My user is already loggedin with a valid token, but in some important operations (like confirm or cancel of a paid subscription), I want it to send the password along the other data, so the server validate it.
By now, my application has the users in a database, and it was easy to develop this way.
How can I check that user sent password correctly? Will I need to try to login with the username and password in my backend?
Your backend should already be setup as a Keycloak Client so that it can pass tokens for validation / introspection.
If you enable "Direct Access Grants" it will allow the backend to directly pass and verify username and password credentials with Keycloak.
Related
I have an app running on Linux that needs to access a database via the end user's identity. Currently the user logs into the app by entering their email address and password in a form. The email address and password is validated against LDAP. The user's group memberships are retrieved from LDAP and used to set the security groups and roles in my application. I cache the password and can use it to connect to the database on behalf of that user as needed. This works since via the SSO integration the passwords that work with LDAP also work with the database.
The customer wants to move to SAML authentication. The problem is that my app will never get the password, so I never get a chance to cache it for later use. I need a way to authentication to the database on behalf of that user.
One possibility would be if the SAML provider could pass back a Kerberos token. I could then use that Kerberos identity to authenticate to the database on behalf of the user.
The customer is using Tivoli Federated Identity Manager 6.2.2 for SAML with Active Directory providing LDAP/Kerberos. My application is written in JRuby (Ruby on the JVM) so my Kerberos authentication would use Java's facilities, and my database connectivity would use JDBC.
All the examples are using admin username and password to initialize LDAP context and making using of that context to search for the given user. I need to know if there is any means by which I can check if user exits without any dependency with admin credentials. Available paramenters: serverIP, domain, port and given username to check.Please note that given user's password is not available also.
It is possible if your LDAP server allows anonymous access.
If your LDAP server does not allow anonymous access you will need to provide a principal and a password. Normally the principal does not need to be an LDAP administrator just to search and read data.
I am using Spring Security Oauth2 for generating access token. When I use password as grant type, I send a post request as
http://localhost:8085/oauth/token?grant_type=password&client_id=ws&client_secret=secret&scope=read+write&username=david#abc.com&password=abc#123
I don't want to send the username and password in the URL.
I checked source code of TokenEndPoint.java but couldn't find much. I know that we can use HTTPS and encrypt the username and password.
I just want to know if there is any way to send username and password in headers.
I hope this helps you and meets your requirement.
Source: https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md
As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desparately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
OAuth2RestTemplate example in Git Hub
url: https://github.com/mariubog/oauth-client-sample
I have java ADF Web Application , and its in our company and we use secure network
so can i Authenticate the users depend on there login to windows ... if we can get the user Who login to the windows we can do this
i try some commands in java
like
String username = System.getProperty("user.name");
System.getenv("USERNAME");
but all give me server user not client
and i try
request.getRemoteUser() ... it always return null until i do SSO login
and i don't need SSO cause the user is login by his account to Windows
Can any one Help me
If you would like the user logged in to your application based on his logging into a windows workstation, then you are basically asking for Single Sign-on (SSO). In that case, request.getRemoteUser() would be the right method to call.
You could also inspect the request headers and find the header that is populated with the username and then fetch it's value via request.getHeader("USER_HEADER_NAME").
Is it possible to simulate user behaviour on some twitter service that use oauth autorization(you have to enter your twiter credentials and allow to application access to it)?
For example, I have some routine actions with couple of twitter accounts on some twitter service and wanted to write a program(java\python etc.) to make it automatically.
Is there any way to login in such services?
It is possible ton automatize application authorization using username and password. You need to "simulate" user acceptation (on the auth web page) and parse the PIN code on the resulting page.
You need username and password (or manual acceptation) one time only if you retrieve and save user tokens (key and secret).
Some OAuth libs already provide such features