How do I test the Google OAuth 2.0 on my app with localhost, since Google requires a top private domain as the authorized domain?
I tried to look up solutions, but all the solutions given have been a while ago, and I think Google has changed their service since then.
localhost is not a valid top-level domain, and it won't let you generate credentials without setting up a consent screen. You can add more than one authorized domain if you'd like, but you can't leave it empty. But you CAN delete the field if you have no domains / would not like to add domains for now. you just can't LEAVE it empty.
Notice the description -- "When a domain is used". so it's not an obligation to add authorized domain for consent screen. Moreover, the authorized domain here is only related with consent screen. Authorized origins and Authorized redirect URLs needs to be specified in the credentials part, which is all that matters; specifying the origin from which requests will be accepted and where it will be redirected. So just omit the authorized domain in the consent screen.
So how to delete it? Just in case if you haven't noticed, just hover over the field and this little man will pop up. delete it. that's all. Now you should be able to save and continue, where it might ask you to setup scopes.
I know it's really late, hoping it might help others..
After about an hour banging my head against the wall I found this article that has a step by step solution that works (as of July 2020).
Basically you need to create a service account, share the sheet with that account, and then it should work.
All of the other auth methods I tried either raised nonsense errors, or simply silently didn't work.
The list of authorized domains is required before you submit a request for app verification. If you want to configure a localhost redirect URI, that is configurable in your web OAuth client ID configuration.
In case anyone has struck out on the suggestions above, this answer did the trick for me. Set my authorized JavaScript origins URI to http://localhost:8080 in the google API console then emptied my Chrome cache.
Just add an OAuth-consent-screen from here without a domain or valid domain that's up to you, after that create Credentials from here, then select OAuth client ID and enter your from here you can add javascript origin url and there you go you've done.
You add your final domain for when you are ready to become verified. Until then you will generate an OAuth client ID and enable https://localhost:3000 in "Authorized JavaScript origins"
Simple screenshot of the field you can enter localhost
Not beautiful, but works!
I've made local website(domain) on Xampp like test1.com, added that domain in Authorized domains and started Chrome from separate shortcut with parameter --ignore-certificate-errors
Note, that when you start with this flag, Chrome must not be running!
It cause Chrome to open web site in the xampp\htdocs folder and I was forced to go to folder test1.git and then to public folder, where finally site opened and the url was: https://test1.com/test1.git/public
ps. Use port 80 in httpd-vhosts.conf and not 443!
Related
I am trying build up a Staging Environment for an ASP.NET MVC Web App, but am stumbling from problem to problem, the last one having been this one: HTTP 500.79 Error / System.UriFormatException when deploying ASP.NET App to Azure Web App
Currently I am getting a HTTP 403 - Forbidden, "You do not have permission to view this directory or page." error when trying to access the page.
Authentication-wise the App uses Azure Active Directory as Authentication Provider, which is working fine in local testing (using a Test-AAD) and in production. The local and productive apps are not using Azure Web Apps. I noticed on the Azure App Service page that there is a possibility to specify authentication right within Azure, but I don't really want / need to use that, as everything is specified within the app resp. configured in the web.config (ClientID, ClientSecret and Tenant). Anyway, when I tried filling in the Authentication on Azure directly it did not work either, so I removed it again.
What happens now is that the redirect to the Login page on login.microsoftonline.com works, and according to the AAD Admin the login attempt is being successful, or at least shows no pecularities. However, when being redirected back to my page, I get a generic 403, without any additional information that could help pin the problem down.
I did check all sorts of logs for further details, and the only pecularity I found is that for some very odd reason, all requests are made to a completely gibberish URL:
Requested URL / specified Reply URL: https:\\skillmanagementtest.azurewebsites.net
Actually requested URL according to logs: https:\\Skillmanagementtest:80
I have absolutely no clue where this URL originates from, however, "Skillmanagementtest" with that capitalization seems to be the name I specified for the Azure Web App:
Screenshot resource group items
The web.config is being transformed properly during the CI/CD pipeline and I double-checked the auth settings there (tenant, clientID, clientSecret), and I am really out of ideas what may be causing this problem.
One hint I found on other problems was to check the IIS logs, but when I attempted accessing the directory these logs were said to be placed in I was rejected access, even though I have owner permissions on the App Service...
UPDATE
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
Check to ensure that what you have in your web.config and app settings matches what you have in the reply URLs for your app registration in the portal. There may be some reference somewhere where the reply URL does not match.
Are you using the openid sample? https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Also ensure that you are logging in with a user who has the right permissions under the tenant and to the app itself. My colleague and I made a short video that includes the right configurations that may be helpful for this use case. https://www.youtube.com/watch?v=MohaxN6fsDs
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
I have "unverified app screen" when I request access to Google accounts.
To get rid of it I want to fill out OAuth Developer Verification Form. But, I got some problems with that due to some restrictions on my environment.
There is a field:
Homepage URL for your app *
The problem is that in my application my home page is not accessible publicly. Usually, it can only be accessed using VPN connection.
For push notifications, I use different URL that only handles them, but for the UI there is no access from the world without VPN. I was thinking of overcoming the issue and have a few ideas, but I'm not sure whether they will work.
Inform Google of restricted access to the home page via this field:
Is there any other information you can provide that will be useful?
However, this approach might not work due to the fact that it's not said that I can omit to specify the home page.
Find out what addresses google requests homepage from and to allow access to it from those addresses. But, firstly it's insecure and secondly, it's still a question how to get these addresses.
Make some static resource stub page and place it somewhere where I can provide access. For instance, I can put it near privacy policy file that is publicly accessible.
Is there a more suitable way of addressing this issue or some of these options might still work?
I've got a website that requires a login, this website shows a "portal" which makes it possible to go to deluge/plex/sonarr (webapps). these apps are connected to ports. so example.com:83031 = plex and example.com:83032 is sonarr (as an example).
Now if I go to example.com it prompts me a login and I if I then click on "plex", the portal goes to example.com:83031. this is correct. however, is there a way to disable a direct link to example.com:83031 (so is there a way to ONLY make it able to enter that site through portal?)
Long story short: I want example.com:83031 to ONLY be available through the portal, not if you enter it directly into the browser. is this possible?
[Editted the domains, got the point!]
In theory, a browser should send a "redirect" indicating from where you came. Hence, example.com:83031 could check if you came from example.com:80. This is however not reliable.
However, if you redirect to example.com:83031/loginOK?<GUID> then you have explicitly encoded the redirection information, in a way that no browser can strip.
BTW, don't invent non-existent domains. example.com exists for a reason.
Using reverse-proxy on Apache has fixed this issue.
Picture describing the outcome
We integrated our application with LinkedIn for sign on over 6 months ago and it's been working fine. Today, we went to developer.linkedin.com for our application to update the "OAuth 2.0 Redirect URLs" to add an additional URL. We previously had the production domain, test domains, and localhost entered. Now, when we save, we receive the "One or more urls are not allowed." error message. Through process of elimination, it appears to not approve our test domain "relode-dev.azurewebsites.net".
I've checked with SURBL and none of the domains we're entering are blacklisted.
Can someone explain why "relode-dev.azurewebsites.net" is no longer valid when it was for 6 months?
After experimenting some more, it looks like LinkedIn doesn't allow any *.azurewebsites.net domains any more. I'm not sure why they created this policy. For now, the workaround seems to be adding your own custom domain to your Azure website and using it in the LinkedIn OAuth 2.0a Redirect URL. You can follow the article at http://azure.microsoft.com/en-us/documentation/articles/web-sites-custom-domain-name/ to set up your custom domain.
If LinkedIn reads this, it would be nice if you notified third-party developers when you make policy changes like this. We've had to scramble for the past few days to workaround this change.
edit: fixed the url to the azure help page (it had an extra word on the end causing it to 404).
I'm trying to write a web application that would use Twitter via OAuth.
I run my local server as 'localhost', so I need the callback URL to be something like http://localhost/something/twitter.do but Twitter doesn't like that: Not a valid URL format
I'm probably going to do a lot of tests, but once I've approved my app with my username, I can't test again can I? Am I supposed to create multiple twitter accounts? Or can you remove an app and do it again?
You can use 127.0.0.1 instead of localhost.
You can authorize your app as many times as you like from the same twitter account without the necessity to revoke it. However, the authenticate action will only prompt for Allow/Deny once and all subsequent authenticate requests will just pass through until you revoke the privilege.
Twitter's "rate limiting" for API GET calls is based on IP address of the caller. So, you can test your app from your server, using the same IP address, and get (once approved) 15,000 API calls per hour. That means you can pound on your app with many different usernames, as long as your approved IP address remains the same.
When you send the e-mail to Twitter to ask for an increase to your rate limit, you can also ask for the increase to apply to your Twitter username too.
I believe Twitter requires you - if you need to change your IP address, or change the username that is using the app - to send in another request asking for the rate limit increase for that new IP address or username. But, in my experience, Twitter has been pretty quick at turning around these requests (maybe less than 48 hours?).
use like this
for Website :http://127.0.0.1
and for callback URL: http://127.0.0.1/home
or any of your page address like http://127.0.0.1/index
Have you tried creating your own caching mechanism? You can take the result of an initial query, cache it on thread local, and given an expiration time, refresh from Twitter. This would allow you to test your app against Twitter data without incurring call penalties.
There is also another solution (a workaround, rather) which requires you to edit your hosts file.
Here is how you do it on a linux box:
Open your /etc/hosts file as root. To do this, you can open a terminal and type something like sudo vi /etc/hosts.
Pick a non-existent domain to use as your local address, and add it to your hosts file. For example, you will need to add something similar to the following at the end.
127.0.0.1 localhost.cep # this domain name was accepted.
So, that's pretty much it. Pointing your browser to localhost.cep will now take you to your local server. Hope that helped :)
In answer to (1), see this thread, in particular episod's replies: https://dev.twitter.com/discussions/5749
It doesn't matter what callback URL you put in your app's management page on dev.twitter.com (as long as you don't use localhost). You provide the 'real' callback URL as part of your request for an OAuth token.
1.) Don't use localhost. That's not helpful. Why not stand up another server instance or get a testing vm slice from slicehost?
2.) You probably want a bunch of different user accounts and a couple different OAuth key/secret credentials for testing.
You were on the right track though: DO test revoking the app's credentials via your twitter account's connections setting. That should happen gracefully. You might want to store a status value alongside the access token information, so you can mark tokens as revoked.