This topic has 23 replies, 1 voice, and was last updated 1 month, 1 week ago by [email protected].

  • #6043
     DavidPui
    Participant

    Hi,
    After installing OpenAM, I now tried configuring authentication using OAuth 2.0 to my Facebook account. It kind of semi-works. The Facebook logon icon appears when I invoke the OpenAM login page and I am able to click on login via Facebook. However, when I click on this, it launches my Facebook page, but with an error saying: "Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App’s settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App’s domains."

    I searched and searched and tried all the suggestions but still couldn’t fix this.

    What should I set for Apps domains, Site URL and Redirect URIs ?

    Please advise.

    Cheers
    David

    #6045
     Rogerio Rondini
    Participant

    Hi David,

    Try to watch the following video demonstration.

    https://www.youtube.com/watch?v=u3kqjbtB0l4

    At.
    Rogério Rondini

    #6050
     DavidPui
    Participant

    Thanks Rogerio.

    Very good video.

    However, I could get this going. Basically I have setup a facebook app which points to a site URL openam.example.com/openam and the apps domain is openam.example.com.

    Basically if you invoke the openam.example.com/openam it displays the OPENAM login prompt.

    I set up a realm called test and also a userid called davidpui and also authentication module instance called facebook1 with the details as per the video.

    How do I test this? Basically, when I go to openam.example.com/openam and click on the Facebook icon, I get a message saying unable to login to OpenAM.

    Please help… me with the steps.. on what I am missing.

    Or maybe if you can give me a simple example step by step on how I can setup and test this out.
    Thanks.

    Cheers
    David

    #6055
     Rogerio Rondini
    Participant

    Hi David,

    So.. I don't know why it is not working in your environment. I did a simple test in my local environment and it is working.

    Anyway, when you configure Social Authentication using the Wizard, it will create an Authentication Module, an Authentication Chain, and a Social Authentication Implementations service in the realm that you choose during configuration. The service is responsible for adding the Facebook icon to the OpenAM login page. I think you need to check the Social Authentication Implementations to make sure that all parameters are configured OK.

    Abs.
    Rogério Rondini

    #6056
     DavidPui
    Participant

    Thanks Rogerio for the prompt reply. OK I will check the configuration.

    Questions
    1. When you did your testing do you use just the root realm or you created another realm ?
    2. How do you know you are testing using root realm or test realm ?
    3. How do you test it to prove that it works ? Did you invoke the openam.example.com/openam login page and then click the facebook icon and then what happens next? What screen is prompted ? Should this be redirected to the facebook page or the Openam config page ?
    4. In our testing scenario who is the Identity Provider, isn’t this facebook ?
    5. Did you do any Account Mapping and Attributes Mapping or did you just leave this to the default? Please advise

    Thanks.

    Cheers
    David

    #6059
     DavidPui
    Participant

    Hi Rogerio
    When you created a simple test, are there any specific configurations that you entered?

    As for me I leave everything to default.

    Please advise.

    Cheers
    David

    #6061
     Rogerio Rondini
    Participant

    Hi David,

    No.. Just default config and the Facebook Application ID and client secret.

    When you clicked on the Facebook icon, were you already logged in to Facebook?
    If yes, the error is probably in creating the account in the OpenAM datastore (if configured to do it automatically, as is the standard), or there is no account in the OpenAM datastore linked with the Facebook account.

    I think you need to enable “debug” in the OpenAM server and check its debug files.

    Abs.
    Rogério Rondini

    #6062
     Rogerio Rondini
    Participant

    Completing your previous message…

    1. When you did your testing do you use just the root realm or you created another realm ?
    I used root realm, but I think it is not relevant.

    2. How do you know you are testing using root realm or test realm ?
    To use a different realm, you should add realm name in the login URL, like following..
    http://openam.example.com/openam?realm=<yourRealmName>

    3. How do you test it to prove that it works ? Did you invoke the openam.example.com/openam login page and then click the facebook icon and then what happens next? What screen is prompted ? Should this be redirected to the facebook page or the Openam config page ?
    Yes, I clicked in the facebook icon and then…
    – Browser redirect to Facebook Login Page (if you are not authenticated in the facebook yet)
    – After log in facebook with a valid facebook account, browser will redirect back to OpenAM to show the authenticated user info, i.e, OpenAM EndUser page.
    – Here OpenAM will receive your Facebook info and link it with an OpenAM user account by the “email” attribute. If a user account with the same email got from Facebook is missing, OpenAM can create the account or throw an authentication error.

    4. In our testing scenario who is the Identity Provider, isn’t this facebook ?
    Identity Provider is Facebook.

    5. Did you do any Account Mapping and Attributes Mapping or did you just leave this to the default? Please advise
    I kept default mapping, which is the “email” attribute.
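The linking step described in this reply (match on "email", then create the account or fail), as an added example that is not part of the original post and is not OpenAM code. The attribute names come from the mapping posted later in the thread; the function names, the list-based datastore and the sample values are assumptions made for the illustration.

```python
# Model of the account-linking step described in the thread (not OpenAM source code).

# Provider field -> datastore attribute, as posted later in this thread.
ATTRIBUTE_MAPPING = {
    "id": "uid",
    "last_name": "sn",
    "first_name": "givenName",
    "email": "mail",
    "name": "cn",
}
# Default account mapping named in the thread: link on the "email" attribute.
ACCOUNT_MAPPING = {"email": "mail"}


class AuthenticationError(Exception):
    """Raised when no local account can be linked or created."""


def map_attributes(profile, mapping):
    """Translate provider fields to datastore attributes, skipping absent fields."""
    return {local: profile[remote] for remote, local in mapping.items() if remote in profile}


def link_account(profile, datastore, create_if_missing=True):
    """Return (entry, created) for the local account matching the provider profile."""
    key = map_attributes(profile, ACCOUNT_MAPPING)
    if not key:
        # e.g. the provider returned only id, first_name and last_name
        raise AuthenticationError("profile has no field usable for account mapping")
    for entry in datastore:
        if all(entry.get(attr) == value for attr, value in key.items()):
            return entry, False
    if not create_if_missing:
        raise AuthenticationError("no local account with %r" % key)
    entry = map_attributes(profile, ATTRIBUTE_MAPPING)
    datastore.append(entry)
    return entry, True


# Constructed sample data, not taken from a real directory or Facebook response.
DATASTORE = [{"uid": "davidpui", "mail": "david@example.com", "cn": "David Pui"}]
PROFILE = {"id": "1000001", "first_name": "David", "last_name": "Pui",
           "name": "David Pui", "email": "david@example.com"}

if __name__ == "__main__":
    print(link_account(PROFILE, DATASTORE))
```

A profile that carries no "email" field fails before any lookup, which is the case to rule out when the provider returns only id, first_name and last_name.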

    #6063
     DavidPui
    Participant

    Thanks Rogerio for getting back to me on the questions.

    I now created a facebook account which is my email address in Openam.

    I got a bit further after clicking the facebook icon in the Openam login page, it prompted my facebook page as I have already logon, however, I was expecting it to go straight into an Openam page – should I logon to this first?

    However, I got an error on top of my logged facebook screen – which says Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App’s settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App’s domains.

    What are your definitions when you create the facebook app in facebook developers, please provide the Apps Domains, Site URL and particularly what is the Redirect URI.

    Thanks.

    Cheers
    David

    #6064
     Rogerio Rondini
    Participant

    Hi David,

    App Domains: example.com
    Site URL : http://openam.example.com:18080/openam

    In my case, OpenAM is running on port 18080 not 80.

    #6069
     DavidPui
    Participant

    Hi Rogerio,

    This is the error I get and I believe it’s in the facebook redirect uri in which I put
    request invalid, perhaps permission problem…

    when it tries to execute
    http://openam.example.com:8080/OpenAM-12.0.0/oauth2c/OAuthProxy.jsp

    Any idea what's the permission issue?

    What do I need to do to fix this?

    Cheers
    David

    #6071
     DavidPui
    Participant

    Hi Rogerio,

    I got the Google Authentication OAuth2 to work nicely and easily. Not a problem.

    Both Google and Facebook config seems to be similar.

    However, with Facebook, somehow it seems when I clicked on the Facebook icon when I’m already logon to Facebook, it shows the Facebook page in the background followed by the URL invalid error message.

    At one stage, I managed to get Facebook to authenticate and log on successfully via the Facebook icon, and then subsequently it redirected to attempt to log on to OpenAM and then failed.

    Somehow it seems to be to do with the config of the Account Mapper and Attribute Mapper. I’m using OpenAM 12.0.0; it appears to be buggy… as in the Account Mapper, there seems to be a double-up of the Account Mapping sections.. in the screen…

    Which version of OpenAM are you running? Please advise.

    Cheers
    David

    #6072
     DavidPui
    Participant

    Hi Rogerio,

    In Facebook, the only useful attributes are Id, First_Name and Last_Name
    So what is the Corresponding Openam Attributes.. so when we map for attributes mapping
    do we map

    Id=Id
    First_Name=First_Name
    Last_Name=Last_Name

    what is the correct attribute name for Openam and also Facebook attribute so that I can get the correct mapping…. I think this may be the problem..

    Also, it seems that when it executes the redirect URI it gets a permission problem.. How do I give the correct permission to the URI JSP in OpenAM?

    Please advise.

    Cheers
    David

    #6073
     DavidPui
    Participant

    Hi Rogerio,

    As part of the Facebook OAuth2 and OpenAM SSO configuration,
    Questions:
    1. Do you need to configure the Client OAuth2 Registration of the redirect URI that you specify in facebook apps under redirect URI section ? Please advise.

    2. There is the Web agent and J2EE agent, do we need to configure this so that the redirect URI that is protected need to be given the appropriate permission ; Please advise.

    Thanks.

    Cheers
    David Pui

    #6074
     Rogerio Rondini
    Participant

    Hi David,

    So.. I'm using OpenAM 12.0.

    About the Redirect URI, I don't understand why your URI is http://openam.example.com:8080/OpenAM-12.0.0/oauth2c/OAuthProxy.jsp if in the first post you said that your Site URL is http://openam.example.com/openam.

    My attribute mapping is:
    id=uid
    last_name=sn
    first_name=givenName
    email=mail
    name=cn

    You don't need a Policy Agent to work with the OAuth Client.

    Abs,
    Rogério Rondini.
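The mismatch pointed out in this reply can be checked mechanically. The sketch below is an added example, not part of the original post: it compares scheme, host, port and deployment context of the app's Site URL against the redirect URI that OpenAM sends, and checks the host against the App Domains. It does not reproduce Facebook's own validation; the function names are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_and_context(url):
    """Split a URL into the parts that must agree between the two settings."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    segments = [s for s in parts.path.split("/") if s]
    return {
        "scheme": scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or DEFAULT_PORTS.get(scheme),
        # First path segment = deployment context, e.g. "openam"
        "context": segments[0] if segments else "",
    }


def under_app_domain(host, app_domains):
    """True if host equals, or is a subdomain of, one of the App Domains."""
    domains = [d.lower() for d in app_domains]
    return any(host == d or host.endswith("." + d) for d in domains)


def diagnose(site_url, redirect_uri, app_domains):
    """Return a list of human-readable differences; an empty list means consistent."""
    site = origin_and_context(site_url)
    redirect = origin_and_context(redirect_uri)
    findings = [
        "%s: site URL has %r, redirect URI has %r" % (k, site[k], redirect[k])
        for k in site if site[k] != redirect[k]
    ]
    if not under_app_domain(redirect["host"], app_domains):
        findings.append("host %r is not under App Domains %r"
                        % (redirect["host"], list(app_domains)))
    return findings


if __name__ == "__main__":
    # Values quoted in the thread for David's setup.
    for line in diagnose(
        "http://openam.example.com/openam",
        "http://openam.example.com:8080/OpenAM-12.0.0/oauth2c/OAuthProxy.jsp",
        ["openam.example.com"],
    ):
        print(line)
```

With the values from the thread it reports two differences, the port (80 against 8080) and the deployment context (openam against OpenAM-12.0.0).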

Viewing 15 posts - 1 through 15 (of 24 total)
