How to add functionality to the Admin login view? - django

I hope someone can help me with this.
Scenario:
1) A user goes to our website /customer-area/ and gets logged in using the following Django code:
from django.contrib.auth import authenticate, login
account = authenticate(email=email, password=password)
login(request, account)
2) Angular then sets a cookie to say she is logged in.
3) She then goes to /admin/ and is presented with the message:
You are authenticated as user@user.com, but are not authorized to access this page. Would you like to login to a different account?
She chooses to log in as an administrator.
4) She then goes back to /customer-area/.
Problem:
Angular checks a cookie to make sure she's authenticated but gets confused. The cookie says she's authenticated using the account she used in step (1) above, but Django thinks she's authenticated using the account she used in step (3) above. (Django is correct). This is causing all sorts of confusion for Angular.
So I guess I need to add some functionality to the login view to destroy the Angular cookie when an admin logs in.
Do any of you know how I can override the Admin login view?
Or perhaps there is an easier way to deal with this problem which I cannot think of.
Thanks for your help!
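A middleware that addresses the question in a more general way, as an added example (not code from the question): instead of touching only the admin login view, it expires the Angular state cookie whenever the server-side identity differs from what the browser last saw, which also covers the admin login, logout and session expiry. The cookie names are assumptions, as is the stand-alone use of plain Python objects in place of Django's request and response.

```python
# Django middleware (added example). Assumptions: Angular keeps its "logged in"
# state in a cookie named CLIENT_STATE_COOKIE that the server is allowed to
# expire; SERVER_UID_COOKIE is a non-secret marker this middleware sets itself.
CLIENT_STATE_COOKIE = "customer_logged_in"   # assumed Angular cookie name
SERVER_UID_COOKIE = "server_uid"             # assumed marker cookie name


class ClientStateSyncMiddleware:
    """Expire the client-side state cookie whenever the authenticated user
    changes (admin login as another account, logout, expired session).

    Place it in MIDDLEWARE after AuthenticationMiddleware so request.user exists.
    delete_cookie only matches cookies set with the same path/domain, so the
    defaults here assume Angular set its cookie for path "/".
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        user = getattr(request, "user", None)
        current = str(user.pk) if user is not None and user.is_authenticated else ""
        last_seen = request.COOKIES.get(SERVER_UID_COOKIE, "")
        if current != last_seen:
            # Identity changed on the server: whatever the client cached is stale.
            response.delete_cookie(CLIENT_STATE_COOKIE)
            if current:
                response.set_cookie(SERVER_UID_COOKIE, current, httponly=True, samesite="Lax")
            else:
                response.delete_cookie(SERVER_UID_COOKIE)
        return response
```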

Related

How to reset user password in keycloak using REST API

I want to make a rest call to my Keycloak server.
According to doc it should be easy: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_executeactionsemail
So before I start coding I want to prepare a Postman call, so my URL is
http://localhost:8080/auth/admin/realms/test/users/12345/execute-actions-email
in the raw body I'm providing ['UPDATE_PASSWORD']
and what I get is 401 Unauthorized, and I can't work out what I'm doing wrong?
Body:
Headers are default:
To access the Admin REST API you need to pass the admin token to the REST calls:
You would have been prompted to create an admin account as soon as you opened {keycloak-url}/auth.
You can use this admin account to obtain the admin token as shown below.
Note that the only change you have to make in the call below is your Keycloak server address and the value of the admin username and password.
You can pass the token obtained above to the REST APIs in the Authorization header.
Please refer to my other SO post for a step-by-step guide to do this.
@tryingToLearn, thank you so much!
I'll post what I did.
Get a token for the master realm admin account:
Call the reset password service in the test realm:
I had the wrong body; the correct body for this request is ["UPDATE_PASSWORD"], and you can see the 204 in the bottom right corner.
The second question is: is it possible to have a special user in any realm, rather than the master realm admin, for getting a token?
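The two calls described above, as an added example (not from the post): obtain a token from the master realm through the built-in admin-cli client, then PUT execute-actions-email with a JSON array body. The request builders are separated from the network call so the request shape, including the ["UPDATE_PASSWORD"] body that the single-quoted variant fails on, can be checked offline; the server address, credentials, realm and user id are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (added example, not from the post): adjust to your server.
KEYCLOAK = "http://localhost:8080/auth"
ADMIN_USER, ADMIN_PASS = "admin", "changeme"  # constructed values

def token_request(base_url, username, password, realm="master"):
    """Password grant on the realm token endpoint with the built-in admin-cli client.
    A user of another realm holding realm-management roles (e.g. manage-users) can
    be used instead of the master admin by changing `realm`; the shape is the same."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, data

def execute_actions_request(base_url, realm, user_id, access_token, actions=("UPDATE_PASSWORD",)):
    """Build the PUT .../execute-actions-email call: bearer token plus JSON array body."""
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/execute-actions-email"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    # json.dumps emits double quotes; ['UPDATE_PASSWORD'] is not valid JSON.
    return url, headers, json.dumps(list(actions)).encode()

def is_valid_actions_body(raw):
    """Check a raw body the way the server will: a JSON array of action names."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return False
    return isinstance(parsed, list) and all(isinstance(a, str) for a in parsed)

def send(url, headers, data, method):
    """Perform the call and return (status, body). 401 here means the bearer token is absent or invalid."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def reset_password_by_email(user_id, realm="test"):
    status, body = send(*token_request(KEYCLOAK, ADMIN_USER, ADMIN_PASS), method="POST")
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    token = json.loads(body)["access_token"]
    status, _ = send(*execute_actions_request(KEYCLOAK, realm, user_id, token), method="PUT")
    return status  # 204 No Content on success
```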

Bypass Django admin login by using another authentication method

Is there a way, when hitting the Django admin site, to redirect to a 3rd-party authentication page? The user logs in there, then gets redirected back to the admin site without having to log in again.
Basically I want to replace the Django admin login with another authentication method, so I can insert a link in my web app and admins can access the admin page right away.
EDIT:
I did a bit more research and will refine my problem.
Say I want to log in from http://localhost:8000/admin/login/. I assume I need to redirect the user/admin to the 3rd-party login page, then once the auth is successful, I should redirect him back to the next page after login. Where/what should I modify?
EDIT2:
I'm following this example
https://auth0.com/docs/sso/current/single-page-apps
I could get the server to run on 5000, but the auth still fails and returns 400.
How do I get from my React app in localhost:3000 to my Django admin page in localhost:8000 without needing to log in again?
Yes, it's possible. You can use the authenticate functions to authenticate your request, so when you come back from your 3rd-party authentication page you get your response, success or failed, run the authenticate function, and now your user will be logged in... this is kind of a dirty way to do that...
You can also write your own authentication method and set it up in your settings:
https://docs.djangoproject.com/en/2.0/topics/auth/customizing/

Python-social-auth: do not reassociate existing users

I'm using python-social-auth to allow users to login via SAML; everything's working correctly, except for the fact that if a logged-in user opens the SAML login page and logs in again as a different user, they'll get an association with both of the SAML users, rather than switch login.
I understand the purpose behind this (since it's what you can normally do to associate the user with different auth services), but in this case I need to enforce a single association (i.e. if you're logged in with a given SAML IdP, you cannot add another association for the same user with the same provider).
Is there any python-social-auth solution for this, or should I cobble together something (for instance, preventing logged-in users from accessing the login page)?
There's no standard way to do it in python-social-auth; there are a few alternatives:
Override the login page and, if there's a user authenticated, log them out first, or show an error, whatever fits your project.
Add a pipeline function, set at the top of the pipeline, that acts if user is not None; you can raise an error, log out the user, etc.
Override the backend and extend the auth_allowed method in it to return False if there's a valid user instance at self.strategy.request.user. This will halt the auth flow and AuthForbidden will be raised.
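The second alternative as an added example (not code from the answer): a pipeline step that refuses the flow with AuthForbidden when the already-logged-in user holds an association with the same provider, so a second login at that IdP cannot be linked to the account. The settings module path is an assumption, and the fallback AuthForbidden class exists only so the snippet imports without python-social-auth installed.

```python
try:
    from social_core.exceptions import AuthForbidden
except ImportError:  # assumption: stand-in so the example imports without python-social-auth
    class AuthForbidden(Exception):
        def __init__(self, backend, *args):
            super().__init__(*args)
            self.backend = backend


def refuse_reassociation(backend, user=None, *args, **kwargs):
    """Pipeline step. `user` is the request user already authenticated before the
    social login started, or None for an anonymous visitor.

    Halts the flow when that user already has an association for this provider;
    anonymous visitors and first-time links for a provider pass through unchanged.
    """
    if user is None:
        return None
    # social_auth is the reverse relation python-social-auth adds to the user model.
    if user.social_auth.filter(provider=backend.name).exists():
        raise AuthForbidden(backend)
    return None


# settings.py placement (assumed project layout): the step must run before
# associate_user, which is where the second identity would be linked.
SOCIAL_AUTH_PIPELINE = (
    "social_core.pipeline.social_auth.social_details",
    "social_core.pipeline.social_auth.social_uid",
    "social_core.pipeline.social_auth.auth_allowed",
    "myproject.pipeline.refuse_reassociation",  # assumed module path for the step above
    "social_core.pipeline.social_auth.social_user",
    "social_core.pipeline.user.get_username",
    "social_core.pipeline.user.create_user",
    "social_core.pipeline.social_auth.associate_user",
    "social_core.pipeline.social_auth.load_extra_data",
    "social_core.pipeline.user.user_details",
)
```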

Ping Identity switch user

Here at my company, we started using Ping Federate as our Identity provider, this is linked with the AD for user info and so on.
The login works via the OAuth page, and this works great: I can log in, do things, then when my access_token expires it gets refreshed and I can continue without the user even noticing it.
But now I got a request from one of the users asking if he could switch logins,
but this isn't possible, because when I click login, the PingFederate popup that gets fired doesn't ask for the credentials; it just continues and uses the last credentials.
However, when I clear my cookies and log in, it asks for the credentials again, but I can't ask the users to clear all their cookies whenever they want to switch users.
I tried clearing the cookies of the PingFederate Domain when I logout, but no luck:
me.$cookies.remove('PF', {domain: 'federation.xxx.com'});
Does anybody else have an idea what I can do to make this work?
You should be able to use PingFederate's logout features to achieve what you're after.
If you're using just the HTML Form Adapter to log in users, then you can configure a logout path in your adapter instance that you can ask users to visit in order to log out. See "Logout Path" here: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=ttq1564003023121.html
Alternatively you could enable single logout (SLO) which will trigger a logout at all adapters or other authentication sources the user may have logged in to. For more details, see:
https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=php1564002958041.html
https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=pqn1564002990312.html

Working with django rest framework to authenticate a user with new token for every login

I would like to use django-rest-framework token to authenticate users. My workflow would be:
User requests a page
If auth token is present, respond with the requested data.
If auth token is not present, redirect to the login page (with the request page).
Inside the login page, the user submits their credentials
If credentials were correctly authenticated, get or create a token for that user and redirect back to the requested page with the token.
Else, respond with error.
Lastly,
When the user logs out, delete the token for that user.
So my question is, is it okay to delete and create a new token for every login if the user has already logged out? Also I assume the token will be unique, am I correct? Your help and guidance is very much appreciated. Thank you.
A REST API should be stateless, which means that there should not be a "session", hence no login and no logout, and no redirections to a login page.
If the request doesn't have a token then the API should return (probably) a 401 Unauthorized HTTP status code and not a redirection. You're making an API, so there won't be human interaction. Django REST framework offers a human-friendly interface that does have sessions and login/logout, and if that's all you need then go for it, you can do whatever you want. But it'd be hard for another program to use your API.
Why not use tokens with expiration dates, or another well-known authentication method? :P
Hope this helps :)