I'm using IdentityServer 4 - Device Flow as my authentication mechanism.
All the authentication is working fine.
I'm now trying to "Register" the device on the identity server Activation controller where you can add a name for the device.
Does anyone know how to Retrieve/Decrypt DeviceCode from DeviceCodes Table?
I would like to use this ID with a SignalR system at a later time.
I ended up creating a custom IDeviceFlowCodeService and implementing it that way.
Related
I created a new ASP.NET MVC WebApplication in Visual Studio 2015 with the options to use School or Work Accounts to authenticate against an AzureAD. This worked fine.
Then I converted the Project to an App for Office Project as an Excel Task-Pane Add-In.
Then when I start the Application it starts an Excel Spreadsheet with a taskpane showing the request to login with Microsoft. When selecting an account or choosing to log-in with another account I get redirected to login.mocrosoft.com in a new Browser but receive the following error:
IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce
is null. A nonce cannot be validated. If you don't need to check the
nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.
The URL shown in the new browser is "https://localhost:44300/" since I am debugging locally I take it.
Is this an issue because the authentication originates from the Task-Pane? Is the Task-Pane the same as an iFrame? If so it could be a similar issue as the following problem: OpenIDConnect Azure Website hosted in an iFrame within Dynamics CRM Online
Can I simply set the RequiredNonce to false? If so how?
Please help me to create an App for Office with Authentication against an AzureAD / Office365Domain? The AzureAD I am authenticating against is my private Free MSDN Subscription currently, wanting to use the company's Office365 AzureAD in future.
I am using Office2016, VS2015, Microsoft.Office.js Version 1.1.0.9.
First, it is feasible to do what you are looking for, have a look on my add-in: Keluro Mail Team. Keep on working, you'll manage to make things work^^.
Step1
First, start with the most simple scenario: your auth process should work in a standard window we sill see the sandboxed iFrame later. Check your OAUTH flow when browsing your 'app directly', i.e. test your authentication as a plain regular web app which is served in your case at https://localhost:44300/". To avoid javascript errors remove all Office.js related stuffs and the Office.Initialize function.
From the error message dealing with Nonce, I bet you are implementing a code authorization flow. This should be more or less something that looks like this sample. In this code authorization flow, the token and the REST requests are made by your server using an authorization token. Meanwhile authentication between your server and your web app is made with a plain old asp.NET cookie (in the sample above at least). This scenario is OK for our purpose, I use it too. To complete this step, try to request some basic stuff that is not related with Office.js but only with the Office 365 REST api. In one word forget that your developing and Office add-in, image you are developing an Office 365 web app.
Step2
Now that you completed Step1 you can go for step 2: make things work in a sandboxed iFrame within Office. Have a look at this blog post from Richard DiZerega. This is the most reasonable approach to handle OAUTH flow in a sandboxed environment. If you are using the sample mentioned in Step 1 above, the authentication between your server and your app is made using an asp.NET cookie. Following, Richard's guideline you could keep it in a server-side cookie dictionary after the popup OAUTH flow is completed and then set it in a request from the original iFrame. To recognize that the two windows correspond to the same user you can generate (cryptographically secure!) an id that you can pass in the two requests (parameters are encrypted in https). Ok that is complicated but it works. The SignalR technique Richard talks about is a plus for user experience but is not mandatory, that could be a Step3.
I solved my issue by adding https://login.microsoftonline.com and https://login.live.com to the App Domains in the App Manifest. I dont understand the technology, so I cannot comment on why this works, but the solution works for me.
We have an ASP.Net MVC 5 application which is authenticating against an Azure AD.
We want to get the objectidentifier from the ClaimsPrincipal when the user browses to a controller action and so we use the following code:
var objectIdentifier = Guid.Parse(new ClaimsPrincipal(identity)
.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")
.Value);
This works absolutely as expected in IE 11 - identity has 9 claims on it, including the objectidentifier.
When we run exactly the same code but log in using Chrome, the identity only has 7 claims on it and it does not include objectidentifier.
Any idea why this is happening?
Sorry to answer my own question, but it turns out the the two browsers we logging in using 2 different user identities, one of which was a user in the AAD and the other was a LiveId added to the AAD. The latter has fewer properties associated with it, including no objectidentifier.
I'm attempting to integrate Gigya's social login into an iOS application. Within a ViewController, I'm triggering the showLoginUI method on the GSAPI class. This appears to work fine and invokes the web view containing links to each of the social providers. The problem that I'm facing is clicking on any of the providers, the delegate method gsLoginUIDidFail is returning the responseText
{"errorCode":400011,"errorMessage":"Invalid redirect_uri"}
I've been following the guide found at http://developers.gigya.com/035_Mobile_SDKs/010_iPhone
Initially, I thought that perhaps this was a problem with the gigya test providers, but adding a real provider app to the gigya configuration didn't resolve the problem.
The gigya api internally references a gsapi://login_result/ and wondered if perhaps this is the issue as I can't seem to work out where that protocol is being defined.
Also, running the test application linked in the guide encounters the same issue.
Hoping someone has encountered this problem themselves and knows what trick i'm missing to get things working?
Ok, so it turns out if you have already been using the API and have an API key, it's super easy to miss the step within "Gigya Setup - Obtain Your Gigya API Key" which requires you to tick a Enable Mobile or Desktop Client Applications API Access checkbox.
Ensuring this is set resolves the issue.
My goal is to build a standalone RESTful Rails 3 service that communicates with a Rails 3 web application via ActiveResource JSON and an iPhone application via iOS 5 native JSON. I have each running so that a single table of data is being exposed in the service app and that can be called and rendered via both a Rails app and the iPhone app.
My question is around authentication and something that can be reusable for both the web application and the iPhone app or in the future an Android app.
From the research I have done on this site, it seems HTTP Basic would work for both, however I would be unable to properly logout a user on the web side like sessions or cookies could and I have the browser login form to deal with. If I use sessions, how would that translate to setting up authentication on the iOS side of things?
This project is a code learning exercise, so I am hoping for implementation or architectural guidance rather than simply implementing Devise or Authlogic, etc.
It sounds like you're conflating at least two problems.
The first issue is authentication: you need to determine if the user is who they say they are. For authentication, you can do basic auth. You could also use client certs, though that's probably not what you're looking for.
The second thing is session management: First, you can do basic auth on each page request and store the session state in the database, but you're right about not being able to log the user out, as the browser will cache the credentials.
You may want to consider a login page that requires basic auth and shoots back a cookie to do session management. All other pages don't require basic auth, but give a 401 unauthorized if the cookie isn're present. Or you could redirect. The iOS client code will have to know to call the login page first to get the cookie and then use it after that. Logging out is deleting the cookie.. hrmm, but the browser will still cache the basic auth credentials.
I'm thinking the only way you're going to get what you want is to have a form-based auth for your web users (to allow them to log out and log in as someone else), and a basic-auth based system for iOS users. As a result of both authentication mechanisms, return a cookie that has to be used for all other pages.
I'm looking for a solution similar to the iPhone Facebook Connect (https://github.com/facebook/facebook-ios-sdk) for the BlackBerry platform. Basically, I need my users to authenticate against Facebook from within a native BlackBerry application (so, not a Web based mobile application). Is there a library I could use, and if not, what will be the correct approach to achieve this?
Thanks in advance!
Options for BlackBerry are:
Use Facebook Platform for Mobile
Use REST API approach provided by Eki Y. Baskoro
Try to port JavaFB from J2SE to J2ME
I managed to go through Facebook Connect authentication within my BB app. After cracking my head for three days I realised that it is the URL that is the culprit!
Basically these are what you need (assuming you are developing for 4.5 platform):
Using Browser Field, do a POST to http://m.facebook.com/login.php (the mobile version of Facebook) passing all the necessary arguments as per the Desktop application counterparts (one challenge is to get the signature generation correct).
Once the User successfully grants access, capture the URL of the success screen. You will obtain your auth_token.
Do a POST to the REST server to obtain the session key and secret given the auth_token you obtain.
Save the returned session key and secret, persist it, and wholla! your app is up and running.
I am developing a custom LoginScreen and FacebookFacade object to incorporate the first three steps above, if anyone is ever interested to reuse my code. It'll be GPLed, I suppose ;)
Afzal, I had a similar problem and I've found out that I actually had a problem with my connection string. You can look at the following link there is some explanation and code for creating the correct connection string
http://www.localytics.com/blog/post/how-to-reliably-establish-a-network-connection-on-any-blackberry-device/
and just add the connection string to the FetchThread where it opens the connection:
connection = (HttpConnection)Connector.open(absoluteUrl+getConnectionString());