wso2 identity server Identify a particular session in browser - wso2

I'm Developing a Oauth Authentication based Web Application Where the user is logged in chrome, Edge and Firefox browsers. I get the list of active sessions(chrome,edge and firefox using agent parser) in Active session API response. But my requirement here is i want to display the current session in my web application as chrome only if the user's current session is in chrome and simultaneously i have to display current session as edge only if the user has logged in Edge and same for firefox. how will i be able to differentiate between the user's current browser session in the response. Any help would be highly Appreciated.

If i got you correctly, you want to obtain users browser name right? if yes, you can get it from the user-agent header.

Related

Cookies filtered out only in chrome

I have a chrome extension which use Oauth to authenticate users. This authentication create cookies which are shared to detect authentication on my other applications.
So when i'm authenticated by oAuth on my extension, i can go on another app and then if i refresh i'm connected without getting login process. This because cookies created by my OAuth process are shared and detected on others app.
This works fine on browser like Mozilla or Opera but don't works on Chrome cause cookies are filtered out with that info message :
this cookie was blocked because its path was not an exact match for or a super directory of the request url's path.(shown on screen by cookies with question mark (AUTH and KEYCLOAK prefixes)
Cookies with AUTH and KEYCLOAK on yellow are filtered out
How could i manage Chrome to accept those cookies ? But more, how could i manage this programmatically on request which have created cookies cause i can't tell my users to modify their Chrome configuration ?

How to implement QR code cross login from mobile app as authentication method for website or webapp in a vendor agnostic way?

I am using Django 2.2 for my webapp.
And I have been looking for tutorials that cater for QR code cross login to webapp using mobile app.
Basically the workflow is like this:
expected workflow
User arrives at website on desktop
Given a choice of username/password or QR code login (We assume user is registered)
User chooses QR code to login
User is prompted to install mobile app (can be android or iOS)
User installs mobile app and logins using username/password.
On mobile app, user then agrees to future login using QR code as alternative (this is done once)
After this, in future logins, when User chooses QR code to login as per step 3. They use the mobile app to scan QR code generated on the website login page.
The mobile app then uses FaceID or FingerPrint ID (assuming iOS) to then allow login. The user presses a Yes button on the mobile app to confirm login.
Somehow the webapp is notified dynamically and allows login on the desktop browser.
I don't quite get how the mobile and the web app at the backend all work with one another to achieve this seamlessly.
What I did find
I did find this library https://github.com/aruseni/django-qrauth which seems no longer maintained. But I still cannot quite get how the flow works between mobile app and webapp backend.
I also found this https://medium.com/#ksarthak4ever/django-two-factor-authentication-2ece42748610 which seems to use the mobile phone as a 2FA device. Not exactly the use case I am looking for unless I misunderstood.
I did find this article https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/ which is what gave me the term "cross login". However, the article is tilted heavily towards this particular vendor.
I am looking for an "understanding" of the concept without being reliant on the specifics of the vendor implementation.
What I am not looking for
In case, my question is poorly phrased and gets misunderstood, I have included this section to make clear what I am not looking for.
I am not looking for the use case where the QR code serves as a 2FA confirmation for the authenticator app.
I am also not looking at code examples yet. I just want a clear understanding first of how things work between the mobile and web app. I believe JWT is needed though I am guessing.
A workflow is more appreciated than actual code because I want to gain an understanding first of how this works.
The key concept is that login occurs when a user and browser are matched. A user means a user(or a user device) already recognized(authenticated) by the server.
user's PC browser requests QR login to server (without any account information)
server makes login request key and send the key to the user's browser. the key is displayed as QR code. (the role of this key is to identify the browser)
user's already logged-in device(user) read the key(QR) and sends a login acceptance request to the server with the key.
At this point, the server knows who both the user and the browser are.
The server allows the browser to log in as the user.
The key to identify browser could be session or web socket channel or any other form of information.
The server must store the key until the login process is complete.
If a valid login acceptance request is received, the server should prompt the browser to log in.(server->client, push). there are several techniques for accomplishing this.(polling via AJAX, Web socket, push notification services, etc..)
I'll explain it with Django-channels web socket framework. (In this case login request key and channel name is same. but different key and channel name is also okay.)
browser: user chooses QR login. (without any account information)
Backend: web socket channel is made. name of the channel is securely randomly generated string(FOO). key(FOO) is stored in redis as Django-channels[redis] made a channel named that string(FOO). send the key(FOO) to user's browser.
browser: get the key(=channel name=FOO) and open the web socket channel(FOO). and also displays QR code(FOO).
user(smart phone): user launch smart phone app(already logged in). and scan the QR code(FOO). user smart phone app send a login acceptance request to the server with QR code's information(FOO)
Backend: server send securely generated login key(BAR) via web socket channel(FOO).
browser: get login key(BAR) via web socket channel(name is FOO) and redirect to login url with login key(BAR).
server: get the login key(BAR) and let the browser to log in as the user
login request key(FOO) could be a JWT(contains key, url, expire, etc..) or just secure string(varies depending on the scenario). it doesn't contains account information and server must store it.
login key(BAR) is usually a JWT. with JWT, it contains account information and server does not have to store the key.(stateless)
I think you wanna do something like WhatsApp’s web where the users log to the web app by QR code, if I was doing such implementation I’ll do it as follows.
When the user arrives to the login page, we create a logInSession with a random token and we save it to the database.
we send that random token to the browser, which will render QR code based on the random token. We start a pooling for ‘log_me_in’ view to check if the user scanned the barcode.
The user goes to the mobile app and select log-on browser activity which will launch the camera.
Once QR is read on the phone, make a request to the backend with the scanned token and update the logInSession with the username.
With the next call to ‘log_me_in’ view, log the user in based on the username and tell js to redirect to homepage.
Hope this is clear enough.

ADFS 4.0 Disable browser cookies

I am using ADFS 4.0 for authenticating into my mobile application using OpenId Connect / OAuth2 flow. Basically when I sign in to my application, my mobile appliaction opens a browser to start the flow. Whenever I sign out from the application, I need to fire the ADFS sign out page to clear the cookies and redirect back to the application.
The problem I have is that when I successfully authenticate through ADFS, I need to perform some user validation in my API for the user which sometimes can fail. If the validation fails, the session cookies stays in the mobile devices browser, so the user is not prompted for credentials anymore, so hes stuck in a loop where he cannot sign in to the application again. I really don't even need the session cookies stored into the mobile devices browser because I am using the access and refresh tokens to handle the flow after the authentication.
I have configurated my application as native application / Web API in ADFS. Is there any way I could disable the cookies to be saved in the mobile devices browser or is there any other approaches for this problem?
Are you using authorization code grant flow?
If yes, you can use prompt parameter in authorization request. As explaining in this document about prompt , with prompt=select_account, user will be forced to choose current signing account or choose to login in another account, or with prompt=login, user has to reauthentication...With those values of prompt, you will not be "stuck in a loop where he cannot sign in to the application again"

How to test if browser supports cookies in a Django app?

I am building a django app which requires user authentication for users to surf the web site. I read through many docs and tutorials which say to use set_test_cookie(), test_cookie_worked() and delete_test_cookie() functionality to test whether client's browser supports cookie management.
However this approach requires two requests and views to verify if cookie management is supported in client's browser or not. My question is how to implement Facebook like functionality in cookie management here. Here's how FB handles cookie check -
1) If I am not logged in and I have disabled cookie support then I am not allowed to log in prompting that I must enable cookie support to access my page.
2) Suppose I was logged in before and cookie was set up but I now disable cookie support then if I access facebook.com then it logs me out in just one request and asking me log in again. But if I log in again then it is same as the first case.
3) If I am on my timeline and browsing facebook then without closing that tab if I disable cookie support in browser, I get automatically logged out prompting that cookie support should be enabled.
How does Facebook (same as gmail) know without my sending request that cookie support is disabled in the mid and I get logged out? Does it continuously make Ajax calls to the server? How do I implement this functionality in my django app?

WSO2 Identity Server Basics - Making it Work

I'm new to the SSO world and I've recently installed WSO2 Identity Server 5.0 and done my best to hook in a service provider but I just can't seem to figure out how to make SSO happen.
Here is my current situation and goal:
I have a MojoPortal website where a user can log in. From there, the user can click a link to our FTP site powered by GoAnywhere. We want the user to be logged into the FTP site just by clicking the link instead of having to log in to it as well. The FTP site is SAML2 enabled so I chose the WSO2 ID Server to give SSO capabality between my mojoPortal and goAnywhere sites.
Here is what I think needs to happen - sanity checks welcome:
1. User clicks to access the FTP website and my mojoPortal website needs to create a SAML request and send it to the ID server. I can't seem to get a grip on doing this from an ASP.NET page.
2. ID server gets the request and validates it (you can test the request in the "SAML Request Validator" tool in the WSO2 console, right?)
3. ID server sends a response to the GoAnywhere FTP site which can be simulated with the SAML Response Builder tool in the ID server console.
4. The FTP sites says either OK or NO to access.
5. Not sure what happens next - how does the user get redirected to the FTP site.
So I have big issues: I don't understand the flow in great enough detail and I'm also having difficulties in getting the technologies to work together.
Any comments / help at all are greatly apprciated!
MojoPortal website - is this SAML2 Web Browser based SSO supported? If yes, then the solutions is clear.
You just have to register your 2 sites in WSO2 IS as SPs.
Then what will happen is , once the user log-in to the MojoPortal website, he user will have a live login session, therefore once he clicks on the FTP site, he will be able to access it without having to log-in again.
Hope this clarifies your doubts.