Comments (5)
@ioplex That's definitely not the expected behavior after completing 2FA. I know that there's a variety of errors that can happen to send you back to that page, but they are supposed to trigger an error message that would show up. I wonder if you're somehow hitting an error we didn't expect or don't handle correctly. My other hunch is that perhaps your redirectUri
configuration is wrong somehow.
If you're up for a little debugging, you could try stepping through the duoCallback
method in LoginController.java
line 128 to see where things are going wrong.
from duo_universal_java.
You are correct. I just needed to set:
duo.redirect.uri=http://localhost:8080/duo-callback
Now the example works fine. This is stated clearly in the SDK documentation but it might help newbies like me if you explicitly state this in your example doc since the example is hard-coded to redirect to /duo-callback.
I guess I was expecting the end-user to just get redirected back to where they entered and not some pre-defined fixed point.
I'm trying to integrate the Universal Prompt with an Enterprise SSO solution as in Kerberos / NTLM style where no password is entered at all so there's no login form. It would be nice if the end-user could be redirected back to whatever resource they tried to access initially. But I can see trying to do that is potentially problematic.
from duo_universal_java.
Glad you got it working!
Let me see if there's a good way to clarify this in the documentation or example code. It is tricky, because the redirect is actually still part of the authentication flow - the auth isn't finalized until the application consumes the code that Duo sends back. That's why the redirect is to a fixed point - i.e. the application code that knows what to do with the code. So getting the user back to where they wanted to go in the first place has to happen after that, and only if the authentication succeeded, etc. etc.
from duo_universal_java.
Do you really have to do it after?
If a filter style handler were used and the state and duoCode parameters are supplied and the state parameter maps to a valid username, then that is pretty selective.
if (clientSuppliedValidSignedCookie(request)) {
doFilter(request, response);
} else if (state == null ||
duoCode == null ||
username.equals(stateMap.remove(state)) == false) {
duoClient.healthCheck();
...
} else {
Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);
...
setSignedCookie(username, integrationKey, timestamp);
}
But Client, in duo-example at least, is instantiated once and the redirectUri is a property of that shared Client. That's fine. All ops are re-entrant and so having one shared Client is an efficient arrangement. But it seems that prevents setting the redirectUri on a per-request basis.
Although I suppose there are probably only a handful of entry points in an application in which case one could make a dynamic Map of Clients for each entry point and then just dispose of them after some expiration. Most requests would re-use a Client so that's effectively just as efficient.
from duo_universal_java.
These are all totally feasible ideas. They're probably overly complicated for what we want to include in our very simple demo application, but in a real application you could definitely use some of these practices. The filter flow definitely would let you combine steps as you noted above.
I believe the client should be flexible enough to accomplish this, but if you find it lacking, let us know if there's a potential change that would make it more useful.
Since you got things working, I'll close this issue, but keep us posted if you have further problems. Thanks for using Duo!
from duo_universal_java.
Related Issues (12)
- Http Proxy support? HOT 15
- duo.redirect.uri =? HOT 2
- Please help fix, unknown bad request HOT 1
- fasterxml.jackson-core 2.3.2 dependency HOT 7
- Dependency version conflict HOT 5
- Maven artifactId in docs are wrong HOT 2
- Upgrade OkHttp dependency to 4.3+ HOT 5
- Remove dependency on Lombok
- Reasons for use_duo_code_attribute HOT 6
- Possible NPE in exchangeAuthorizationCodeFor2FAResult HOT 10
- Update Lombok to 1.18.20 for Java 16 (and presumably onward) compatibility HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from duo_universal_java.