1

I have to enable OpenID for our command line application (Django Application) For Ex: whenever the users try to access our APIs, I have to make sure that the user is Authenticated using OpenID (Microsoft/Google). I am trying to write a Shell script to access OpenID website and then store the cookie on the user's machine and whenever he tries to access second application he should be given access based on the cookie that I store on his machine.

I am trying to use the approach mentioned here and whenever I try to access the second url, I am getting an error "Your browser is currently set to block cookies. You need to allow cookies to use this service."

My websites are not on a single domain, They use OpenID to authenticate.

  1. I logged into the first website and the site redirected me to OpenID website (Azure AD)
  2. I accessed the redirected url using curl with username and password successfully and stored the cookie.
  3. When I am trying to login to the second website using the below line, I see this error. (Since I have the cookies stored it should be able to read them and open the second website page)

curl --cookie ./somefile https://secondwebsite.com/b

Here is my complete script

#Setting redirect url in IP variable
set IP=`curl -w "%{url_effective}\n" -I -L -s -S http://mysite1.com -o /dev/null`
echo "Trying to Authenticate.."
curl -L -s -S -I -k -v -i --user "username@microsoft.com" -D ./temp/cookie $IP
echo "Authentication successful"
#I need to check if the cookie is set or not, If it is set Authentication is successful

echo "Trying to access the second url"
#The below line is failing, When I wrote the whole content to html file, I see the error mentioned above (Your browser is currently set to block cookies. You need to allow cookies to use this service) 
curl --cookie ./temp/cookie https://secondwebsite.com/

To Summarize, I am stuck with 2 questions

  1. Authenticating the user to second site without needing to logging in again
  2. Sometimes the Authentication url asks for Password from the user, which will be sent to users Mobile (2 Factor Authentication). Any pointers on how to handle this case if it arises?
Community
  • 1
  • 1
Venkatesh Marepalli
  • 606
  • 7
  • 20

1 Answers1

0

There are proper secure ways to enable your command line application to access your API.

[OpenId Connect RFC] (http://openid.net/specs/openid-connect-core-1_0.html), allows you to use the public client [code flow] (http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) to obtain an access_token and refresh_token. THe user can do that for the first time and for later uses the command line application can use the Refresh Tokens keep renewing for a new access token and call the API.

Azure AD B2C has some examples that show how you can invoke the [code flow from a desktop application] (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-native-dotnet) and the corresponding GitHub.

This link has more details https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code#4-refresh-the-token

This way your command line application is never collecting sensitive information such as passwords or mfa details. It invokes the browser to let AAD B2C do the most secure authentication configured and give app the access_token. From then on the command line just uses the access_token as a bearer token usually by placing it in the Authorization header.

Vikram
  • 21
  • 2
  • As per the specification, it required browser interaction but I am looking for completely command line based authentication. the client must be capable of interacting with the resource owner's user-agent (typically a web browser) (https://tools.ietf.org/html/rfc6749#section-4.1) – Venkatesh Marepalli Apr 20 '17 at 17:38