How do I insert headers in Internet Explorer? - developer-tools

How do I insert header names and values such as access tokens and their values in IE? Just like this one on the left with Edge. It has a storage tab and session tab on the left to which I could put the necessary headers to override the login and OTP. This is also available in Chrome.
It's just that I want to override our app's OTP function and login by inserting the values needed for it to skip the OTP and login. It just so happens that I need to test our app's compatibility with IE, but then I'm stuck on our very own login to which I could not do and bypass the security. Where do I find or insert the tokens needed to. TIA

Got help from a colleague.
Turns out, in the console, you should type
sessionStorage.setItem("accessToken","valueOfToken");
then press enter to insert the header.
After entering the value, when you type sessionStorage and press enter, you'd then finally be able to see the header that's going to be sent by IE. In my case it's the accessToken header and its value.


G1ANT Advanced lesson 4

I would like to share my experience while setting up the mail.imap command in G1ANT studio.
For everyone stuck at the invalid credentials error--
Open your Gmail account (the one you are using in your code)
Go to the settings tab to the top right corner and then click on See all Settings.
In the All settings option click on Forwarding and POP/IMAP
Enable IMAP
Now head over to your homepage and click on manage accounts tab for your email account.
In the manage account section click on Security
Scroll down and turn on access to LESS SECURE APPS
Let the site update and go back (Do not close the tab directly)
This procedure should fix the invalid credentials error. However, even after doing all this the LIST variable (where the email data is stored) has no value allocated in it.
If anyone can find a solution to this problem, your help would be hugely appreciated.
I think your messages are already seen, so you can unread them and then try again and also see that you have got some messages that are from the current day.
Thank You for your solution for Invalid Credentials.

The name of the IdentityProvider is "(null)" in iOS redirect dialog

I've created an app using React Native which is using an IdentityServer 4 server for authentication. I'm using react-native-app-auth to perform the authentication.
When I click login the app tries to open the Identity Server login page in Safari and iOS shows a standard dialog to say:
"myApp" Wants to Use "myIdServerUrl" to Sign In.
The problem is, where it should say myIdServerUrl, it actually says (null) as you can see in the screenshot.
Does anyone know why this might be? I'm not sure if it's something I've misconfigured on the app side or something I'm not sending back from IdentityServer that I should be. I would have thought it would have just shown the URL that I'm requesting but that's not the case as the login page opens correctly when I click continue, so I haven't provided a null URL or anything.
If anyone knows where iOS looks when populating this dialog that would be a great help.
Thanks a lot!
EDIT
After a bit more investigation I've found that a CONNECT request is made to the Identity Server before showing the dialog. This suggests to me that the data it's using is somewhere in the certificate as the CONNECT request is where an SSL connection is requested for HTTPS sites. I'm still not sure what field I'm missing though. I have the Subject Alternative Name populated so I'm not sure what else it could be looking for.
EDIT
It seems, if the URL has a recognizable top-level domain, the domain name (as defined here) will be reported by the dialog. For example, some.host.name.zw will be referred as name.zw and video.google.co.uk as google.co.uk.
Otherwise, ("null") is produced, as in case of some.host.name.local, etc.
It is still an empirical finding, I don't have any official reference to this, but one that is easy to test.

From an app, POST data to the default iOS browser

I have an iOS app, with a long list of items to be POSTed to a remote web server. The list can be long enough to exceed recommended lengths for a GET request. After the list is posted, the user can log into their account and manipulate the list.
Ideally, I'd like to POST the list to Safari (or another default browser) so that if the user already has logged in, they don't need to do so again and they have access to all the normal web browser functionality.
It seems to work with a UIWebView, but isn't the best interface.
This can be done on Android or the UIWebView using this: https://stackoverflow.com/a/9909613
Do it in two steps:
1) POST the data to the server "anonymously". The server would assign some kind of unique id, and store the received data somewhere (database, temp file...), associated with the ID. Send back the ID to the client.
   Alternatively, the ID might be provided by the client directly. For that, make sure it's some kind of UUID/GUID so you don't have conflicts.
2) Open a second URL (either in Safari or, probably better, in an SFSafariViewController) pointing to the login process along with the ID from step 1.
   The server can then use the ID to locate the data posted during the first step.
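
A sketch of the server side of these two steps, added here as an example and not code from the original answer. Until the user logs in, the ID is the only thing protecting the staged list, so it is generated by the server from a CSPRNG, expires, and can be claimed once. The class and function names, the `staged` query parameter, the limits and the example.test URL are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode

TTL_SECONDS = 600   # assumption: ten minutes to complete the login
MAX_ITEMS = 5000    # assumption: cap, since step 1 is unauthenticated


class StagingStore:
    """In-memory stand-in for the database or temp file from step 1."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._entries = {}
        self._ttl = ttl
        self._clock = clock

    def stage(self, items):
        """Step 1: accept the anonymous POST, return the ID for the client."""
        if len(items) > MAX_ITEMS:
            raise ValueError("list too long for an unauthenticated upload")
        handle = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._entries[handle] = (self._clock() + self._ttl, list(items))
        return handle

    def claim(self, handle, user_id):
        """Step 2, after login: attach the staged list to the signed-in user."""
        entry = self._entries.pop(handle, None)  # pop makes the ID single-use
        if entry is None:
            return None
        expires_at, items = entry
        if self._clock() > expires_at:
            return None  # stale upload: the app has to post the list again
        return {"owner": user_id, "items": items}


def login_url(base, handle):
    """URL the app opens in Safari or SFSafariViewController for step 2."""
    return base + "?" + urlencode({"staged": handle})


if __name__ == "__main__":
    store = StagingStore()
    staged_id = store.stage(["item-1", "item-2"])         # constructed sample
    print(login_url("https://example.test/login", staged_id))
    print(store.claim(staged_id, user_id="alice"))
    print(store.claim(staged_id, user_id="mallory"))      # None: already used
```

Because the ID travels in a URL it can end up in browser history and server logs, which is why the short lifetime and single-use claim matter here.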

Console application using the YouTube Data API

I'm about to build a console application that needs access to the authenticated YouTube Data API. Calling the APIs themselves is not a problem, I know quite well how to make and process HTTPS requests.
I've already gotten the API key and the Client ID. No problems there, either.
The problem is the authentication.
I've checked here: https://developers.google.com/youtube/v3/guides/authentication#installed-apps
On the "Installed applications" tab, in step two, it instructs on how to set up a url to call to do the authentication step. All good so far. But before programming anything, I thought I'd try and see what that url does in the browser.
Turns out it just displays a login prompt. Well how about that. That won't work in this kind of console application. The idea is, presumably, that the user is somehow shown this webpage and be instructed to login and allow access. Then, somehow, by some kind of magic perhaps, the access token is sent back to my console application.
Two things I'm not quite sure about:
1) How do I prompt for the username and/or password in the console app and send that to the authentication URL?
2) How would I get the access token back from it?
The biggest problem is that the API seems to require a browser... Which isn't there. My console application will (eventually) run unattended, so starting up a browser and displaying a webpage and doing nothing until it returns a code, is out of the question. I need to somehow supply the authentication page a username/password and get back the code right away.

"Remember this approval" when using dotNetOpenAuth and Google Apps doesn't work as expected

I'm using dotNetOpenAuth to provide SSO to my app via a user's Google Apps account. Besides just simple authentication I also ask Google to return the user's email, first name and last name. When a user first goes in they get redirected to the typical Google Accounts page telling them that the app is asking for this info and do they want to allow it. There is the checkbox there to Remember This Approval. The problem is, the approval isn't being remembered. It does remember them if they go back to the site without closing their browser. But if they close their browser and then open it later and go back in, they are again prompted to allow it.
If I look through my Google account page that shows me connected sites, apps, and services, I see my app listed multiple times. It's like it doesn't recognize that it's the same app and keeps adding it.
I know I must be missing something obvious, but I'm not sure what it is. Any ideas?
Thanks!
You can find my code here
I see several problems in your code. To first answer your direct question, the reason Google doesn't remember you on return visits is because you are passing a random GUID in as part of your Realm each time you log in. The symptom is actually much worse than you realize. It's not just that Google prompts the user on return visits, your site won't recognize the user at all on return visits because Google will give them a new claimed identifier on each visit.
The fix is that you should use the exact same Realm for every login request:
Realm realm = "http://www.yoursite.com/";
var req = openid.CreateRequest(discoveryUri, realm, URIbuilder.Uri);
Or my personal favorite:
var req = openid.CreateRequest(discoveryUri, Realm.AutoDetect, URIbuilder.Uri);
Realm.AutoDetect will work for you unless your site is available both via HTTP and HTTPS, in which case you need to lock it down to just one or the other of these so that Google recognizes your site as always the same.
You must also remember that the returnTo URL that you pass in as the 3rd parameter to CreateRequest must always be based on the realm. So if your realm is HTTPS, so must your returnTo parameter be.
I also want to call out that you seem to have some GUID code and complex URL manipulation around trying to ensure that every OpenID response you accept comes from a request you sent out. I'm not sure why you're trying to do this in the first place, although there certainly can be legitimate reasons. The way you did it is insecure and can be circumvented. I suggest you delete all this code, in favor of adding this to your web.config file:
<dotNetOpenAuth>
  <openid>
    <relyingParty>
      <security rejectUnsolicitedAssertions="true" />
    </relyingParty>
  </openid>
</dotNetOpenAuth>
The library has support for requiring all responses to come from your requests built in, and it does so securely so that the security exploit I alluded to earlier isn't possible.
But if you're only trying to apply this restriction so that you know it's coming from Google, may I recommend that instead of rejecting unsolicited assertions, you instead check the IAuthenticationResponse.Provider.Uri property when you receive responses and verify that it is coming from the Google OP Endpoint? Then, if Google ever supported sending unsolicited assertions it would work on your site, and ultimately your security gate is exactly where you intended it to be anyway.
