I'm trying out the authentication and authorization example from yesodweb.
The login works fine now with BrowserId and Google but when I want to logout I get a:
Permission denied
A valid CSRF token wasn't present in HTTP headers or POST parameters. >Check the Yesod.Core.Handler docs of the yesod-core package for details >on CSRF protection.
This is the form send from the auth subsite after clicking on the logout link: http://lpaste.net/150405.
It's obvious that the token is not in the form, but the token is in the cookie my browser is sending in the POST with the form: http://lpaste.net/150406.
What I'm doing wrong here? I don't want to be logged in forever :)
Related
Wso2 IS 5.10.0 I have configured basic auth and sms otp. I wanted to trigger basic auth using url like below without login page(skipping login page with authentication at backend with the username and password provided).
https://192.168.1.10:9448/oauth2/authorize?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=/oauth2/authorize&forceAuth=false&passiveAuth=false&redirect_uri=https://192.168.1.10:9448/user-portal/login&response_type=code&scope=internal_login+internal_humantask_view+openid&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&username=test&password=test#123
The login is successful but after that smsotp page is throwing 401 error even after authentication. But same thing is working if I am login with login page(mobile sms otp page will be shown successfully). I am not getting what is wrong.
EDIT:
After login it is routing to sms otp page like below.
https://192.168.1.10:9448/oauth2/smsotpauthenticationendpoint/smsotp.jsp?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=%2Foauth2%2Fauthorize&forceAuth=false&isSaaSApp=false&passiveAuth=false&redirect_uri=https%3A%2F%2F192.168.1.10%3A9448%2Fuser-portal%2Flogin&response_type=code&scope=internal_login+internal_humantask_view+openid&sp=User+Portal&tenantDomain=carbon.super&sessionDataKey=c23b62da-3031-44fd-892c-5cff2e62db58&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&authenticators=SMSOTP
This invalid URL (/oauth2/smsotpauthenticationendpoint/..) is generated due to relative URLs configured for the following properties (in deployment.toml). To address it, you can update them with a slash at the beginning as below.
[authentication.authenticator.sms_otp.parameters]
SMSOTPAuthenticationEndpointURL= "/smsotpauthenticationendpoint/smsotp.jsp"
SMSOTPAuthenticationEndpointErrorPage= "/smsotpauthenticationendpoint/smsotpError.jsp"
MobileNumberRegPage = "/smsotpauthenticationendpoint/mobile.jsp"
I have an API from which users can login to get a token so they can make requests, etc and I have also made a a session login as there are a few scenarios where I need the user session token. Now if a user logs in to the API and afterwards they need to login using the session Auth its all good however the reverse does not work. If you are logged in using session Auth and then want to login via the API to release a token I get a response of Forbidden. Could someone please offer some insight?
I have to introduce SAML2 authentication in my Django Project.
My base app use CSRF Token that is provided by #ensure_csrf_cookie decorator in the main page.
For implementing SAML, I've added a new "login" button on main page (the one that set se csrf token cookie). The button send the SAML request to IDP. When I return from IDP to a landing page (a view in saml2 sub-app that reads the response) I got a 403 Forbidden error about CSRF Token.
I'm using OneLogin python Library (python3-saml). https://github.com/onelogin/python3-saml
The landing page is the one that ends with: ?acs
What I want to know is if its a problem of my landing page or the IDP Response has to be binded with csrf token in some way.
Thanks.
NOTE: I've also tryed to add IDP domain in CSRF_TRUSTED_ORIGINS setting
You will probably need to mark the SAML return view as #csrf_exempt as the IDP wouldn't know how to pass the Django-specific CSRF token.
I am getting this error please haldle the csrf token in django project.When I first made an AJAX call with a POST request, I got a HTTP 403 Forbidden error. A quick debug led me to the CSRF authorisation problem. The backend refused to authorise the request because there is no accompanying CSRF token to prove that the request is not from a foreign site.
From the documentation:
"The CSRF middleware and template tag provides easy-to-use
protection against Cross Site Request Forgeries. This type of attack occurs when a malicious website contains a link, a form button
or some JavaScript that is intended to perform some action on your
website, using the credentials of a logged-in user who visits the
malicious site in their browser."
Therefore, when making a POST request, you should always include a CSRF token.
For more information, including how to use it with AJAX calls, please refer to the documentation:
https://docs.djangoproject.com/en/3.0/ref/csrf/
I'm trying to test my web server's login with Postman. First, I send a GET request to my login url, and I get a CSRF token as a cookie. Then, I make a POST request to that login page, with my username, password, and CSRF token.
My problem is, when I do this in Postman, I get a 403 forbidden error when I try to make that POST request to login. I'm copying the CSRF token received and putting it as one of the POST parameters, and I'm using a valid username and password. Is there anything I'm overlooking here?
You need to set it as a header in the request, not in the body. X-CSRFToken is the key and the value is CSRF token from the cookie. This will work if you are using an API framework like Tastypie or Django Rest Framework.
If you are authenticating without an API layer you would need to actually attach the cookie or create one with the CSRF token. This post explains it.
Try installing the Postman Interceptor Extension on GoogleChrome. It worked for me.
Works for me :
Set in Postman Header :
KEY : Authorization
Value : Token "Your token"