Hi ,I have used below page as callback page on azure portal while app registration for the azure ad authentication.
and callback page is anonyms in the forge component where we are getting response after succesful authentication.Can anyone suggest please it should be anonyms or it should not ?I have followed below document for implementation.https://itnext.io/getting-started-with-outsystems-and-microsoft-graph-123006356d41Thanks,
Hi,
I think it will be anonymous. Its a page to create user in "User" table. once the user detail is available in Azure DB and "User is not registered user, it will raise security exception. It will redirect to this callback page and create a user in User table. And so the user can access the pages in application.
Regards,Wasimkhan S
The callback page should be anonymous. It is the page Azure will call back to after the login process and in that stage the OutSystems User is not logged in yet. That will have happen during this stage.
Thanks for the answer.I am facing one more issue in implementing SSO.1) Local outsystems USER will login using outsytems login default login authentication.2) SSO user will use login URL as application dashboard page URL.Currently login and manually button click log out process working fine for both the SSO and local user.I am facing issue - when session timeout happens when user is idle then the local outsystems USERS they redirected to the SSO login page instead of outsystems defualt login page which is used for local outsystems users.Below is coding flow implemented on the global exception handler. Please suggest feasible solution for the same.Thanks.
If a user hits the session limit, then the user is practically logged out and the GetUserId will return a NullIdentifier. This leads in your flow that the user is redirected to Entra Portal.
Suggested workarounds:
* You remember the sign-in method in the browser's local storage (client-side variable) and read the value of the local storage in the security exception handler and then redirect to the appropriate login method. Like a LastLoginMethod client variable
* You change the login form so a user must first only enter a email address. After submitting you look up the user in the users table and determine if it is an SSO user. If not, you request the password in the login form and if yes you redirect to entra.
Best
Stefan
Thanks for the answer. One last doubt I have on the same.I have put code like this on the global exception handler.What will happen if I put the RedirectedToScreen option blank ?
Thanks.
The redirect uri is passed thru the authentication flow and you can retrieve the redirect url in your callback page to redirect the user back to another screen once you performed the login. It is suitable in situations where a user tries to access a concrete link (e.g. from a favorite) and needs to authenticate first. Getting the last accessed url and setting the redirect url parameters helps to redirect that user to the original requested screen.
If I wanted to redirect on the multiple screens (Multiple dashboard pages) based on user role after authentication in that case How I need to setting the option of RedirectToScreen ? How can I give multiple screen name in RedirectedToScreen option ?Thanks.
Hi ,Is there any solution for the above mentioned issue in the comment ? Becauser each user having different role in application and Based on user role we have different dashboard to land on the page once login is succesful.Please suggest alternative solution How can we achieve it when we implement SSO using microsoft login connector ?Thanks,
In such a scenario you would not use the redirect url at all. Instead on the callback page after successful sign-in in you would query the role and then using a Switch statement have multiple redirects to a target screen.
Hi,Are you talking about below callback page ?Currently on the forge component's callback page code is like this, where exactly I need to check role in this flow ?and in the demo application on the onexception event we have code like below where we are redirecting user on the application dashboard page.
then where exactly I need to make the change to achieve the expected outcome. I am stuck here only to redirect users on the different dashboard pages based on the role. Please suggest your thoughts on the same.Thanks.
The InitializeCallback handles the returned code from Entra, requests id and access token and performs the login of the user. After this you have a valid logged in user. Instead of returning to the provided redirect url you can add some additional logic afterwards to redirect a user to any url or screen you want.
This is the way. You can't determine what someone's redirect URL will be based on his profile until that person has completed the login process. In fact, you don't even know who is going to logon until after the fact because the entire process (including retrieval of the username) is done by Entra Id.
Just change (or create a new) the callback page where you implement logic for the redirect. I would recommend creating a new page in a different OutSystems application, that way you can keep on upgrading the Login component without disrupting your login flow. Do check, after each update, that the callback page has not changed. If it had you will need to migrate those changes back into your custom callback page.
Thank you so much.
Thanks a lot for the explanation on the same .Please provide your feedback if I something is missing in below logic flow.
Currently on dev environment I have implemented the code on the callback page of the forge component.
(https://<Dev environment server url>/MicrosoftLoginConnectorReactive/CallbackPage)
OnReady event of the screen as shown in the below image..Initialise callback action parameters.If condition to check verify the roleIf condition is true then redirecting user on the below page.
Is this right way to implement it for this type of usecase ? Is there any security risk ? Best Regards,Ajit Kurane.
I don't see a security risk in this configuration. The page you redirect to would (normally) validate the user again and if this person has no access then an error will be shown (or however you handle that).
I personally would not use the "RedirectToUrl" feature though. Make the screens public and add references to it so you can access them from the Callback page. That way you can more easily see where the references are created. Note that screen references are loosely coupled so there is no change of a circular dependency.
But again, and I can't stress this enough, create a custom callback page for this particular application outside of the Login Connections Application scope. This will make your life a lot easier. Now, and in the future.
Custom callback page means I need to create another application where I will add dependency of Microsoft login connector forge component's callback page and there I will define this role logic. Am I right ?
The another application I will create for the custom callback page... screens of that app do I need to make the public?
I am just confused about that how to create a custom callback page and How to redirect users from that custom callback page?
Can you please explain more so that I can understand it well.
Thanks
Hello Vincent and Stefan,
Hope you are doing well.
We have used callback page of this forge component in our MFA implementation and it is working as expected in production.
Our client wants to perform pentest for the MFA functionality on UAT.
So do you see any security risk while using this callback page from the forge component? Is there any chance to bypass the MFA due to this callback page?
Please provide your inputs and suggestions so that we can make changes if it's there security risk.
Anyone from the community if you have any prior experience on the same please share your thoughts to make it more secure.
Thanks in advance
Hi Ajit,
that is very hard to tell as the overall security depends on the combination of configuration on the Entra side and implementation on the O11 side. Generally speaking there is no way to bypass a configured MFA on the Entra side. but this only applies if the user is really redirected to the Entra sign-in.
O11 sessions may have longer validity than the access token ttl configured which leads to an effect that a user is logged into O11 though the access token is already invalid.Saying that this could lead to some insecure behaviour in combination with conditional access rules. Lets say the rule says that MFA only applies when the user is outside an office. It could now happen that a user sucecssfully authenticates within the office, than travels home, but will still be able to use the OutSystems application without additional login.Another security aspect to consider is that the component by Vincent is a little outdated and - as far as I know - not maintained anymore. As I remember it uses only client id and secret during the authorization code flow without using PKCE, which is recommend and with OAuth 2.1 a requirement.
So could you please suggest in the existing implementation what should be done now to make it more secure?
I will await for your response.
Thanks,
Ajit Kurane
Hello Stefan ,Thank you for your response.
Could you please suggest what changes we need to do in current implementation ? Is there any updated component with Oauth 2.1 for MFA implementation ?
Thanks,Ajit Kurane