In a project written with Laravel 9, I needed to connect with a banking portal, I encountered the following error on the Callback:
https://javadheidarpour.com/sap/CallBack
[HTTP/1.1 419 unknown status 1122ms]
Cookie “remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect. CallBack
Cookie “XSRF-TOKEN” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect. CallBack
Cookie “nobt_mn_session” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect. CallBack
file config/session.php :
'same_site' => "lax",
Callback path defined in routes/api.php ect:
https://javadheidarpour.com/api/sap/CallBack
Related
When OIDC authentication request is being validated, first readirect_uri and client_id are verified (client must be registered and it must allow specified redirect uri). After redirect_uri is verified all further validation errors should be redirected to redirect_uri with error/error_description parameters (for example "https://example.com/oauth-callback?error=invalid_request").
However there is response_mode param which tells how response (including error response) should be returned to the client. There are some scenarios in which response_mode is present in the authentication request but it cannot be verified/validated:
response_mode is just invalid / unsupported by server - in theory error response with error=invalid_request should be returned to the client afaik, but which response mode should be used in this case? some default response mode for authorization flow represented by response_type?
response_type is invalid/unsupported by server or not allowed by client - in this case error response with error=unsupported_response_type|unauthorized_client should be returned afaik, but which response_mode should be used in this case? The problem is that some response modes are not allowed by some authorization flows (for example response_mode=query in implicit flow). So for example if request contains response_type=invalid&response_mode=form_post, then how error response should be returned to the client? Using form_post?
response_type=token&response_mode=query - this is not allowed, but how error response should be returned to the client? Using query or fragment response_type?
I could not find in OAuth2/OIDC RFCs how to handle those cases. It seems reasonable to:
if response_type is invalid then use fragment response_mode to return error
if response_type is valid but response_mode is invalid or not allowed by client then use fragment response_mode to return error
if response_type is valid and response_mode is valid and allowed by client then, for any further request validation errors, use specified response_mode to return those errors to the client
But not sure, are there any documentation / best practices how OAuth2/OIDC server should behave is such cases?
I am using OAuth 2.0 for authorization according to this documentation :(https://developers.vendhq.com/documentation/oauth.html#oauth) and having this error:
"error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter."
Request
Method : POST
Content-Type: application/x-www-form-urlencoded
URL : https://{domain_prefix}.vendhq.com/api/1.0/token
Parameters :
code = {code}
client_id = {app_id}
client_secret = {app_secret}
grant_type = authorization_code
redirect_uri = {redirect_uri}
As per the RFC6749, section 4.1.3, the encoded body of a POST request should look like code={code}&client_id={app_id}&client_secret={app_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}.
Example:
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&client_id=CLIENT_ID_1234&client_secret=CLIENT_SECRET
Do not forget to encode the redirect Uri: http://foo.bar/ => http%3A%2F%2Ffoo.bar%2F
Concerning the authentication error, it may be because the authorization server do not support client secret in post request (or your client is not allowed to use it).
Then try to add the Authorization header with basic authentication scheme.
The value of this header is Basic {ENCODED_AUTHENTICATION} with {ENCODED_AUTHENTICATION} =base64(client_id + ':' + client_secret)
With this header, the client_id and client_secret in the post request have to be removed. Your request parameters become code={code}&grant_type=authorization_code&redirect_uri={redirect_uri}.
You will need to check the URL to which you are attempting to send your POST to. The service that you are attempting to contact does not exist or is currently unavailable.
Im using Ember-Auth and have login to my rails application working.
Once logged in the auth.auth-token is set and i can view it in my templates with:
{{auth.authToken}}
I no need to pass this token along with my ember-data requests but for the life of me cant figure out how to access it.
App.Store = DS.Store.extend
adapter: DS.RESTAdapter.reopen
namespace: 'api/v1'
setHeaders: (->
this.set('headers', { "auth_token": <what goes here?> });
return
).on('init');
some of the things I've tried:
App.Session.get("authToken")
App.auth_token
App.auth.auth_token
App.Auth.get('auth_token')
App.Auth.get('authToken')
There seem to be lots of people doing it different ways, due to embers rapidly changing API. But everything I've tried ends up being undefined.
DEBUG: -------------------------------
DEBUG: Ember : 1.5.0-beta.3
DEBUG: Ember Data : 1.0.0-beta.7.f87cba88
DEBUG: Handlebars : 1.3.0
DEBUG: jQuery : 1.11.0
DEBUG: -------------------------------
Auth configuration:
App.Auth = Ember.Auth.extend
request: 'jquery'
response: 'json'
strategy: 'token'
session: 'cookie'
signInEndPoint: '/api/v1/user_session' # api url for sign-in
signOutEndPoint: '/api/v1/user_session' # api url for sign-out
tokenKey: 'auth_token' # param returned from api containing auth token
tokenIdKey: 'user_id' # param returned from api for id of authenticated user
tokenLocation: 'param' # auth token will be sent to api as a param
Well the answer to this I believe was that my authentication server wasn't returning the token with the correct name in my json response.
I switched to ember-simple-auth since having this issue, but had a similar issue until I discovered that the name of my auth token in the json my server was returning was: "auth_token" rather that what ember-simple-auth expected: "access_token"
So my guess is that the auth was seeing that the request succeeded, which explains why I could login. but then the session was empty because ember-simple-auth was looking for a token of a different name and failing that didn't bother to create the session.
Perhaps a suggestion to the ember-auth and ember-simple-auth people is to add a warning or error when the returned token is missing?
Hope this helps someone else :)
Getting authentication errors when I try and obtain my upload authorization token
https://developers.google.com/youtube/2.0/developers_guide_protocol_error_responses
Using a packet sniffer, my first error message is>
401 Token invalid - Invalid token: Cannot parse AuthSub token:
In addition to perhaps improperly formatted Auth key value, I'm wondering exactly what headers I should be including for my upload auth request.
I am using the following though think clientId has been deprecated
"Authorization", "GoogleLogin auth=\"" + authToken + "\""
"X-GData-Client", clientId
"X-GData-Key", "key=" + devKey
After changing
"Authorization", "AuthSub token="+authToken
to
Authorization", "GoogleLogin auth="+authToken
in my request I no longer get 'Cannot parse AuthSub token' error message but
I still get
Error #2032: Stream Error. URL: http://gdata.youtube.com/action/GetUploadToken
<errors>
<error>
<domain>yt:authentication</domain>
<code>Unknown</code>
</error>
</errors>
Stumped. Would really appreciate any feedback as I'm not even certain now where my error(s) exist!
ok working but not really sure how:)
Am using these 2 headers in my POST request to
'http://gdata.youtube.com/action/GetUploadToken'
"Authorization", "GoogleLogin auth="+authToken
"X-GData-Key", "key=" + devKey
And also needed to associate my youtube user developer credentials with a channel
https://groups.google.com/forum/#!msg/youtube-api-gdata/76x8vaADJWM/36O05FD7mC0J
A packet sniffer or at least adding support to read the XMl error responses is essential!
I resolved this problem by providing the correct developer key
In grails acegi plugin, you can specify the authenticationFailureUrl property in SecurityConfig.
Is there a way to get the url that caused the auth failure in the scope of the authenticationFailureUrl?
This is not as simple as just getting the request or looking on the params. If there is an auth failure, you get redirected to the authenticationFailureUrl, so the url on the request at that point is the authenticationFailureUrl, not the url that caused the auth failure.
Im my case, I set authenticationFailureUrl to be a controller method -- looking at everything in the debugger no solution is obvious to me....
Thanx in advance.
The SavedRequest representing the original request is stored as a session attribute with name specified by the constant DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY (or AbstractProcessingFilter.SPRING_SECURITY_SAVED_REQUEST_KEY in pre-3.0 versions).
This may help for others working with Spring Security 3.0.0 . In SS 3.0.3
AbstractProcessingFilter is deprecated and there is no constant SPRING_SECURITY_SAVED_REQUEST_KEY in DefaultSavedRequest. So you can get this by:
SavedRequest savedRequest = (SavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST);
Reference :
Spring Security: How to get the initial target url