First time posting, long time reading.
I want to perform a silent authentication against Azure AD but I can't seem to get it to work.
Please find image below which outlines steps and overall solution approach.
This is the current approach I have set up and it is working quite well:
User logs in and is authenticated against a SaaS solution via Azure AD.
On the front page within the SaaS solution, user clicks on a widget which opens up a modal window.
Ajax call (POST) (bootstrap-table) is made which calls a php-script from another domain.
PHP script receives ajax request (CORS settings are ok). Here is where I would like the script to perform a silent user authentication against Azure AD and return user's email. It should not in any way display any login-screens or account selection screens. If the authentication fails it should just exit... perhaps with a error message.
Once authenticated, php-script performs API call(s)
On successfull call, JSON data is returned
And JSON returned from PHP-script is displayed on front page (bootstrap-table).
I've been trying with various examples/libraries (thephpleague/oauth2-client, magium/active-directory, ...) and I'm able to authenticate fine via Azure AD App but there is always a login-screen present or select account screen is displayed.
The reason for this approach is that I believe CORS are not secure or perhaps should not be used as a security measure. And also, because some browser does not seem to return Origin I am experiencing some issues...
Now, I'm more of a hobby-developer and perhaps this is in no way possible to achieve but I would like to believe it is and would appreciate any tips/hints on how to perform this silent activity/authentication.
Thank you!
Related
I have a problem setting up simple single sign on with Azure AD for our pHp website. The app is registered in azure and I have all the necessary details like Client ID, secret, tenant.
My requirement is to get authorized and also pull back the user's employee id, name and email id. I am working on single sign on for the first time, and need some help on this.
While creating the authorization URL, I am requesting for code, which is right according to the Azure documentation. I am successfully able to retrieve the code after authorization. However, I am not able to request id_token along with code as response_type=code+id_token, which should be possible. I could trace the URL flow and extract the id_token field manually. If I do this, I am prompted with the logon and MFA. But the response goes into infinite loop by just prompting with infinite number of MFA pings on my phone. This is weird, my program has a check to redirect on code response, which doesn't seem to work. I have tried using session_id cookie too, which has the same behavior.
If I just choose code as response type and request for id_token using token granting URL, I don't get any response back. Its blank or null but no errors.
Can you please help suggest if I am making a mistake. Is my method right or wrong to request code first and token next. How can I successfully retrieve id_token.
Just summary the comment into reply to help others who have the same problem.
response_mode: Specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
If you want to use code + id_token in the response_type,you should be using OIDC Hybrid Flow.
However, if you just use code in the response_type, you should be using Authorization Code flow.
For more details, you could refer to this SO thread.
I'm doing a soap request to an external API using Laravel & Guzzle. All other calls have succeeded to get the actual response but for the redirecting user to the external page has failed because the external API web service only allows my server IP to access that page.
I have tried:
windows.location (javascript)
location header (PHP)
return redirect URL (PHP)
This is their documentation on how to redirect in VB language :
redirection code in VB
All of these methods only use the browser redirection which is using user IP not the server IP.
Any method that I can use to redirect user using my server IP that you guys can recommend?
Thanks in advance.
Extra context/information:
Example screenshot for the fourth call which include get the quotation number and generate the url parameter
That is the code for VB that they provided in API documentation. So why I want to bring the user to the page? It is because when the GetQuotation (fourth call) is already submitted to their database and it will return QuoNo that will be used in the URL parameter. When the user gets redirected to the external page with parameter QuoNo=12412194149124, their backend will query for the quotation details that the user fills in my side (mydomain.com/form) and auto filled it on their side (otherdomain.com/form).
If you see from the screenshot, the System.Diagnostics.Process.Start will execute the url once the Quotation number (QuoNo) is generated. So once the user click on the 'buy now' button on our end (mydomain.com/form), it will call the fourth call (GetQuotation guzzle function) and generate a Quotation Number (QuoNo) then it will be populated in http://otherdomain.com/main.a5w?tokenid=wm-9Kj-14e-Fa4-I1adlXrQ00weqwe3S&QuoNo=QUO022348921312301623. Based on what my understanding on VB code, System.Diagnostics.Process.Start will force the url to be opened.
I'm sorry if it's still lacked of info given. Feel free to ask more. Thank you
What you want can not be achieved sadly. The only thing you can do with the redirect is tell the browser where to go, you have no control over the IP here since this would pose all kinds of issues regarding security and identification. The only way to achieve what you want is to wrap the html of the resulting webpage in your website or remove the restriction of the ip addresses. Another solution could be to build a simple page which is accessible to everyone and limit the API routes to specific IP addresses. For example:
Let's assume the payment gateway is at: example.com/checkout, this one would be accessible to everyone and would contain a form to which you can perform the redirect and fill this form with the passed data.
This form would then post the information to example.com/api/v1/checkout which will process your form data and return if the transaction was succesful. Based on this return the user will be redirected to another page. This is assuming you have control over the other domain since only with your server IP you can access this site.
If this is not the case there is no other way than to post the data to an endpoint via guzzle and use these return values to provide feedback to the user.
I hope this answers your question, if anything is unclear please let me know.
So I've start building an application for a website in Swift. The main goal is to have an iOS App which can receive notifications (in JSON from website) and can show all the features of the website.
So I can login and sign-up from the app to my database but the thing is I don't understand how to take out my session login and display it in an UIWebView. So the user has just to log-in and he can see the website with his account. The only thing I can make is to show the website as a guest.
Can someone help me please ?
As far as I know UIWebView does not store/send any cookie(session) for your web site. That means you're always not authenticated.
In order to complete your task you need to create your own cookie handling mechanism.
You need to save auth cookies sent to you by the server in response HTTP header, e.g.
Set-Cookie: JSESSIONID=ABAD1D;
Then you need to make any required request and MANUALLY put cookie header filed in your request header e.g.
Cookie: JSESSIONID=ABAD1D
Save response somewhere and render HTML in a WebView
BOTTOM LINE: All this stuff is a huge overhead to your app. Instead you need to write API of your web-site specifically for iOS(and other) apps, using different authentication approach and data transfer (well known).
What you want to do is basically create a little browser, I don't think it is a good idea.
I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not bad thing, but you need to think about this:
1. You should design your API, so only legitimate operations can be made. In example: person shouldn't be able to delete whole database using API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (authentication token should be stored in session and verified in server-side with every API call).
If you want to hide POST/GET Params form console. Try to make JSONP call in angular . JSONP calls are not real ajax requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response and you can also authenticate the requesting IP in your laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
I am trying to make a dashboard application, that among others will retrieve information from a xing account and store it in our database. Right now, we the default oauth implementation, if the user is not logged in, it asks for his permission, and then returns back to the webpage that all the information is shown.
We need to automate the login process, so that every day for example, our php script will run and copy our xing contacts in the database. But we need that happening without manually loging in to Xing.
I have read/tried a lot of the curl/php scripts for logging in a website, but none of them actually worked for xing.
Can someone please provide me with the php script that would just login to xing.com?
Thanks a lot for your time...
Xing seem to have an API. That would be the vastly superior way to fetch data from them.
Scraping the web site is prone to breaking, and probably against their Terms and Conditions, too.