seafile on 443 at the same time. I've added location /nextcloud and there is the directive proxy_pass https://192.168.1.134:445;
Here are my updated configs.
seafile.conf:
QUESTION
I am working with Gluu Server and trying to get the OpenID Connect configuration from the /.well-known/openid-configuration endpoint through a CORS/AJAX request (for use with an Angular app). However, when I try to request the endpoint from a locally hosted app/HTML file with XHR requesting the endpoint, I receive a 403 Forbidden error.
This only seems to happen when the request stems from a local context, i.e. Angular's development server or a local HTML file requesting the endpoint. If I open the same HTML file that performs the AJAX request, hosted on a server, it works.
The testing HTML file looks like the following
...ANSWER
Answered 2019-Mar-13 at 14:30
Turns out this problem was an amalgamation of two unrelated things.
First, and this is mostly conjecture, it seems that Chrome blocks requests from a local file (the HTML file) and simply provides output that is, to me, very confusing. I.e. the 403 error might be because Chrome blocks the CORS request somehow. I tried running Chrome with various flags, e.g. --disable-web-security and --allow-file-access-from-files, but this did not change the output from the local HTML file. So, the local file request still fails and I don't really know the exact reason. But, since this was just for testing it is not that relevant, for me, currently.
Secondly, an erroneous implementation in an interceptor in the Angular project overwrote all headers for requests. After fixing this, the local server was able to request the endpoint.
It just so happened that the output from the two different issues looked pretty much identical which threw me off.
QUESTION
I am using the Spring Boot MitreID OIDC application from here. This runs OK and I can login but there are no other options available to me:
I am trying to access it using simple-web-app. In simple-web-app I try to login using URI: http://localhost:8080/openid-connect-server-webapp/. This gives:
...ANSWER
Answered 2018-Dec-19 at 12:48
MitreID is serving on root but the sample app is calling on /openid-connect-server-webapp/. You'll want to change your sample app to point to the proper issuer: http://localhost:8080/ (maybe in the application.properties of your sample app?). Or your MitreID server is not configured properly (possibly for the issuer property).
See http://localhost:8080/.well-known/openid-configuration for all the endpoints your sample app would hit
QUESTION
I'm trying to add the route /.well-known/webfinger to WordPress in a plugin, e.g. http://exampleblog.com/.well-known/webfinger. I'm using the generate_rewrite_rules, parse_request, and query_vars hooks to load up some code that should run when the URL is matched. Here's what I've got:
ANSWER
Answered 2018-Oct-10 at 13:20
It turns out the problem was that I was running WordPress via php -S localhost:8080. When I ran a proper Apache webserver locally, generate_rewrite_rules worked as it was supposed to.
QUESTION
In this question the example answer starts with:
Suppose Carol wishes to authenticate with a web site she visits using OpenID Connect. She would provide the web site with her OpenID Connect identifier, say carol@example.com. The visited web site would perform a WebFinger query looking for the OpenID Connect provider.
So it sounds like example.com does not yet know which OpenID Connect provider can authenticate Carol? It has to use Carol's email address as a lookup key to find out which OpenID Connect providers can authenticate her?
A lot of sites have Authenticate with Github or Authenticate with Google, but in this case it looks like the site just figures out the authentication provider based on the email address of the person who wishes to authenticate. So instead of the person selecting the authentication provider, the site asks for the email address, and then figures out which authentication provider the user can use. So the sequence is something like:
- 1) User enters email address (Or userid)
- 2) Server looks up authentication providers using the email address / userid
- 3) Server displays a list of authentication providers that the user can select from
Did I understand this correctly?
ANSWER
Answered 2017-Nov-05 at 14:33
OpenID Provider Issuer Discovery is an OPTIONAL discovery service: the Relying Party knows the OP's Issuer location through an out-of-band mechanism, or uses WebFinger, which requires the website to provide:
resource = Identifier for the target End-User that is the subject of the discovery request.
host = Server where a WebFinger service is hosted.
rel = URI identifying the type of service whose location is being requested.
IMHO, the example from RFC 7033 supplied is misleading. Determining the issuer from "carol@example.com" is not well implemented by many of the providers. (At least what I could find)
I tried a few email addresses and could only get one to send a response. (Further, the example shows a simple HTTP GET and yet OpenID Connect Discovery requires HTTPS)
I did get "will@willnorris.com" to send a response. (See https://indieweb.org/WebFinger where Will Norris contributes)
I am also of the opinion that using OpenID Connect webfinger discovery, while convenient, is also a security concern.
I was able to do some discovery on bradfitz@gmail.com based on an entry dated 2010, but it was not as simple as a webfinger query as described in the example.
Perhaps some others will respond.
Generally the website must register (a Client ID), which may be performed dynamically, with each OpenID Connect provider they wish to work with.
QUESTION
Reading the description here it says:
WebFinger — Enables dynamic discovery of the OpenID Connect provider for a given user, based on their email address or some other information.
Can someone give an example of how this works (Description is somewhat abstract)?
...ANSWER
Answered 2017-Nov-04 at 19:17
WebFinger is a protocol defined in RFC7033. There is a complete example in section 3.1:
3.1. Identity Provider Discovery for OpenID Connect
Suppose Carol wishes to authenticate with a web site she visits using OpenID Connect. She would provide the web site with her OpenID Connect identifier, say carol@example.com. The visited web site would perform a WebFinger query looking for the OpenID Connect provider. Since the site is interested in only one particular link relation, the WebFinger resource might utilize the "rel" parameter as described in Section 4.3:
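The WebFinger lookup from the RFC 7033 section 3.1 example, as an added example in Python that is not part of either answer above: it normalizes the user's identifier to a resource and host (simplified rules from OpenID Connect Discovery 1.0 section 2), builds the HTTPS query with the resource and rel parameters, and extracts the issuer from the JRD only after the subject, rel and https checks a relying party needs. SAMPLE_JRD is a constructed reply; nothing is fetched over the network.

```python
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def normalize_identifier(user_input):
    """Simplified OpenID Connect Discovery 1.0 section 2 rules: e-mail style
    input becomes an acct: URI, anything else is a URL (https assumed, fragment
    dropped). Returns (resource, host) where host is where WebFinger lives."""
    s = user_input.strip()
    if "@" in s and "://" not in s and not s.startswith("acct:"):
        s = "acct:" + s
    if s.startswith("acct:"):
        if "@" not in s:
            raise ValueError("acct: identifier has no host part")
        return s, s.rsplit("@", 1)[1]
    if "://" not in s:
        s = "https://" + s
    s = s.split("#", 1)[0]
    return s, urlsplit(s).netloc

def webfinger_url(user_input):
    """The query the visited site would send for Carol, always over HTTPS."""
    resource, host = normalize_identifier(user_input)
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"

def issuer_from_jrd(jrd_text, expected_resource):
    """Extract the OP issuer from a JRD with the checks a relying party needs:
    the subject (if present) matches what we asked for, the link rel matches,
    and the issuer is an https URL with no query or fragment. The RP must then
    still confirm that the issuer's openid-configuration 'issuer' equals it."""
    doc = json.loads(jrd_text)
    if doc.get("subject", expected_resource) != expected_resource:
        return None
    for link in doc.get("links", []):
        if link.get("rel") != OIDC_ISSUER_REL:
            continue
        href = link.get("href", "")
        p = urlsplit(href)
        if p.scheme == "https" and p.netloc and not p.query and not p.fragment:
            return href
    return None

# Constructed sample JRD in the shape of the RFC 7033 section 3.1 reply.
SAMPLE_JRD = json.dumps({
    "subject": "acct:carol@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://openid.example.com"}],
})
```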
QUESTION
I have a web application that runs on a WSGI server. The application has OpenID Connect identity provider endpoints, for instance:
ANSWER
Answered 2017-May-18 at 18:37
The problem is the setting location ~ /\.well-known { allow all; }. This should be removed. Additionally, the setting include /etc/nginx/default.d/*.conf; includes a default config file which also has the setting location ~ /\.well-known { allow all; }. This setting should be removed from that file too.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install webfinger
Rust is installed and managed by the rustup tool. Rust has a 6-week rapid release process and supports a great number of platforms, so there are many builds of Rust available at any time. Please refer to rust-lang.org for more information.