I'm integrating Azure AD and MS-Identity on a web app with Angular.
It works on my machine, but when I deploy it, I get an issue with the callback URL.
First, to make sure the callback URL is ok, I extract it from the microsoft login popup window's URL:
Then, I url decode the content. The URL seems fine and it is available in my Azure app's redirect URL.
Then I login to Microsoft normally and I get this error (AADSTS50011):
Then I inspect the URL again (inside the query string from the urldecoded popup window's URL) and now the URL seems to have been "tampered with".
It's now something like this:
http://somedomain:80/some_page/somequerystring
instead of
https://somedomain/some_page/somequerystring
so I wonder if it's part of the problem or if it's normal behavior.
It is also mentionned "If you contact your administrator, send this info to them." I suppose I'm the "administrator" so what can I do with that "Copy info to clipboard" info to investigate the problem?
Is your application hosting on http (80) or https (443)? If your app service is terminating your TLS connection and handling that for you instead of your app, your sign-on will construct the redirect using the http request scheme. I hooked into the OnRedirectToIdentityProvider event to correct the scheme.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(options =>
{
Configuration.Bind("AzureAd", options);
options.Events ??= new OpenIdConnectEvents();
options.Events.OnRedirectToIdentityProvider += _fixRedirect;
});
...
private async Task _fixRedirect(RedirectContext context)
{
context.Request.Scheme = "https";
if(!context.ProtocolMessage.RedirectUri.StartsWith("https"))
context.ProtocolMessage.RedirectUri =
context.ProtocolMessage.RedirectUri.Replace("http", "https");
await Task.CompletedTask;
}
Related
I am developing an SPA with Laravel 9, Vuejs 3 and Sanctum. I am newbie to vue and to Sanctum and I use the sanctum API authentication instead of the token authentication.
At this stage I am in dev and run the embedded laravel server for laravel app and vite server for SPA.
Everything is going smoothly when I sign in and out using the Firefox browser. But when I use Google Chrome or other browser based upon chrome (Brave, Vivaldi, chromium) I cannot sign in nor register. I get a CSRF token mismatch response.
Here are my login an register methods from vuex 's store
actions: {
async register({ commit }, form) {
console.log("in register of index");
await axiosClient.get("/sanctum/csrf-cookie");
return axiosClient.post("/api/register", form).then(({ data }) => {
console.log("data dans index");
console.log(data);
return data;
});
},
async login({ commit }, user) {
await axiosClient.get("/sanctum/csrf-cookie");
return axiosClient
.post("/api/login", user)
.then(({ data }) => {
commit("SET_USER", data);
commit("SET_AUTHENTICATED", true);
//commit("setAuth", true);
return data;
})
.catch(({ response: { data } }) => {
commit("SET_USER", {});
commit("SET_AUTHENTICATED", false);
});
},
Could somebody help me making out what is wrong or missing?
Edited after Suben's response
I read from somebody that the trouble in Chrome could come from the domain being localhost instead of http://localhost in sanctum config.
Thus I did that and could manage to login with both browser. The trouble is that even with a satisfactory answer to login and the reception of the csrf-token now in both browser the store state is not set despite the answer in the .then function being a valid user object.
Moreover, doing 3 similar requests after that strange situation, the 3 of them being under the auth:sanctum middleware, the first failed with csrf-token mismatch, the second succeeded and the third failed also with csrf-token mismatch. Looking at the requests, they have exactly the same 3 cookies including one with the csrf-token.
My guess is, that RESTful APIs are stateless. That means, they do not worry about sessions. https://restfulapi.net/statelessness/
As per the REST (REpresentational “State” Transfer) architecture, the server does not store any state about the client session on the server-side. This restriction is called Statelessness.
When you login a user with Laravel's SPA authentication, then you ARE storing client session data on the server-side.
So you have two options:
You are moving the endpoint /api/login to web.php (logout too!) OR...
You are using the API token based login.
EDIT:
I had my problems at first too with Laravel Sanctums SPA authentication and Vue. There is a video, which goes through a lot of cases, that might help you aswell for the future (Configuration of cors.php and more): https://www.youtube.com/watch?v=It2by1dL50I
I'm trying to implement Google OAuth 2 signin using FormidableLab's react-native-app-auth library in my react native android application as shown below:
googleLoginPressed = async () => {
const config = {
serviceConfiguration: {
authorizationEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth', tokenEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
},
clientId: app_params.GOOGLE_CLIENT_ID, redirectUrl: 'https://<my_domain>/oauth/google',
scopes: ['openid', 'profile', 'email'], additionalParameters: { 'response-type': 'code' },
};
try {
const result = await authorize(config);
} catch (error) {
console.log(error);
}
}
This invokes a web view with Google's signin page and I could successfully authenticate myself. Google then correctly redirects to my oauth callback endpoint and populates the oauth code in the redirect url like it should. At this point, I expect react-native-app-auth to get the control back from the webview to application. Instead, the web view stays open at the redirect url page.
I have added necessary website association configuration under AndroidManifest.xml and the following code under MainActivity.java to check for getting the control back to application from the redirect url:
#Override
public void onNewIntent(Intent intent) { // this is not getting hit
super.onNewIntent(intent);
Uri appLinkData = intent.getData();
if (appLinkData != null) {
bar = appLinkData.getPath();
}
}
What I tried so far
I ensured my app can open Universal links. So website association must be working fine.
Also tried replicating the entire setup on iOS. Same result. The webview shows Google correctly redirecting to oauth endpoint but app fails to get control back.
How do I get control back from oauth web view to my react-native code?
If you are using Claimed HTTPS Schemes, which is the most recommended security option for mobile apps, you are likely to also need an interstitial page after login, that triggers the Universal Link.
My blog post has further info and a code sample you can run, though it uses plain Kotlin rather than React Native.
I own a domain in a hosting provider (just the domain). This domain is pointing to another web address:
domain.com-->anotherdomain.dom/path
In another side, I have added my domain to my Cloudflare account, like this:
domain.com-->Cloudflare-->anotherdomain.dom/path
The issue is that after typing domain.dom, the URL text in the browser URL bar is anotherdomain.dom/path, and I need it to be domain.com.
Is it possible to have domain.com in the broswer URL bar? Do I have to write some code inside my .htaccess file or something inside anotherdomain.com? Do I have to do something inside Cloudflare (maybe with "workers")?
It sounds like currently, your domain domain.com is set up as a redirect. When a user visits domain.com in their browser, the server (Cloudflare) responds with a message saying: "Please go to anotherdomain.com/path instead." The browser then acts like the user actually typed anotherdomain.com/path in the address bar.
It sounds like what you want instead is for domain.com to be a proxy. When a request comes in for domain.com, you want Cloudflare to fetch the content from anotherdomain.com/path and then return that content in response to the original request.
In order to do this, you will need to use Workers. Cloudflare Workers allows you to write arbitrary JavaScript code to tell Cloudflare how to handle HTTP requests for your domain.
Here's a Worker script that implements the proxy behavior that you want:
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
// Parse the original request URL.
let url = new URL(request.url);
// Change domain name.
url.host = "anotherdomain.org";
// Add path prefix.
url.pathname = "/path" + url.pathname;
// Create a new request with the new URL, but
// copying all other properties from the
// original request.
request = new Request(url, request);
// Send the new request.
let response = await fetch(request);
// Use the response to fulfill the original
// request.
return response;
}
My windows service is collect instagram datas from instagram api. I was using client_id but this uses format is removed.
Instagram api is want to access_token but Oauth 2.0 is web-based. or not?
I using .NET and my application type is windows service and web request don't work because this call url: "https://www.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code" is have one more contain redirect. so web response haven't contain my web application link also auto redirect is open..
what should I do?
Thanks..
Steps to get instagram access token
register ur application in instagram account.
get a client id and client secret.
Step 1: HIT the below url.
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
step 2: after hitting above url you will be taken to login page. enter the login credentials and take the code from address bar.
it will be live for only 20 seconds i guess.
step 3: The code which you got put it in CODE parameter in the below source code, then run the below code in console application n hit breakpoint at response. you will get access token and userid.
public void GetDataInstagramToken()
{
try
{
NameValueCollection parameters = new NameValueCollection();
parameters.Add("client_id", "CLIENT-ID");
parameters.Add("client_secret", "CLIENT-Secret");
parameters.Add("grant_type", "authorization_code");
parameters.Add("redirect_uri", "REDIRECT-URI");
parameters.Add("code", "CODE");
WebClient client = new WebClient();
var result = client.UploadValues("https://api.instagram.com/oauth/access_token", "POST", parameters);
var response = System.Text.Encoding.Default.GetString(result);
// deserializing nested JSON string to object
var jsResult = (JObject)JsonConvert.DeserializeObject(response);
string accessToken = (string)jsResult["access_token"];
}
catch (Exception)
{
//exception catch
}
}
I've deployed MVC 5 site to AppHarbor, got the https-only app working thanks to this gist linked by AppHarbor support.
When I connected to Google OAuth 2 provider locally, everything worked fine - I can log in without problems, but when I try it on AppHarbor, I get error on login "redirect_uri_mismatch". I've got proper key and secret set for web app, the problem is with path, for some reason my page responds with redirect_uri starting with "http://..." instead of "https://..." which I've set in the google project console - (other than that it's the same uri).
I've tried this workaround for URL-based problems, but it doesn't seem to change anything.
As I don't think switching to http for /signin-google would be a good idea - how to fix it?
It's a few months later but I hope this will help someone. I had exactly the same problem with AppHarbor load balancers and loosing the "https" in the redirect_uri string. The simplest solution that I found is to register a few lines of code like a middleware in Startup.Auth.cs before any registration of external login providers:
app.Use(async (context, next) =>
{
if (string.Equals(context.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.InvariantCultureIgnoreCase))
{
context.Request.Scheme = "https";
}
await next.Invoke();
});
This simple middleware checks for AppHarbor header "X-Forwarded-Proto" and if exist just add a correct Scheme property. If you look at the Katana's code correct Scheme property solve the problem:
...
string requestPrefix = Request.Scheme + "://" + Request.Host;
string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
...