Carl Zeiss GOM Metrology, posted September 3, 2020

Hi folks,

I have two different OAuth2 identity providers connected to my Invision forum. Both of them are working great. Now I have the order to link their sign-ins vice versa on their sign-in pages. But I have no idea how to trigger sign-on for OAuth2 login with HTTP/JavaScript. I already tried to start some HTTP POST to url/index.php?/login/ with the correct processLogin ID, but I just get a 403 Forbidden, although I set CORS enabled for that domain on the Apache web server.

Setup: two OAuth2 sources. Both linked in the sign in / sign up windows in Invision Community. Both of them forward to external login sites. Now there should be a link to the other site (in case of clicking the wrong button first). It is absolutely desired that these links are directly on the other sign-in pages.

Some idea how to do this?

Best,
gom
bfarber, posted September 4, 2020

20 hours ago, GOM IT said: I already tried to start some HTTP POST to url/index.php?/login/ with the correct processLogin ID, but I just get a 403 forbidden.

You also need the correct csrfKey value to be included in the request. If you are using javascript for this, you can obtain this value from ips.getSetting('csrfKey');
Carl Zeiss GOM Metrology (Author), posted September 7, 2020 (edited)

On 9/4/2020 at 3:53 PM, bfarber said: You also need the correct csrfKey value to be included in the request. If you are using javascript for this, you can obtain this value from ips.getSetting('csrfKey');

Hi, thank you for your response. I set the csrfKey now like the ref key, but I still got the 403 response with error code 2S119/1. I read both keys from the URL of AuthorizePage1 and use them to create the request to the Invision login endpoint. My request looks like:

URL: https://forum.gom.com/index.php?/login

POST parameters:
csrfKey=42xxxxxxxxxxxxxxxxxxxxxxxxxxxxdb
ref=aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMQ==
auth
password
remember_me=1
_processLogin=2
_processLogin=2

Request header:
POST /index.php?/login/ HTTP/1.1
Host: contoso.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 175
Origin: https://other.saml.login.com
Connection: keep-alive
Referer: https://contose.com/oauth2/v2.0/authorize?resource=https://contoso.user.com&response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https://contoso.com/oauth/callback/&state=3-aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaW4v-42xxxxxxxxxxxxxxxxxxxxxxxxxxxxdb-aHR0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMQ==&code_challenge=H9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxUU&code_challenge_method=S256&scope=userlala
Pragma: no-cache
Cache-Control: no-cache

I saw that the login will have the same csrfKey and ref values when using different login methods at the same time. So I just tried to use the same values to connect to the #2 method as I got from the system for the login request to the #3 method.

Best,
gom

Edited September 7, 2020 by GOM IT
Carl Zeiss GOM Metrology (Author), posted October 23, 2020

I had a look at this again. I am able to send the request 1:1 from our Invision main site "forum.contoso.com", but not from the external site "login.contoso.com", although I allowed my Apache reverse proxy to handle this URL with CORS. Is there a need to add the URL to Invision too for sending REST requests?
bfarber, posted October 26, 2020

If you are sending a request that requires the CSRF key then you need to fetch the valid CSRF key for the user. This is going to be difficult if processed from somewhere external to the software, because the user needs to hit the community to initiate a session on the backend and receive the session cookie (typically ips4_IPSSessionFront as I recall), and then this cookie will need to be sent with the request.
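The two requirements bfarber describes (a session cookie the community itself issued, plus a csrfKey that belongs to that same session) are what turn the external POST into a 403, regardless of any CORS setting on the proxy. The following Python is an added example written for this thread, not Invision Community's code: the session table, the request shape, the reason strings and the sample inputs are all constructed, and only the cookie name ips4_IPSSessionFront is taken from the reply above. It models the check a synchronizer-token CSRF defence performs and replays the three situations the thread describes.

```python
"""Synchronizer-token CSRF check bound to a session cookie (constructed model).

Illustrates why a login POST needs both the session cookie and a csrfKey
that belongs to that session. Toy model, not Invision Community's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "ips4_IPSSessionFront"   # cookie name quoted in the thread


@dataclass
class Session:
    csrf_key: str                 # token handed out for this session only
    user: Optional[str] = None    # filled in once a login completes


class SessionStore:
    """Server-side session table: cookie value -> Session (constructed stand-in)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self) -> Tuple[str, Session]:
        """What happens when a client first hits the community: a session id
        and a fresh csrfKey are minted, and the id goes back as a cookie."""
        sid = secrets.token_hex(16)
        session = Session(csrf_key=secrets.token_hex(16))
        self._sessions[sid] = session
        return sid, session

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None


@dataclass
class Request:
    """Only the parts of an HTTP POST the check needs (constructed shape)."""
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def check_login_post(store: SessionStore, req: Request) -> Tuple[int, str]:
    """Return (status, reason); 403 mirrors the failed attempts in the thread."""
    session = store.lookup(req.cookies.get(SESSION_COOKIE))
    if session is None:
        # No cookie, or a cookie the backend never issued: the client never
        # initiated a session, which is the cross-site case in the thread.
        return 403, "no valid session cookie"

    submitted = req.form.get("csrfKey", "")
    # Constant-time comparison so a timing side channel reveals nothing about the key.
    if not hmac.compare_digest(submitted, session.csrf_key):
        return 403, "csrfKey does not belong to this session"

    # Both factors line up; a real handler would now run the selected
    # login method (_processLogin) and redirect to the identity provider.
    session.user = "pending-oauth2"
    return 200, f"proceed with _processLogin={req.form.get('_processLogin', '?')}"


def demo() -> Dict[str, int]:
    """Replay the three situations from the thread on constructed inputs."""
    store = SessionStore()
    sid, session = store.start()            # the user visited the community once
    same_site = Request(cookies={SESSION_COOKIE: sid},
                        form={"csrfKey": session.csrf_key, "_processLogin": "2"})
    # An external page copied a csrfKey out of a URL but holds no cookie for the
    # community domain, so nothing ties that key to a session on the backend.
    external_no_cookie = Request(form={"csrfKey": session.csrf_key, "_processLogin": "2"})
    # Cookie present, but the key belongs to some other (or expired) session.
    stale_key = Request(cookies={SESSION_COOKIE: sid},
                        form={"csrfKey": "not-the-session-key", "_processLogin": "2"})
    return {
        "same_site": check_login_post(store, same_site)[0],
        "external_no_cookie": check_login_post(store, external_no_cookie)[0],
        "stale_key": check_login_post(store, stale_key)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The model makes the thread's outcome concrete: reading csrfKey and ref out of a URL on the external site reproduces the form fields, but the browser will only attach the community's session cookie to a request it sends to the community's own origin with credentials, and without that cookie the server has nothing to bind the submitted key to.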