//I known that there are some topics about that but non that i found use blazor. - i didnt found any helping mi out one.
Im using oauth in my blazor app
I created login component as in
https://learn.microsoft.com/pl-pl/aspnet/core/blazor/security/webassembly/standalone-with-authentication-library?view=aspnetcore-6.0&tabs=visual-studio
and configured it
and it works fine. redirrect to login page, then i can login , then redirrect me to my app again
using RedirectToLoginComponent as in MS help website
and then after login - login component is stuck at
Authentication
Completing login...
and in console i see
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://xx.corpnet.pl') does not match the recipient window's origin ('https://xx.localhost').
how to configure it ? i tried in <meta> tak but frame ancestors are not allowed
i tryed also in server project
app.Use(async (context, next) =>
{
context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors, 'self' https://xx.corpnet.pl " );
await next();
});
what am i missing here? how to configure that for blazor wasm ?
regards
for blazur client to add this we have to do this this way:
var staticFileOptions = new StaticFileOptions
{
OnPrepareResponse = context =>
{
context.Context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'self' https://xx.corpnet.pl;frame-src 'self' https://yy.corpnet.pl;");
}
};
app.MapFallbackToFile("index.html",staticFileOptions);
Related
I am trying to implement Microsoft SSO authentication in ionic 5.
Undefine occurs in the console when the code below is executed. Which part is the problem?
login(){
let authContext: AuthenticationContext = this.msAdal.createAuthenticationContext('https://login.windows.net/common');
authContext.acquireTokenAsync('https://graph.windows.net', 'clientID', 'http://localhost:8200')
.then((authResponse: AuthenticationResult) => {
console.log('Token is' , authResponse.accessToken);
console.log('Token will expire on', authResponse.expiresOn);
})
.catch((e: any) => console.log('Authentication failed', e));
}
error =>
https://ionicframework.com/docs/v3/native/ms-adal/
const browser = this_.iab.create("https://login.microsoftonline.com/" + tenant_id +
"/oauth2/authorize?response_type=id_token&client_id=" + client_id
+"&state=SomeState&nonce=SomeNonce"
, '_blank', 'clearsessioncache=yes,clearcache=yes,toolbar=no,location=no,toolbarposition=top,hidenavigationbuttons=yes,toolbarcolor=#0072bb')
browser.on("loadstart").subscribe(event => {
IAB is inappbrowser. Msal we had also tried to use when we needed this type of authentication for azure AD b2c. Similarly you have to do for your case.
There is enterprise level plugin available which cost around 8 lakhs INR.
So this is the work around. Tenant id and client id you will get when you register your app under applications in azure account.
So once the login is successful that load listener will listen to pages which IAB is visiting. And if found occurrence of #token_id(after sucesfull login).
Automatically the iab will close and ionic app page will resume or you can put some new route entry in that event listener.
May be for your case the base url might change. So try first visiting chrome with the url which opens your case login. And accordingly change.
MAKE IT WORK USING IAB AND NOT MSAL
I'm integrating Azure AD and MS-Identity on a web app with Angular.
It works on my machine, but when I deploy it, I get an issue with the callback URL.
First, to make sure the callback URL is ok, I extract it from the microsoft login popup window's URL:
Then, I url decode the content. The URL seems fine and it is available in my Azure app's redirect URL.
Then I login to Microsoft normally and I get this error (AADSTS50011):
Then I inspect the URL again (inside the query string from the urldecoded popup window's URL) and now the URL seems to have been "tampered with".
It's now something like this:
http://somedomain:80/some_page/somequerystring
instead of
https://somedomain/some_page/somequerystring
so I wonder if it's part of the problem or if it's normal behavior.
It is also mentionned "If you contact your administrator, send this info to them." I suppose I'm the "administrator" so what can I do with that "Copy info to clipboard" info to investigate the problem?
Is your application hosting on http (80) or https (443)? If your app service is terminating your TLS connection and handling that for you instead of your app, your sign-on will construct the redirect using the http request scheme. I hooked into the OnRedirectToIdentityProvider event to correct the scheme.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(options =>
{
Configuration.Bind("AzureAd", options);
options.Events ??= new OpenIdConnectEvents();
options.Events.OnRedirectToIdentityProvider += _fixRedirect;
});
...
private async Task _fixRedirect(RedirectContext context)
{
context.Request.Scheme = "https";
if(!context.ProtocolMessage.RedirectUri.StartsWith("https"))
context.ProtocolMessage.RedirectUri =
context.ProtocolMessage.RedirectUri.Replace("http", "https");
await Task.CompletedTask;
}
I'm trying to implement Google OAuth 2 signin using FormidableLab's react-native-app-auth library in my react native android application as shown below:
googleLoginPressed = async () => {
const config = {
serviceConfiguration: {
authorizationEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth', tokenEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
},
clientId: app_params.GOOGLE_CLIENT_ID, redirectUrl: 'https://<my_domain>/oauth/google',
scopes: ['openid', 'profile', 'email'], additionalParameters: { 'response-type': 'code' },
};
try {
const result = await authorize(config);
} catch (error) {
console.log(error);
}
}
This invokes a web view with Google's signin page and I could successfully authenticate myself. Google then correctly redirects to my oauth callback endpoint and populates the oauth code in the redirect url like it should. At this point, I expect react-native-app-auth to get the control back from the webview to application. Instead, the web view stays open at the redirect url page.
I have added necessary website association configuration under AndroidManifest.xml and the following code under MainActivity.java to check for getting the control back to application from the redirect url:
#Override
public void onNewIntent(Intent intent) { // this is not getting hit
super.onNewIntent(intent);
Uri appLinkData = intent.getData();
if (appLinkData != null) {
bar = appLinkData.getPath();
}
}
What I tried so far
I ensured my app can open Universal links. So website association must be working fine.
Also tried replicating the entire setup on iOS. Same result. The webview shows Google correctly redirecting to oauth endpoint but app fails to get control back.
How do I get control back from oauth web view to my react-native code?
If you are using Claimed HTTPS Schemes, which is the most recommended security option for mobile apps, you are likely to also need an interstitial page after login, that triggers the Universal Link.
My blog post has further info and a code sample you can run, though it uses plain Kotlin rather than React Native.
I need to call Graph API from spfx webpart.
Previously we used the following method:
import { MSGraphClient } from '#microsoft/sp-client-preview';
But later we got to know that MSGraphClient is depreciated now in sp-client-preview.
I checked the following method which is mentioned in Microsoft docs also.
import { MSGraphClient } from '#microsoft/sp-http';
But it is giving an error as following:
Module '"d:/O365/upload-onedrive/node_modules/#microsoft/sp-http/dist/index-internal"' has no exported member 'MSGraphClient'
SPFx version we are using now is 1.6
Is there any way call Graph API from spfx now?
Of course we can use Graph in SPFx.
Graph+adal+SPFx steps:
Create an application in Azure portal. Click the manifest, then change "oauth2AllowImplicitFlow" value to true
Go to Settings->Required Permissions->ADD->Select an API->Microsoft Graph, select the permission and then Grant Permissions.
Build HelloWorld SPFx project : https://learn.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/get-started/build-a-hello-world-web-part
Add and IAdalConfig.ts and WebPartAuthenticationContext.js patch files
Tips: If you have no adal module in node_modules/#types folder, you'd better manually install the module using the command : npm install #types/adal#1.0.29
Add the following code to render()
// Make an AJAX request to the Graph API and print the response as JSON.
var getToken;
var getCurrentUser = function (access_token) {
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://graph.microsoft.com/v1.0/me', true);
xhr.setRequestHeader('Authorization', 'Bearer ' + access_token);
xhr.onreadystatechange = function () {
if (xhr.readyState === 4 && xhr.status === 200) {
// Do something with the response
getToken=JSON.stringify(JSON.parse(xhr.responseText), null, ' ');
console.log('get Graph APi information=='+getToken);
} else {
// TODO: Do something with the error (or non-200 responses)
// console.log(' error');
}
};
xhr.send();
There is actually no reason to create any applications in the Azure side, it's all automatic and taken care of by SharePoint. See following documentation for details. We did change the API structure slightly between preview and GA, but the basics have remained the same with MSGraphClient usage and no reason for any manual access token handling.
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-msgraph
I've deployed MVC 5 site to AppHarbor, got the https-only app working thanks to this gist linked by AppHarbor support.
When I connected to Google OAuth 2 provider locally, everything worked fine - I can log in without problems, but when I try it on AppHarbor, I get error on login "redirect_uri_mismatch". I've got proper key and secret set for web app, the problem is with path, for some reason my page responds with redirect_uri starting with "http://..." instead of "https://..." which I've set in the google project console - (other than that it's the same uri).
I've tried this workaround for URL-based problems, but it doesn't seem to change anything.
As I don't think switching to http for /signin-google would be a good idea - how to fix it?
It's a few months later but I hope this will help someone. I had exactly the same problem with AppHarbor load balancers and loosing the "https" in the redirect_uri string. The simplest solution that I found is to register a few lines of code like a middleware in Startup.Auth.cs before any registration of external login providers:
app.Use(async (context, next) =>
{
if (string.Equals(context.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.InvariantCultureIgnoreCase))
{
context.Request.Scheme = "https";
}
await next.Invoke();
});
This simple middleware checks for AppHarbor header "X-Forwarded-Proto" and if exist just add a correct Scheme property. If you look at the Katana's code correct Scheme property solve the problem:
...
string requestPrefix = Request.Scheme + "://" + Request.Host;
string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
...