
External url to oauth2 login



Hi folks,

I have two different OAuth2 identity providers connected to my Invision forum. Both of them are working great.
Now, I have the order to link their sign-ins vice versa on their sign-in pages. But I have no idea how to trigger sign-on for the OAuth2 login with HTTP/JavaScript. I already tried to send an HTTP POST to url/index.php?/login/ with the correct processLogin ID, but I just get a 403 Forbidden, although I enabled CORS for that domain on the Apache web server.

Setup:
Two OAuth2 sources. Both are linked in the sign in / sign up windows in Invision Community. Both of them forward to external login sites. Now there should be a link to the other site (in case of clicking the wrong button first). It is absolutely desired that these links are directly on the other sign-in pages.

Any idea how to do this?

Best,

gom


20 hours ago, GOM IT said:

I already tried to start some HTTP POST to url/index.php?/login/ with the correct processLogin ID, but I just get a 403 forbidden.

You also need the correct csrfKey value to be included in the request. If you are using JavaScript for this, you can obtain this value from ips.getSetting('csrfKey');

 


On 9/4/2020 at 3:53 PM, bfarber said:

You also need the correct csrfKey value to be included in the request. If you are using JavaScript for this, you can obtain this value from ips.getSetting('csrfKey');

 

Hi,

Thank you for your response. I now set the csrfKey like the ref key, but I still got the 403 response with Error code: 2S119/1.
I read both keys from the URL of AuthorizePage1 and use them to create the request to the Invision login endpoint. My request looks like:

URL:
https://forum.gom.com/index.php?/login

POST parameters:
csrfKey=42xxxxxxxxxxxxxxxxxxxxxxxxxxxxdb
ref=aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMQ==
auth
password
remember_me=1
_processLogin=2
_processLogin=2

Request header:
POST /index.php?/login/ HTTP/1.1
Host: contoso.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 175
Origin: https://other.saml.login.com
Connection: keep-alive
Referer: https://contose.com/oauth2/v2.0/authorize?resource=https://contoso.user.com&response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https://contoso.com/oauth/callback/&state=3-aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaW4v-42xxxxxxxxxxxxxxxxxxxxxxxxxxxxdb-aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMQ==&code_challenge=H9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxUU&code_challenge_method=S256&scope=userlala			
Pragma: no-cache
Cache-Control: no-cache

I saw that the login has the same csrfKey and ref when using different login methods at the same time. So I just tried to use the same values to connect to method #2 as I got from the system for the login request to method #3.

Best,
gom

Edited by GOM IT

  • 1 month later...

If you are sending a request that requires the CSRF key then you need to fetch the valid CSRF key for the user. This is going to be difficult if processed from somewhere external to the software, because the user needs to hit the community to initiate a session on the backend and receive the session cookie (typically ips4_IPSSessionFront as I recall), and then this cookie will need to be sent with the request.

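The session binding described in the last reply, as an added example that is not part of the original thread and not Invision Community's code: a small Node.js model in which a csrfKey is accepted only together with the session cookie it was issued for. The function names, token format and the 302 result are assumptions; the cookie name is the one recalled in the reply.

```javascript
// Added model of a session-bound CSRF check (assumed design, not Invision's source).
const { randomBytes, timingSafeEqual } = require("node:crypto");

const SESSION_COOKIE = "ips4_IPSSessionFront"; // cookie name as recalled in the thread
const sessions = new Map(); // session id -> csrfKey issued for that session

// A visit to the community starts a session and yields the key embedded in its forms.
function startSession() {
  const id = randomBytes(16).toString("hex");
  const csrfKey = randomBytes(16).toString("hex");
  sessions.set(id, csrfKey);
  return { cookie: `${SESSION_COOKIE}=${id}`, csrfKey };
}

function parseCookies(header = "") {
  const pairs = header.split(";").map((p) => p.trim()).filter(Boolean);
  return Object.fromEntries(pairs.map((p) => {
    const i = p.indexOf("=");
    return [p.slice(0, i), p.slice(i + 1)];
  }));
}

// Hypothetical login handler: the key is checked against the caller's own session.
function handleLoginPost({ cookieHeader, form }) {
  const sid = parseCookies(cookieHeader)[SESSION_COOKIE];
  const expected = sid ? sessions.get(sid) : undefined;
  if (!expected) return { status: 403, reason: "no session cookie sent" };
  const a = Buffer.from(expected);
  const b = Buffer.from(String(form.csrfKey || ""));
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { status: 403, reason: "csrfKey belongs to another session" };
  }
  return { status: 302, reason: `hand off to login method ${form._processLogin}` };
}

// Constructed requests: the same key presented in three different session contexts.
function demo() {
  const user = startSession();
  const other = startSession();
  const form = { csrfKey: user.csrfKey, _processLogin: "2" };
  return {
    sameSession: handleLoginPost({ cookieHeader: user.cookie, form }).status,
    noCookie: handleLoginPost({ cookieHeader: "", form }).status,
    otherSession: handleLoginPost({ cookieHeader: other.cookie, form }).status,
  };
}

console.log(demo());
```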
