Browser back button navigating to Bad request page in B2C while registering using Facebook identity provider - sitecore8

In a Sitecore-integrated Azure AD B2C application, while registering through Facebook, once the user is signed up in the application using the Facebook identity provider, the user is redirected to a page where the user details retrieved from the Facebook identity are displayed. But the problem is that if the user refreshes the page or clicks the browser back button, the "Bad request" screen is displayed.
The error message shown is "{"status":"400","message":"Missing required element [Given Name]"}".

When you press the browser back button from any IdP, an authentication failed response is sent to the B2C application.
Are you using OWIN middleware? If yes, you need to catch the exception in your 'AuthenticationFailed' event and handle it properly. Something like below.
AuthenticationFailed = notification =>
{
    // The error message differs per IdP; Facebook returns "server_error" as the response message
    if (notification.Exception.Message == "server_error")
    {
        notification.HandleResponse(); // stop the middleware from rethrowing the exception
        notification.Response.Redirect("/");
    }
    return Task.FromResult(0);
}

Related

Getting invalid_request invalid_grant Errors from AWS Cognito Hosted UI Login On Mobile Devices Whenever OTP Code is Used

I have a web-app built with the AWS Amplify framework. I rely on Cognito Hosted UI w/ identity federation for registration and login. In reviewing the registrations for my app, I noticed that it got 70+ registrations, but of these only 12 went on to create user profiles. I tested creating an account and signing in through each identity provider (Amazon, Google, Facebook) as well as through standard signup with an email and password. I never had any issues.
I started testing more heavily on mobile and eventually I started to encounter an error. I plugged my mobile device into my laptop, navigated to chrome://inspect and checked the network tab and JS console. Only when my chosen identity provider required an OTP code, I noted that I was getting invalid_request and invalid_grant errors after I input the code and continued with sign-in, even though registration seemed to work (I say registration seemed to work because I received AWS credentials in the initial response and amplify-signin-with-hostedUI was set to true in localStorage. Also, when I open the AWS Console and go to Cognito, I can see that I've been added as a user in my User_Pool).
If I refresh the browser at this point, it seems a new request is sent off to /token, but it comes back with a 400 error with the invalid_grant message.
I kept poking around and eventually found something interesting. There are three tabs involved in the login process, and I think this is somehow messing things up. On mobile, when I try to register or login with the Cognito Hosted UI, I am first met with the Federated Identity Provider buttons and email/password page.
First I go to my website (Tab One). Then I click sign-up and the Hosted UI page pops up (Tab Two). I select one of the login methods (Amazon, Google, Facebook, or Email/Password). If the selected method requires no OTP, I'm golden. I'm redirected to my web app and the app works fine. If my selected method requires an OTP, a new tab opens (Tab 3) which asks for the token. At this point, I can see in Chrome devtools that an error occurs on this tab (Tab 3).
After plugging in the OTP code and clicking sign-in, I'm redirected, as expected, back to my web-app, but this redirect occurs in the original tab (Tab One), however with a query string added to the URL (/?code=). If I click the view tabs button, I see that the Hosted UI tab (Tab Two) is still open and still has the Cognito Hosted UI buttons/username+password page open. Not sure if that's important.
Now on Tab One with my web app, I don't immediately see any errors in Chrome devtools. But I can see that my app is unable to load. If I wait, it just loads and loads forever. If I refresh the page, then at this point I see a new request to /token fire off in the Network Tab of Chrome DevTools and it comes back with the 400 error invalid_grant response.
Has anyone else encountered this issue or found a resolution?
Thanks in advance!

How to remove custom cookies added in AD B2C by custom UI while logout

I am using AD B2C custom policies with my own custom UI. For some purpose I'm adding some cookies. As the UI runs under the B2C domain (e.g. tenant.b2clogin.com) these custom cookies are created under this domain. I need to find a way to remove these customised cookies when we do the B2C logout. I know B2C has a way to redirect to a logout URL, but I'm not sure it will work because this URL is outside the B2C domain where the cookies are created. Do you have a suggestion about how to customise the logout to remove these custom cookies placed under the B2C domain?
Currently we cannot customize the sign out UI directly by using custom page layouts.
When you logout from your web app you should redirect to B2C's logout endpoint as described in the document.
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again.
The logout endpoint can receive an optional post_logout_redirect_uri parameter in the query string, where you can specify another URL where your user will be finally redirected by B2C. That can be the address of any resource, e.g. you homepage or your own page showing a "You successfully logged out of our service" message to the user.
post_logout_redirect_uri - The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message.

SAML Replay Detection

We have a Java-based web application which uses SAML 2.0 for SSO. As part of the SSO we have also implemented Single Logout. Can anyone please share info on how to fix the issue below?
User logs into IDP(app1)
User clicks on the link to the SP(app2)
User logs out of IDP. A logout request is received by SP and the session is invalidated
User refreshes the browser that has SP(app2) open and the original IDP request is resubmitted. The SP processes this request as if it came from the IDP. With this the user is still able to navigate/use app2 even though he has logged out of the IDP.
I think the best solution is to go back to the IDP and check if the session (based on the SAML SessionIndex) is valid, but I'm not sure how we can do it. Note the browser refresh only works within the window specified by NotBefore and NotOnOrAfter. If the user tries to refresh outside this window we have logic that rejects the request/response.
The SP should also check for SAML assertion replay.
Every SAML assertion includes a unique ID.
Your SP should keep track of these until they expire (i.e. until NotOnOrAfter). When you receive a SAML assertion, if the ID has already been seen by your SP, the SAML assertion should be rejected.
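The replay check the answer describes, as an added example that is not part of the original answer or of any SAML library. It is written in Python for illustration (the asker's SP is Java), works on a constructed assertion embedded below, and assumes the XML signature has already been verified before the assertion reaches this check. The cache must be shared across SP nodes if the application is clustered.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; a real SP verifies the XML signature first)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z; return Unix seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class AssertionReplayCache:
    """Remembers assertion IDs until their NotOnOrAfter so a resubmitted response is rejected."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter (Unix seconds)

    def _purge(self, now):
        # IDs past NotOnOrAfter can be forgotten: the validity-window check rejects them anyway
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}

    def check(self, assertion_xml, now=None):
        """Return (accepted, reason) for one assertion, recording its ID on success."""
        now = time.time() if now is None else now
        self._purge(now)
        root = ET.fromstring(assertion_xml)
        aid = root.get("ID")
        conditions = root.find("saml:Conditions", NS)
        if aid is None or conditions is None:
            return (False, "missing ID or Conditions")
        not_before = parse_saml_time(conditions.get("NotBefore"))
        not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            return (False, "outside validity window")
        if aid in self._seen:
            return (False, "replayed assertion")
        self._seen[aid] = not_on_or_after
        return (True, "accepted")


if __name__ == "__main__":
    cache = AssertionReplayCache()
    t = parse_saml_time("2024-01-01T12:00:30Z")
    print(cache.check(SAMPLE_ASSERTION, now=t), cache.check(SAMPLE_ASSERTION, now=t + 1))
```

The second call models the browser refresh from the question: same assertion, still inside the NotBefore/NotOnOrAfter window, and now rejected because its ID was already consumed.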

Postman: Pop-up login modal for authentication

Postman now has support for OAuth 2.0. The nice thing is that if necessary, Postman will display a pop-up login modal for authentication if the Auth URL redirects to a login screen.
My question: is it possible to display this same modal for a request via a script? I would like to replicate the same OAuth flow via a script (instead of having to generate an access token via the button).
Thanks!
Yes, you can get this done. Instead of having a button, create a modal dialog using JavaScript, get the username and password from the dialog and pass them to the OAuth request to get the token. I believe you are using the password credentials grant, where you need to send the username and password while making the request.

User accepts Facebook request then autologins to my website

I have an invite friends button that creates a Facebook request to the friends you select through Facebook's JavaScript UI mechanism. The invitees can then click "Accept" and they'll be redirected to my Facebook canvas app.
From there I want them to be redirected to my website but automatically logged in with their Facebook credentials, as if they had clicked my Facebook Connect button and logged in that way. How can I do this? I guess somehow the same cookie FB Connect creates will need to be created? My website will need to be given some kind of access_token like FB Connect returns so I can verify who the user is on my system (or create a new one).
Or is this not possible, and the user will have to be simply redirected back to my website and then log in through Facebook Connect even though they're already "logged in" to my Facebook canvas app?
Once the user gets redirected to your Canvas App (iframe) you are in control!
So let's assume the following:
1. The friend clicks "Accept" and gets redirected to your Canvas App
2. You receive a signed_request, and check if a user_id is present (i.e. he is already a website user)
3. If yes then just set your own login sessions (or whatever mechanism you use) and redirect, else
4. Follow the standard authentication flow (whether it's client side or server side)
5. If the user clicks cancel then just redirect
6. If he authorizes your app then register the user (insert into DB) and follow step #3
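Steps 2 and 3 of the answer in code, as an added example that is not part of the original answer and not Facebook's SDK. It verifies the signed_request HMAC-SHA256 signature (both parts are unpadded base64url) before trusting the user_id, because an unverified payload would let anyone claim an arbitrary user; the app secret and sample payloads are constructed, and make_signed_request exists only to build test input.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(data):
    """Facebook sends unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        sig_part, payload_part = signed_request.split(".", 1)
        sig = _b64url_decode(sig_part)
    except ValueError:  # no separator or malformed base64
        return None
    # The signature covers the encoded payload string, keyed with the app secret
    expected = hmac.new(app_secret.encode(), payload_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_b64url_decode(payload_part))
    if payload.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    return payload


def route_after_accept(signed_request, app_secret):
    """Decide what the canvas app does once the invitee lands on it (steps 2-3 above)."""
    payload = parse_signed_request(signed_request, app_secret)
    if payload is None:
        return "reject"            # tampered or malformed: do not log anyone in
    if "user_id" in payload:
        return "login:" + str(payload["user_id"])  # known user: start your own session
    return "authorize"             # not yet authorized: run the standard auth flow


def make_signed_request(payload, app_secret):
    """Constructed test helper that signs a payload the way the canvas app expects to receive it."""
    payload_part = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
    sig = hmac.new(app_secret.encode(), payload_part.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode().rstrip("=") + "." + payload_part


if __name__ == "__main__":
    secret = "constructed-app-secret"
    sr = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "12345"}, secret)
    print(route_after_accept(sr, secret), route_after_accept(sr, "wrong-secret"))
```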