I am trying to make a webapp in java that is capable of posting to a users facebook status, and I am having some problems with the authorization process. Basically, I have a struts2 action that redirects the user to the facebook login page, which then redirects back to me with a "code". I then use this code to access another facebook URL (to trade it for an access token).
The problem is, and I'm likely just missing something simple, that this second facebook url doesn't redirect to an action, it instead just returns a page with the access token on it. So, my question is, how would I access that token to put into my database, preferably without showing the access token to the end user?
TLDR; Any idea how I could call a request from an action in struts2 to an external url and parse the response without showing it to the user? Thanks!
Cheers,
Lukas Rezek
So basically you would want 3 pieces:
Interceptor
authRequest action
authResponse action
So the flow is:
Interceptor would check if current user has auth token, if not - it will redirect to authRequest action
authRequest action will fill up your app details - create url graph.facebook.com/oauth/authorize?client_id=xxx&redirect_uri=yyy etc
Please note that redirect_uri is exactly is authResponse action. so after user authorizes your app - browser willo redirect to authResponse action
authResponse action is the plave where you retreive the token, save it to DB and probably set it to session. after you done with that - you are done with login and you can redirect to your application home action
To access an external web site within a struts action you have two choices. Create a socket and connect to the external site and send your request via the socket.outputstream and parse the reponse via the socket.inputStream or use a browser emulator such as Apache HttpComponents or HTMLUnit.
I wouldn't let the user of my web-app anywhere near the Facebook site - I would have my own page that asked for the FB login and would handle the interaction with the facebook site using one of the two methods above. I would favour using HTMLUnit as that is designed to look like a browser to the remote site.
Related
I have 2 JHipster apps running each on one subdomain (app1.domain.tld & app2.domain.tld).
In both apps, users login through Keycloak. The sequence is as such :
Angular app sends /authenticate request with credentials to Keycloak
In case of successful response returns a authentication cookie
POST request is is sent to Jhipster backend app that generates JSessionID cookie
JSessionID is then used for every request to backed app.
What would be the best way to automatically login user (without asking username & password) if they are already logged in one of the apps of the domain (*.domain.tld) ?
I tried to use the JSessionID as a global token before understanding it only works on the app it was generated on...
Maybe catching Keycloak authentication cookie (returned at step 2) and authenticating on second application would do the trick ?
From what I saw while testing, after being authenticated on first app, when I go to the second one, Angular 401 HTTP interceptor redirects to keycloak login page with a session token. Thus at that time Keycloak should see that I'm already logged in and should redirect me to home page of my second app.
Am I right ?
The javascript adapter solve this by creating an iframe that's loaded from the authentication server.
From the keycloak docs:
Session Status iframe
By default, the JavaScript adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This does not require any network traffic, instead the status is retrieved by looking at a special status cookie. This feature can be disabled by setting checkLoginIframe: false in the options passed to the init method.You should not rely on looking at this cookie directly. Its format can change and it’s also associated with the URL of the Keycloak server, not your application.
The success callback of init function has a parameter that gives the authentication status of the user.
<script src="keycloak.js"></script>
<script>
var keycloak = Keycloak();
keycloak.init().success(function(authenticated) {
alert(authenticated ? 'authenticated' : 'not authenticated');
}).error(function() {
alert('failed to initialize');
});
</script>
If the user is authenticated redirect the user to the login page, since the user is already authenticated there is no need to input the login credentials again. The adapter can handle this automatically if it's initialized with the onload option check-sso
For more details on the inner workings of the javascript adapter, the source can be found here
I solved this problem by changing the cookie name generated on the client where token information is stored. In this way, using app2 will not invalidate the token of app1 because it will use a different name. Maybe there is a better way to accomplish this in a SSO environment but it works for me.
Change application.yaml by adding server.servlet.session.cookie.name entry with the new cookie name:
server:
servlet:
session:
cookie:
http-only: true
name: JSESSIONID_APP1
I have a web application that when user click on the a link it will generate security information and log on to an external application if the security information is authenticated.
At this point from security concern I don't want to expose the URL and request information on the web page, so instead I am seeking solutions to handle the process behind the scene
I know Apache Components can easily send post request within POJO, jersey client can do as well through web service. However the requirement here is also including to let browser automatically redirect to the 3rd app's front page if the login process succeeded.
My question is what could be the proper solution to handle the login process and go to the external application from web as well.
Say you have:
publicapp.com
secretapp.com
Set up an API in publicapp.com to POST the initial request to itself. When the user submits the initial login form it goes to say publicapp.com/login. This endpoint will pre-process the information then send a server to server request to secretapp.com/login.
If secretapp.com/login accepts the information it responds to publicapp.com with a success and publicapp.com redirects the client to secretapp.com/home, with a short term auth token encoded in a JWT. secretapp.com, swaps the short term token for a full auth token.
In the above scenario, the actual login endpoint is never made public. secretapp.com should also have IP whitelisting to only accepts login attempts from publicapp.com. You can also do a lot of filtering on publicapp.com to eliminate malicious requests without bothering secretapp.com.
I get code from this direct url with my client id and redirect uri;
https://foursquare.com/oauth2/authenticateclient_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
But I can't do it with the rest service. I have to embed this service in my java application and then get access token. I can use that different option,if there is another way you know to get access token.Can you help me?
The Foursquare docs walk through the process in great detail. There are 2 options:
Web Applications Code Flow
Web Applications Token Flow
Both these options will require you to setup an app through the Foursquare Developer site. You'll need to setup a redirect URL for Foursquare to redirect back to. This is usually a publically accessible URL, but a locahost URL also works for testing purposes.
The first, the Code Flow, follows a standard OAuth process:
Direct users (generally done through a link or button) to
https://foursquare.com/oauth2/authenticate?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI`
If the user accepts, they will be redirected back to
https://YOUR_REGISTERED_REDIRECT_URI/?code=CODE
Your server should exchange the code it got in step 2 for an access token. Make a request for
https://foursquare.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code=CODE
The response will be JSON
{ access_token: ACCESS_TOKEN }
This access token is what you're looking for.
The second method, the token flow is slightly easier:
Redirect users who wish to authenticate to
https://foursquare.com/oauth2/authenticate?client_id=CLIENT_ID&response_type=token&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
If a user accepts, they will be redirected back to
https://YOUR_REGISTERED_REDIRECT_URI/#access_token=ACCESS_TOKEN
This access_token query param is what you're looking for.
Go to your "App Settings" page on the developer console of Foursquare.com
Set the "Redirect URL" under "Web Addresses" to https://www.google.com
Paste and enter the following url in your web browser (replace YOUR_CLIENT_ID with your actual client id):
https://foursquare.com/oauth2/authenticate?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=https://www.google.com
This should redirect you to a google page requesting permission to make the connection.
Accept and then look at the url of your web browser (take note at the CODE part of the url to use in step 5)
It should look like https://www.google.com/?code=CODE
Copy the code value from the previous step.
Paste and enter the following into your web browser (replace placeholders with actual values):
https://foursquare.com/oauth2/access_token?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=https://www.google.com&code=CODE.
When you paste the link , This should lead you to a page that gives you your access token.
Credit : IBM course intructor.
I need to solve a problem with POST redirect in Spring MVC application.
PayPal lets you to place a simple html form that can redirect to PayPal pages with post. But I need to perform some actions in application after user clicks the PayPal button, but before actual action is taken.
So i was thinking about doing it like this: place PayPal button on webpage, pointing to local controller. There i would need to make some actions like checking whether user is logged to application and if yes then put his email as custom field for PayPal request parameters. If not then log user in and do the previous. After all the information is gathered I need to make post. I know how I could make such a Post, but I need user's web browse to be redirected there. Is there any way to do this?
You canno't instruct the user's browser to do redirection and a post, but you can do that with javascript. The flow would be something like this :
User clicks the paypal button
The paypal button sends data to your controller using ajax
your controller returns a success message and any additional information needed
Java script on your page receives the message and redirects to paypal
I have website, that implements "Sign in with twitter".
This authorization process:
My site redirects user to twitter, then twitter asks user to allow my website access his account, he clicks "Allow", twitter redirects user back to my site, that gets access token.
Also I have an Android app, that needs to initialize this auth process and finally get result.
I can create intent, that opens url in browser, and all next steps go in browser, but can I hook somehow when browser is closed, or (that will be better) when browser gets final redirect, to check if authorization was OK and my website now can access user's twitter account, and close browser?
Do I need investigate about WebView, or this functionality can be implemented using regular Android browser?
I believe what you are looking for is setting up a custom scheme. With this you can set up a appname as a scheme and when you generate a request token from Twitter with an oauth_callback as appname://callback the user will be redirected back to that uri after authorizing and it will open your app.