Tried to login via microsoft provider but after providing my email in the popup I m getting following error:
error_description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.
I m not sure where exactly I need to set it as consumer. Here is my code
const provider = new OAuthProvider("microsoft.com");
signInWithPopup(auth, provider)
.then((result) => {
console.log("doLogin then section");
// User is signed in.
// IdP data available in result.additionalUserInfo.profile.
// Get the OAuth access token and ID Token
const credential = OAuthProvider.credentialFromResult(result);
const accessToken = credential.accessToken;
const idToken = credential.idToken;
})
.catch((error) => {
console.log("doLogin", error);
});
it's common error
Create a new App Registration with supported account type as "All Microsoft account users" works with any errors.
Related
I was trying to acquire token from our Microsoft tenant. I have no knowledge about the Azure AD or whatsoever, because I only tasked to develop front end for our Microsoft Dynamics App in React. I only got some of the credential like tenant id, client id, client secret and resource.
I used MSAL Node library and function ConfidentialClientApplication() to acquire the token
But when I check it in the Ms. Edge's console log it throw an error
{"errorCode":"endpoints_resolution_error","errorMessage":"Error: could
not resolve endpoints. Please check network and try again. Detail:
ClientAuthError: openid_config_error: Could not retrieve endpoints.
Check your authority and verify the .well-known/openid-configuration
endpoint returns the required endpoints. Attempted to retrieve
endpoints from: verify
url","subError":"","name":"ClientAuthError","correlationId":""}
When I click the veryfy url (Cannot show you the url because it might contain sensitive information)
It shows all the metadata of the open id so I thought maybe it's normal.
But why is the error endpoints_resolution_error throwed when everything is normal?
Here is some snapshot of my code
const config = {
auth: {
clientId: clientID
authority: "https://login.microsoftonline.com/{tenantID}/",
clientSecret: clientSecret,
knownAuthorities: ["login.microsoftonline.com"],
protocolMode: "OIDC"
}
};
// Create msal application object
const cca = new msal.ConfidentialClientApplication(config);
// With client credentials flows permissions need to be granted in the portal by a tenant administrator.
// The scope is always in the format "<resource>/.default"
const clientCredentialRequest = {
scopes: ["resource/.default"], // replace with your resource
};
cca.acquireTokenByClientCredential(clientCredentialRequest).then((response) => {
console.log("Response: ", response);
}).catch((error) => {
console.log(JSON.stringify(error));
});
I've tried changing the authority and the protocol mode several times, but same result
I have linked my domain in the firebase authentication, and I have allowed access for auth too.
If you would like to try it, here is the link
https://colesprojects.ml/signin/
signInWithPopup(auth, provider)
.then((result) => {
// This gives you a Google Access Token. You can use it to access the Google API.
const credential = GoogleAuthProvider.credentialFromResult(result);
const token = credential.accessToken;
// The signed-in user info.
const user = result.user;
alert(user.displayName);
// ...
}).catch((error) => {
// Handle Errors here.
const errorCode = error.code;
const errorMessage = error.message;
// The email of the user's account used.
const email = error.email;
// The AuthCredential type that was used.
const credential = GoogleAuthProvider.credentialFromError(error);
// ...
alert(errorMessage);
});
});
Here is my code if I am doing something wrong.
Looking at the error, it seems to me you didn't add your domain to your Authorized redirect URIs.
Go to the GCP console Credentials configuration, in the OAuth 2.0 Client IDs section select your app and add your redirect url to the Authorized redirect URIs section at the bottom (here your redirect URI would be https://colesprojects.ml/__/auth/handler as stated in the error).
I am trying to verify a JWT token sent from a frontend app using the #okta/jwt-verifier package.I keep getting the below error
JwtParseError: Error while resolving signing key for kid "kp2hms0pqlMsflp34dc"
innerError: Error: unable to get local issuer certificate
The credentials I am using are similar to the below
OKTA_AUDIENCE = 'api://default'
OKTA_CLIENT_ID = '0psnmdjeuti34spl8'
OKTA_ISSUER = 'https://dev-04567220.okta.com/oauth2/default'
const OktaJwtVerifier = require('#okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
issuer: OKTA_ISSUER ,
clientId: OKTA_CLIENT_ID
});
oktaJwtVerifier.verifyAccessToken(token, OKTA_AUDIENCE )
.then(jwt => {
// the token is valid (per definition of 'valid' above)
console.log(jwt.claims);
})
.catch(err => {
// a validation failed, inspect the error
});
What exactly am I doing wrong ?
Here's the developer documentation on how to verify a token from Okta.
Some things to double-check
Your Audience, Client ID, and Issuer are correct and matches how the front-end gets the token
You are only verifying the token (so the Bearer text is removed)
The front-end is sending you the correct token, the Access token
My application makes a fetch request to my Next.js API route that generates a custom Firebase token, which the user then is signed in with back on the client.
const res = await fetch('/api/firebase_token');
const token = await res.text();
await signInWithCustomToken(firebaseAuth, token);
When I use 'npm run dev' and test this functionality, the program generates valid tokens and users are authenticated with Firebase. In my deployed website, the same exact code generates "invalid signatures" on my custom tokens according to jwt.io and the following error message: "FirebaseError: Firebase: Error (auth/invalid-custom-token)."
Here is the token generation:
export default withApiAuthRequired(async function handler(req, res) {
const session = getSession(req, res);
// gets the Auth0 user from the session (?)
const user = session.user;
// sets the firebase uid equal to the auth0 Id.
const firebaseUid = user.sub;
const customClaims = {
email: user.email
}
// create custom firebase token
try {
const firebaseToken = await firebaseAdmin.auth().createCustomToken(firebaseUid, customClaims);
res.status(200).send(firebaseToken);
} catch(error) {
console.error(error);
res.status(500).send({
message: 'Failed to create and send a custom Firebase auth token.',
error: error
});
}
For some reason, the tokens from the dev server are valid (localhost:3000), but NOT the tokens from my live website.
I need some help understanding if I am handling the authentication/authorization correctly with Firebase Auth, JS and Python.
Once the user has signed in, I capture the idToken and create a cookie in the browser:
firebase.auth().signInWithEmailAndPassword(email, pass)
.then(({user}) => {
return user.getIdToken().then((idToken) => {
if (idToken) {
document.cookie = "token=" + idToken;
window.location.assign('/profile');
} else {
document.cookie = "token="
}
})
})
.catch((error) => {
//handle error here
});
The route /profile should be protected so I created a decorator and I retrieve the cookie and verify it:
id_token = request.cookies.get("token")
if not id_token:
return redirect(url_for('login'))
try:
decoded_token = auth.verify_id_token(id_token)
uid = decoded_token['uid']
except Exception as e:
print("Exception: {}".format(e))
return redirect(url_for('login'))
This is working so far but I want to see if this is the ideal situation from a security perspective. Also, what about the onAuthStateChanged? How should I handle it in the case above?
Firebase SDKs send the ID token with each request in the Authorization header, so sending it in a cookie is not going to more or less dangerous than that.
Instead of determining the token in signInWithEmailAndPassword though, I'd instead monitor ID token generation by listening to onIdTokenChanged events and using that moment to update your cookie.