Can you force YouTube embed to use HTTP only (not HTTPS)? - youtube

Can you embed a YouTube video using HTTP - so that all resources requested use HTTP requests instead of HTTPS requests?
I tried modifying the URL of the embed to start with http:// instead of https:// but both versions result in HTTPS requests being made.

No way Google would allow its sites to use HTTP only. HTTPS is the default setting for Google's domains, as mentioned in Protecting data for the long term with forward secrecy.
You should also use HTTPS, for your own security.

Related

Google OAuth2.0 Access right

When using Google OAuth2, I keep getting
Erreur 400 : redirect_uri_mismatch The redirect URI in the request, http://hostname/signin-google, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit:
with the HTTP access.
But I'm using the HTTPS access to access the URL.
I don't know why it's redirecting by HTTP, not HTTPS.
For the auth I'm using
await HttpContext.ChallengeAsync("Google", new AuthenticationProperties() {RedirectUri = "/"});
--
Note: when trying to add my hostname with http to the redirect_uris accepted on GCP, it doesn't accept http, only HTTPS.
Thanks a lot.
You should pass the address of your own server/client-app as RedirectUri, which can handle the answer of Google's login dialog. This address should be a full URL, not just "/"; it has to be registered in the Google developer console and is required to be one with a https:// prefix.
You cannot implement OAuth2 with an insecure http:// redirect address; this would ruin all security.
In fact, it's the way you expose your app that is taken in parameters.
For me, I'm using the Dockerfile to expose my app, and I used to use
Expose http://*:80
And even if the associated domain started with HTTPS, inside the app it's always an HTTP call, so all the redirects are done through the HTTP protocol.
I've changed the way I expose my app from http://:80 to https://:443
And in the code I used Kestrel to launch the app, and it's working perfectly now.
Thank you
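The mismatch described in this thread, as an added example that is not code from any of the posters: a small JavaScript model of a sign-in handler that builds `redirect_uri` from the scheme the application itself sees. It assumes a TLS-terminating proxy that sets `X-Forwarded-Proto` (the thread does not mention one); all names, addresses and request objects are constructed for illustration.

```javascript
// Added example: how the scheme seen by the app decides the redirect_uri.
// REGISTERED mirrors the https-only URI a provider console would accept.
const REGISTERED = new Set(["https://hostname/signin-google"]);
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // constructed proxy address

// Decide the effective scheme of a request as the application sees it.
function effectiveScheme(req, { honorForwarded }) {
  const forwarded = req.headers["x-forwarded-proto"];
  // Believe X-Forwarded-Proto only when it arrives from a proxy we operate;
  // otherwise any client could simply claim "https".
  if (honorForwarded && forwarded && TRUSTED_PROXIES.has(req.remoteAddress)) {
    return forwarded.split(",")[0].trim().toLowerCase();
  }
  return req.socketEncrypted ? "https" : "http";
}

function buildRedirectUri(req, opts) {
  return `${effectiveScheme(req, opts)}://${req.headers.host}/signin-google`;
}

// Build the URI and compare it with the registered list, as the provider does.
function checkRedirect(req, opts) {
  const uri = buildRedirectUri(req, opts);
  return { uri, ok: REGISTERED.has(uri) };
}

// Constructed request: browser -> HTTPS -> proxy -> plain HTTP on :80 -> app
const viaProxy = {
  remoteAddress: "10.0.0.5",
  socketEncrypted: false,
  headers: { host: "hostname", "x-forwarded-proto": "https" },
};
// Constructed request: a client connecting directly and sending the header itself
const spoofed = { ...viaProxy, remoteAddress: "203.0.113.9" };

console.log(checkRedirect(viaProxy, { honorForwarded: false })); // http://... mismatch
console.log(checkRedirect(viaProxy, { honorForwarded: true }));  // https://... match
console.log(checkRedirect(spoofed, { honorForwarded: true }));   // header ignored
```
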

Communication between a http server and https server will be secured?

I am trying to implement an HTTP server inside an iOS app. I could see similar apps in the app store. But in my case, embedded HTTP server has to communicate with external HTTPS Server. So now,
is the communication secured? Or do I need to implement HTTPS server, instead?
Is it possible to implement an HTTPS server in iOS app?
Will Apple reject this approach?
Thanks in Advance
I'm assuming that you use the internal HTTP server to provide intercepted content for a WKWebView. In this case your web view connects to the HTTP server over HTTP and this connection is insecure. But generally this shouldn't be an issue because nobody can intercept the connection. Your HTTP server connects to the internet over HTTPS, and this should be done because this connection could be compromised.
Don't be confused about the different protocols. If you call an HTTPS URL, NSURLSession will use HTTPS and use a secured connection. There is no pitfall or issue. You needn't support HTTPS for the web view to server connection. This will not give you notably more security.
I use a similar setup in my application and it works perfectly.
BTW: In iOS 11 you may use WKURLSchemeHandler to intercept web view requests. This should be much easier than a local HTTP server. The disadvantage is that you have to define a custom protocol (e.g. xhttp instead of http), and rewrite the URLs in the web content. But this should be much easier to achieve than a local HTTP server.

how to secure api call from proxy

I am working on an app which has API calls. When I add a proxy on mobile and view the response in web debugging tools, I can see my API call parameters and the response too.
While in other apps I can't see these things and they are secured.
How can I achieve this?
The pictures show your API is using the non-secure HTTP protocol while other apps are using HTTPS. The Web API should be called via the HTTPS protocol. HTTPS uses SSL/TLS as a secure transport layer, which means all data is encrypted before it goes online. So, we don't care about any kind of proxy.

Scheme relative URL

There are a lot of questions on SO regarding scheme relative URL, but I don't understand what will happen in these scenarios:
1) I am on HTTPS clicking on href="//example.com/" (example.com doesn't have SSL, it's HTTP), so will the browser try to open HTTPS://example.com/ (because it wants to match the current scheme), and if there is no HTTPS scheme, will it open HTTP://example.com/?
2) Vice versa, going from HTTP to HTTPS, when the target //example.com/ is only HTTPS. Will the browser open HTTPS if the destination target does not have HTTP?
The browser will try to open the URL using the same scheme it's currently on; if it's currently on HTTPS, it will request the URL with HTTPS and vice versa for HTTP. If the target server does not support that scheme, it will simply fail. In case of a server which only supports HTTPS, that usually means that it enforces HTTPS; if you make an HTTP query to that server it often simply redirects to the HTTPS version of the same page. That's entirely up to the server to do though.
If a server only supports HTTP, that usually means that it doesn't have HTTPS at all. In that case an HTTPS request would simply fail and the browser will display an error message along the lines of "couldn't establish a secure connection/couldn't connect to server".
I have found a way to do this, with some inspiration from the answer on how to link to a different port, as I needed to do both. The way is:
<a href="/vnc.html" onclick='javascript:event.target.port=6080;event.target.protocol="https:"'>VNC connection</a><br />
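The resolution rule from the answers above, as an added example that is not part of the original posts: the WHATWG `URL` class (built into browsers and Node.js) resolves each href against the current page before any connection is attempted, which is why there is no fallback to the other scheme. The function names, the page URL `site.test` and the href list are constructed for illustration; `retarget` mirrors the port and protocol override in the last answer.

```javascript
// Resolve hrefs the way a browser does and flag links that take the user
// from an HTTPS page to plain HTTP.
function auditLinks(pageUrl, hrefs) {
  const page = new URL(pageUrl);
  return hrefs.map((href) => {
    const target = new URL(href, page); // scheme is fixed here, before any request
    return {
      href,
      resolved: target.href,
      inheritsScheme: href.startsWith("//"), // scheme-relative reference
      downgrade: page.protocol === "https:" && target.protocol === "http:",
    };
  });
}

// Same-host link with port and scheme overridden, like the onclick handler above.
function retarget(pageUrl, path, port, protocol) {
  const target = new URL(path, pageUrl);
  target.port = String(port);
  target.protocol = protocol;
  return target.href;
}

// Constructed sample hrefs
const HREFS = [
  "//example.com/",
  "http://example.com/",
  "/vnc.html",
  "https://example.com:6080/vnc.html",
];

for (const page of ["https://site.test/index.html", "http://site.test/index.html"]) {
  console.log(page);
  for (const row of auditLinks(page, HREFS)) {
    console.log(`  ${row.href} -> ${row.resolved}${row.downgrade ? "  [HTTPS -> HTTP]" : ""}`);
  }
}
console.log(retarget("http://site.test/index.html", "/vnc.html", 6080, "https:"));
```
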

http versus https for YouTube feed APIs

The YouTube documentation for the video feeds API is documented here:
https://developers.google.com/youtube/2.0/developers_guide_protocol_video_feeds#User_Uploaded_Videos
It states:
To request a feed of all videos uploaded by another user, send a GET request to the following URL. This request does not require authentication.
https://gdata.youtube.com/feeds/api/users/userId/uploads
I have found that the non-SSL format (http) of this API works as well.
I would prefer to use this version of the URL because I do not require SSL. However I am concerned that it is not documented (and thus might be dropped in the future). So, my question is, is the http form of this API officially supported?
I use HTTP too. The demo page from YouTube does not use HTTPS either: YouTube Data API
You should be perfectly fine by using HTTP.
