I am using AWS Cognito API, I trying to login using the code provided on this URL https://github.com/pmill/aws-cognito/blob/master/examples/login.php, and getting exception "Auth flow not enabled for this client" "InvalidParameterException", please let me know if I am missing something or doing something wrong, user was signed up and confirmed successfully but not able to login? If help would be appreciated.
Thanks
Sounds like there is some issue with your Userpool settings. In Cognito Userpool console, select your Userpool. Go to App Integration --> App client Settings . Select your App Client. Under OAuth2 --> Allowed OAuth flows, select the first 2 options (Authorization code grant & Implicit grant. Also, under Allowed scopes select the ones you want to allow. You can select all of them for testing. Save the changes. This should fix the error (atleast the first one - "Auth flow not enabled for this client). See if you get any errors.
If you still get the error, then may be ADMIN_NO_SRP_AUTH is not enabled for your client. In your Userpool settings, go to App Clients (and not App Client Settings). Click on Show Details for your app client. Select the ADMIN_NO_SRP_AUTH option i.e. Enable sign-in API for server-based authentication and save. See if this fixes your issue.
I published one article on fixing this error on Linkedin. Here's the link: https://www.linkedin.com/pulse/amazon-cognito-how-fix-error-auth-flow-enabled-client-malik/
My brief answer is: please check "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" as shown in below picture.
Related
We are using Google to enable users to use their Google account to authenticate themselves (using AWS Cognito federated sign in) with our Mobile application (we only have mobile applications, no web). We are only using the non-sensitive scopes, but even with that it seems that we are required to go through the whole verification process.
Scopes used:
OAuth scopes
But when I try and publish the application I get a popup notifying me that the verification is required and even mentions sensitive and restricted scopes:
Google publish popup
Step 1 of the verification process is ok, but the other steps are what baffles me.
When I take a look at the documentation it mentions that only if you are using sensitive or restricted scopes that verification is required.
Is there any way to setup the application so verification is not required or at least not as extensive? Most likely we have configured something wrong, or didn't understand the documentation correctly, so any suggestion would be more than appreciated.
In addition to scopes, there a few more reasons why your consent screen might require verification:
You want to display an icon or display name for your project on the OAuth consent screen.
Your project's OAuth clients request authorization of any sensitive or restricted scopes.
The number of authorized domains for your project exceeds the domain count limit.
There are changes to your project's OAuth consent screen configuration after a previous published, verified configuration.
I'm trying to setup a VPN connection using a federated login with Google IdP following these instructions.
Previously, I had configured a saml-provider with Google and it worked fine to authenticate users to the AWS console through Google using ARN roles
WHen I setup the VPN connection, it successfully opens the browser and asks me to select my google account, but after selecting the account I'm getting an error message from Google
According to this help section
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
So this is a problem coming from AWS and not from me ? Is Google IdP compatible at all with VPN authentication ? (I found this doc that mentions compatibility with okta)
Edit
Thanks to some of the answers below, I managed to make it work with Google IdP. Here is a screenshot of relevant SAML Google app screens (note that for groups I ended up adding the employees department, but I guess anything else would have worked)
To be able to save an ACS URL starting with http:// in the G Suite interface, use the trick given by teknowlogist: open the inspector > network tab, perform the request to save an URL with https, then right-click copy it as cURL, replace https by http, paste in regular console, and you're good.
I found a workaround to not being able to input http://127.0.0.1:35001 as the ACS URL on the GSuite SAML app page. The Google admin console only does client-side validation for the https requirement, so you can use the Chrome console to monitor the network call made when modifying the ACS URL.
Then, you can copy this as a curl command and change https to http
#Ted Schroeder —
Previous approach (or, plain Google doesn't work)
I just used a reverse proxy:
mitmproxy \
--listen-port 35000 \
--mode 'reverse:http://127.0.0.1:35001' \
--set keep_host_header=true
If you change Google SAML's ACS URL to be https://127.0.0.1:35000 and click "Test SAML Login", Google will take you to https://127.0.0.1:35000, whose traffic will be redirected to http://127.0.0.1:35001. In the browser I get:
Authentication details received, processing details. You may close this window at any time.
However, using the SAML-tracer extension, I found that there was a URL mismatch (https://127.0.0.1:35000 vs. http://127.0.0.1:35001). Seems like the AWS VPN Client is broadcasting its expected URL as being http://127.0.0.1:35001. So this doesn't seem viable.
Current approach (or, Auth0+Google works)
I tried using Auth0 instead, and got it to work! There's a few hoops — for instance, create a new Auth0 application, go to Addons and enable SAML2 Web App, set Application Callback URL to http://127.0.0.1:35001, and then in Settings use the following:
{
"audience": "urn:amazon:webservices:clientvpn",
"mappings": {
"user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"email": "NameID",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"given_name": "FirstName",
"family_name": "LastName",
"upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"groups": "memberOf"
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"signResponse": true
}
Then users, if they download the VPN config from AWS and use the AWS VPN Client app, will be taken to an Auth0 login screen where they can login via Google. Voila! (And then for security, you need to add Auth0 Rules to grant only certain users/groups authorization.)
I don't have a full answer yet, but I have the beginnings of one and I actually got past the 403 error above. The key to all this can be found in the AWS Client VPN information here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
Look for the section entitled "Service provider information for creating an app".
The key is that these are the ACS URL and the Entity ID that need to be used. Unfortunately, G Suite won't let you set the ACS URL to a non-https URL and apparently the AWS Client VPN app won't provide a secure URL for the ACS URL (where the SAML Authenticate response goes).
So, if you set the Entity ID to "urn:amazon:webservices:clientvpn" and have the G Suite SAML app in place according to the instructions, you'll get past the 403. However, since the ACS URL can't be specified you get whatever error message you're likely to get from the ACS URL that the authentication response goes to.
Example scenario
If you set it to https://signon.aws.amazon.com/saml" like you would for AWS Console SSO, you get an error from the AWS sign in that the SAML response was invalid.
And if you set it to https://127.0.0.1:35001 then you get a message from the browser that the "site can't provide a secure connection".
If anybody gets any further with this, I'd love to hear about it. In the meanwhile, I'm going to be looking into non-AWS OpenVPN clients that might actually support G Suite as a SAML IdP.
#alexandergunnarson
Since I don't have the ability to comment (thanks so much for making this easy stackOverflow) I had to edit my answer to get it past the censors.
Unfortunately, we don't have, and probably won't have for some time, G Suite Enterprise because it's too expensive for our startup environment. So OIDP is not a viable option for us now. I figured this would work. Good to know that it does.
I was too having the same issue. In my case, I needed to turn on the two-factor authentication for the account that I was trying to log in with.
I'm attempting to use Postman to "Get User Access Token" with Microsoft Graph API; however, my org recently enabled multi-factor auth and this call is now failing, stating:
"error": "invalid_grant",
"error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access...
The Microsoft documentation for MS Graph API using Postman is very well written, but it is missing clear instructions how to pass in this second factor to the request.
The error points to https://login.microsoftonline.com/error?code=50076, but this just gives the same info.
I have the MS authenticator app which gives me this key/second factor; however, I don't know how to add this into the body/headers. I'm trying to find the specific key name for passing in the additional security token (I've tried things like 'token,' 'pcToken,' 'key,' etc.)
.
I was in the same predicament so here is what I did to solve it:
Firstly, I got the information from:
https://github.com/microsoftgraph/microsoftgraph-postman-collections/issues/4
You will need to use the OAuth 2.0 authorisation in Postman. Using the same GET request, go to Authorization -> Change the type to 'OAuth 2.0' then click 'Get New Access Token'.
From there, you can input your own details:
(replace [TenantID] with your own)
Callback URL: The redirect URL you stated in your app authentication.
Auth URL:
https://login.microsoftonline.com/[TenantID]/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/[TenantID]/oauth2/v2.0/token
Client ID: You're application's ID.
Client Secret: You're Applications secret that you set under the 'Certificates & secrets' section.
Screenshot
Username Password Authentication is not supported for MFA because MFA requires interaction. But there is no interaction if you need to use Username Password Authentication to sign in.
See Username Password Authentication:
users who need to do MFA won't be able to sign-in (as there is no
interaction)
The answers above do not describe anything related to MFA by-passing via code.
MFA auth you need to use broker authentication where MS Authenticator app behaves as a broker.
If you integrate the proper libraries (ADAL, MSAL) your code will be able to interact with broker properly.
On Android and iOS, brokers enable:
Single Sign On (SSO). Your users won't need to sign-in to each
application
Device identification (by accessing the device
certificate which was created on the device when it was workplace
joined). We use Intune-managed devices for this purpose.
Application identification verification (is it really outlook which
calls me?). The way it works is when an application calls the broker,
it passes its redirect url, and the broker verifies it:
On iOS, the redirect URL is, for instance, ms-word://com.msft.com, the broker
parses and gets the appId (after the //) and verifies it's the same
as the appId of the calling app, which it knows (by the OS).
On Android the redirect URLs have the following form msauth://com.msft.word/.
To enable one of these features, the application developers need to set the UseBroker Boolean to true in the platform parameters. They also need to implement a delegate to react to the broker calling back the application as described in Platform parameters properties specific to brokers on Android and iOS.
Please refer to the MS docs for broker auth examples:
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/brokered-auth
I'm writing an Amazon Skill that I want hooked up with a google account via oauth2. In my edit skill page, I configured it with my client id, an authorization url and token url from the oauth playground, and made it an authoritative grant with my secret and authentication scheme of "http basic", which is recommended.
I tested my client id/secret in the oauth playground and it works as I expect it to, but when I go to sign in on the Alexa App, I get a "missing redirect_uri" error. Looking at the link in the popup, it looks like the following:
https://accounts.google.com/o/oauth2/auth?client_id=custom_client_id&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
Why is it missing the redirect_uri parameter? I can't change it on the skills page, it's set, and I added it to my valid redirect_uri lists on the google console. Anyone else seen this issue before?
An easier version of what jking31cs is saying is to include ?redirect_uri= ...
In your base URL. So if you provide them Oath.com/auth as your authorization URL, instead try Oath.com/auth?redirect_uri=
The redirect URI is constant, so this is a good fix until amazon bothers fixing this. It's only an issue on custom skills.
They've fixed the issue with an update to the Alexa App :D
I have attached my Active Directory as a secondary user store and can see the list of users when i select "Users" however when accessing an APP through tomcat that is linked to SAML SSO i cannot login using an AD Account
can anyone suggest what i am missing?
the error in the system logs is
TID[-1234] [IS] [2014-02-13 13:49:02,321] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} - user authentication failed due to invalid credentials.
however my login credentials are correct...
Because i was using email address as a login that was causing the issue!
the steps i took are as follows:
IS_HOME/repository/conf/carbon.xml file.
Open carbon.xml
Locate EnableEmailUserName element and uncomment it.
Finally, it should be similar to the following
true
Now, restart IS
You should be able to login using your user name
Could you check whether you can login to WSO2 management console using above credentials. If you can not, please go to Management Console -> Configure -> Users and Roles -> Roles and you can see the internal\everyone role. And configure "login" permission for everyone role. Then please try to login...
Also, if you enable the debug logs in org.wso2.carbon.user.core, you can see more debug logs about authentication failure.
I think your configuration is not ok.same login issue already solved here.cannot login to wso2 Identity server with the ldap credentials.
Make sure UserDNPattern property is correct