I need to add a parameter '&onlyLock=true' in the in authorization URL. However, I could not find information about this property in the current documentation.
¡is it possible??
I am using
auth0-js": "9.8.2".
Configuration:
new Auth0.WebAuth(
{ domain: config.domain,
clientID: config.clientId,
redirectUri: config.redirect,
responseType: "id_token token",
scope: "openid profile email"
}
);
Execution
auth0.popup.authorize({}, (err, authResult)
Thanks
Related
The ultimate goal (which works if clientId is provided and scopes are clicked): Use Swagger UI to get the azure Auth to receive an accessToken for further requests.
Since the client_id and scopes are static I was hoping to bypass the popup and immediately trigger what happens when clicked on the Authorize button by pre setting the client_id and scopes, since I couldn't find anything there I am atleast trying to pre fill the form so the user only has to click Authorize in my organisation.
What I tried without success:
swagger options initOAuth
DocumentBuilder.components.requestBodies
The Code in main.ts of nestjs:
// Swagger
const config = new DocumentBuilder()
.setTitle('Auth Backend')
.setDescription('Azure PoC backend')
.setVersion('0.1')
.addTag('auth')
.addOAuth2({
type: "oauth2",
description: "description",
name: "AzureAD",
flows: {
implicit: {
scopes: { "User.Read": "Read user profile" },
authorizationUrl: `https://login.microsoftonline.com/${process.env.TENANT_ID}/oauth2/v2.0/authorize`,
}
}
}, "AzureAD")
.build()
const document = SwaggerModule.createDocument(app, config)
SwaggerModule.setup('swagger', app, document, {initOAuth: {clientId: process.env.CLIENT_ID, clientSecret: process.env.CLIENT_SECRET}});
Please try by including swaggerOptions in SwaggerModule.setup which can pass swaggerOptions into swaggerUi.generateHTML
SwaggerModule.setup('api', app, document, { customSiteTitle: 'Your API name', swaggerOptions: {
oauth: {
clientId: clientid",
clientSecret: "clientsecret",
realm: "your-realms",
appName: " ",
scopeSeparator: " ",
scopes: ["User.Read", "profile",”offline_access”],
…. },
persistAuthorization: true, }, });
For the latest versions: ( as given by #julianklumpers in Access swagger-ui after setup to initialize oauth2 -nest.js· Issue · GitHub)
SwaggerModule.setup('api', app, document, {
customSiteTitle: 'API',
swaggerOptions: {
persistAuthorization: true,
oauth2RedirectUrl: 'https://…….’,
initOAuth: {
ClientId,
ClientSecret,
scopes: ["User.Read", "profile",”offline_access”],
appName: ‘name of the app',
},
},
});
Reference: swagger-ui oauth2 · GitHub
I do authorization via next-auth
import NextAuth from 'next-auth';
export default NextAuth({
providers: [
{
id: 'reddit',
name: 'Reddit',
clientId: process.env.CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,
scope: 'read submit identity',
type: 'oauth',
version: '2.0',
params: { grant_type: 'authorization_code' },
accessTokenUrl: ' https://www.reddit.com/api/v1/access_token',
authorizationUrl: 'https://www.reddit.com/api/v1/authorize?response_type=code&duration=permanent',
profileUrl: 'https://oauth.reddit.com/api/v1/me',
profile: profile => {
return {
id: profile.id as string,
name: profile.name,
email: null,
};
},
},
],
});
And I am getting error from reddit
/you sent an invalid request
invalid redirect_uri parameter./
How am I supposed to pass this uri in next-auth?
NEXTAUTH_URL variable is also specified
This is how next-auth inserts it into Request URL
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fauth%2Fcallback%2Freddit
but I just need
http://localhost:8080
I solved it) u just need to set redirect_uri in your reddit app as
http://localhost:8080/api/auth/callback/reddit
We have two endpoints /auth and /token. The endpoint /auth returns the authorization code that can be used when calling /token to get an access token.
Using NuxtJS the auth module became the way to go. The login process this.$auth.loginWith("company") is working fine as far as I know. I get redirected to the Login Page. I can enter my credentials and when those are valid I get redirected to the configured URL.
Up to that point everything works as expected. The redirect is passing the authorization code as request parameters.
This is what the URL looks like:
http://localhost:3000/?state=Y6CWcCZanJ&session_state=2c966cd9-5834-4045-9bfb-6aa9f616f841&code=fbabf615-cd5e-4479-818a-6a7ba72de01b.2c966cd9-5834-4045-9bfb-6aa9f616f841.553d562b-c454-4681-83ae-98cd93dbfa90
However with this code I expect that the auth module is automatically calling the /token endpoint. But it does not. Why is that?
Do I need to call it explicitly after using this.$auth.loginWith("company")? Something like:
this.$auth.loginWith("company");
this.$auth.fetchToken();
Or is it done implictly?
This is the configuration in nuxt.config.js
...
auth: {
strategies: {
company: {
scheme: "oauth2",
endpoints: {
authorization:
"https://login.mycompany.com/auth/realms/apps/protocol/openid-connect/auth",
token:
"https://login.mycompany.com/auth/realms/apps/protocol/openid-connect/token",
userInfo:
"https://login.mycompany.com/auth/realms/apps/protocol/openid-connect/userinfo",
logout: "http://localhost:3000/logout"
},
token: {
name: "Authorization",
property: "access_token",
type: "Bearer",
maxAge: 1800
},
refreshToken: {
property: "refresh_token",
maxAge: 60 * 60 * 24 * 30
},
responseType: "code",
grantType: "authorization_code",
accessType: undefined,
redirectUri: "http://localhost:3000",
logoutRedirectUri: undefined,
clientId:
process.env.CLIENT_ID ||
"3004761-241-dab74c5e-ad70-11eb-bea4-4193bd361dc612123",
scope: ["all"],
codeChallengeMethod: "S256"
}
}
},
...
Is there any chance you forgot to setup #nuxtjs/axios or explicitly configure auth middleware?
// nuxt.config.js
modules: ['#nuxtjs/auth-next', '#nuxtjs/axios'],
router: {
middleware: ['auth'],
},
I try to set google authentication with Nuxt Auth module, but I got following error from google:
Error 400 : invalid_request
Parameter not allowed for this message type: nonce
Here is my config
// nuxt.config.js
modules: ["#nuxtjs/axios", "#nuxtjs/auth-next"],
auth: {
router: {
middleware: ["auth"],
},
redirect: {
login: "/login",
logout: "/",
callback: false,
home: "/",
},
strategies: {
google: { clientId: "MyClientID", codeChallengeMethod: "" }
}
}
And how i call the google auth in my component:
login(){
this.$auth.loginWith("google").then( result => console.log(result) )
}
I also try to run official demo from here:
https://github.com/nuxt-community/auth-module/tree/dev/demo
But I got the same error.
Had the same issue but setting responseType: 'code' worked for me.
EDIT: Set responseType: "id_token token" for an implicit grant flow and to get redirected to your Nuxt app with an access token by Google. This whole OAuth topic has always been quite confusing to me and there's so much misinformation out there on what to do and what not to do in terms of security. I have found the following article to be very helpful and demystify the various OAuth flows: https://itnext.io/an-oauth-2-0-introduction-for-beginners-6e386b19f7a9 However if you do not want to expose the access token on the front end and rather obtain it in your back end then you must use the code grant flow by setting responseType: "code" and set up your back end properly. I ended up using the code grant flow but I assume that most people find the implicit grant flow more convenient.
Here's the full snippet:
export default {
modules: ["#nuxtjs/axios", "#nuxtjs/auth-next"],
auth: {
strategies: {
google: {
clientId: process.env.GOOGLE_CLIENT_ID,
redirectUri: `${process.env.BASE_URL}/auth/google/callback`,
codeChallengeMethod: "",
responseType: "id_token token",
},
},
},
router: {
middleware: ["auth"],
},
};
Seems to be related with the version of Nuxt Auth.
Maybe this feature is not ready in #nuxtjs/auth-next
So i run
npm install #nuxtjs/auth#latest --save
Then update nuxt.config.json
replace #nuxtjs/auth-next with #nuxtjs/auth
replace clientId with client_id
// nuxt.config.js
modules: ["#nuxtjs/axios", "#nuxtjs/auth"],
auth: {
router: {
middleware: ["auth"],
},
redirect: {
login: "/login",
logout: "/",
callback: false,
home: "/",
},
strategies: {
google: { client_id: "MyClientID"}
}
}
in auth-next and auth0 the setting of responseType let me bypass the problem, my working config looks like:
auth0: {
logoutRedirectUri: process.env.BASE_URL,
domain: String(process.env.AUTH0_DOMAIN).replace(/(^\w+:|^)\/\//, ''),
clientId: process.env.AUTH0_CLIENT_ID,
scope: ['read:reports', 'read:roles', 'create:client_grants', 'offline_access'], // 'openid', 'profile', 'email' default added
audience: process.env.AUTH0_AUDIENCE,
responseType: 'token',
accessType: 'offline',
grantType: 'client_credentials',
redirectUri: process.env.BASE_URL + '/callback',
codeChallengeMethod: 'S256'
}
I am using hello.js to sign in Microsoft Graph.
First I initialized by
hello.init({
msft: {
id: myAppId,
oauth: {
version: 2,
auth: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
},
scope_delim: ' ',
form: false
},
},
{ redirect_uri: window.location.href }
);
Then I signed in successfully in my app
hello('msft').login({ scope: 'User.Read' })
This is what hello.js saved in localStorage after signing in.
{
"msft": {
"access_token":"aLongToken",
"token_type":"Bearer",
"expires_in":3599,
"scope":"basic,User.Read",
"state":"",
"session_state":"f034f785-f8d0-4cec-aab4-88559c9d93dd",
"client_id":"a91e6907-2b6e-4793-848d-633e960e809d",
"network":"msft",
"display":"popup",
"redirect_uri":"http://localhost:3006/login",
"expires":1501800737.361
}
}
However, when I try to refresh the access_token
hello('msft').login({
display: 'none',
response_type: 'id_token token',
response_mode: 'fragment',
nonce: 'my-app',
prompt: 'none',
scope: 'User.Read',
login_hint: 'Rose.Bukater#company.com',
domain_hint: 'organizations'
})
I got the error
AADSTS50058: A silent sign-in request was sent but no user is signed
in. The cookies used to represent the user's session were not sent in
the request to Azure AD. This can happen if the user is using Internet
Explorer or Edge, and the web app sending the silent sign-in request
is in different IE security zone than the Azure AD endpoint
(login.microsoftonline.com).
I am using Chrome.
Found this issue on GitHub. But still didn't figure out how to refresh correctly.
UPDATE:
After disable Allow Implicit Flow at https://apps.dev.microsoft.com, now I even failed to log in. So this is not the correct solution. hello.js saved this error in the localStorage:
{
"msft": {
"error": {
"code":"unsupported_response_type",
"message":"AADSTS70005: response_type 'token' is not enabled for the application\r\nTrace ID: 1dc20dd0-cab3-41b5-9849-2a7e35d60700\r\nCorrelation ID: caacce8f-6763-405d-a840-70c24d5306d4\r\nTimestamp: 2017-08-04 21:56:42Z"
},
"error_description":"AADSTS70005: response_type 'token' is not enabled for the application\r\nTrace ID: 1dc20dd0-cab3-41b5-9849-2a7e35d60700\r\nCorrelation ID: caacce8f-6763-405d-a840-70c24d5306d4\r\nTimestamp: 2017-08-04 21:56:42Z",
"state":"",
"client_id":"a91e6907-2b6e-4793-848d-633e960e809d",
"network":"msft",
"display":"popup",
"redirect_uri":"http://localhost:3006/login",
"scope":"basic,User.Read"
}
}
It happens when the cookie of the user currently connected for login.microsoftonline.com has expired. The way we handle it is we redirect the user to sign in page with current page as redirecturi parameter.
I found the issue. My code in the question is totally correct. The reason causing this issue is because in our company each person has two emails:
one is full name email Rose.Bukater#company.com
one is alias email rosebuk#company.com, which is the property userPrincipalName
For login_hint below, it has to be the alias email.
hello('msft').login({
display: 'none',
response_type: 'id_token token',
response_mode: 'fragment',
nonce: 'my-app',
prompt: 'none',
scope: 'User.Read',
login_hint: 'Rose.Bukater#company.com', // <- has to be rosebuk#company.com
domain_hint: 'organizations'
})