I am trying to find an example of a good "returnURL" to be used with the Microsoft-Graph-UWP-Connect-SDK example on GitHub.
<Application.Resources>
<!-- Add your client id here. -->
<x:String x:Key="ida:ClientID">xxxxx</x:String>
<x:String x:Key="ida:ReturnUrl">???????</x:String>
</Application.Resources>
I've tried using the Application Registration Portal, but I cannot find the correct entry or results.
Return URIs are the addresses that the authentication response is allowed to be redirected to in order to pass back the token/codes. For this example, I’ll use a Raspberry in a UWP. The name will be “laurellerpitest” and it will return to port 81 on the page “token”, so http://laurellerpitest:81/token
Important: Do give a read to Getting the access token on the same page.
And see if this works,
<Application.Resources>
<!-- Add your client id here. -->
<x:String x:Key="ida:ClientID">ENTER_YOUR_CLIENT_ID</x:String>
<x:String x:Key="ida:ReturnUrl">http://laurellerpitest:81/token</x:String>
</Application.Resources>
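The answer above describes the return URL as the address the token is allowed to be sent back to. The following is an added example (not code from the SDK sample or from the answer) of the two checks a practitioner wants around that value: what to reject when a return URL is registered, and how the server side should compare a requested redirect against the registered set (exact match only). The registered set contains the answer's URL; `LOOPBACK_HOSTS` and the error/warning split are this example's own choices.

```python
from urllib.parse import urlsplit

# Constructed registry: the return URL from the answer above is the only entry.
REGISTERED_RETURN_URLS = {"http://laurellerpitest:81/token"}

# Hosts for which plain http is tolerated (native/UWP apps on the local machine).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def registration_problems(uri: str) -> dict:
    """Check a candidate return URL before it is registered.

    RFC 6749 section 3.1.2 requires an absolute URI without a fragment
    component; those violations are reported as errors. A non-loopback
    host reached over plain http is reported as a warning, since the
    token travels in that redirect.
    """
    errors, warnings = [], []
    parts = urlsplit(uri)
    if not parts.scheme:
        errors.append("missing scheme (return URL must be absolute)")
    if not parts.hostname:
        errors.append("missing host")
    if parts.fragment or uri.endswith("#"):
        errors.append("fragment component is not allowed in a return URL")
    if parts.scheme == "http" and parts.hostname and parts.hostname not in LOOPBACK_HOSTS:
        warnings.append("plain http to a non-loopback host exposes the token in transit")
    return {"errors": errors, "warnings": warnings}


def redirect_allowed(requested: str, registered=REGISTERED_RETURN_URLS) -> bool:
    """Server-side comparison of a requested redirect against the registry.

    Exact string equality only: no prefix, wildcard or case-folded matching,
    because each relaxation lets a differently shaped URL receive the token.
    """
    return requested in registered


if __name__ == "__main__":
    print(registration_problems("http://laurellerpitest:81/token"))
    print(redirect_allowed("http://laurellerpitest:81/token?extra=1"))
```

The registration check accepts the answer's URL but attaches a warning about plain http; a query string or trailing path appended to an otherwise registered URL is rejected by the exact-match comparison.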
I am force to use an unergonomic web site (let’s call it zzz) that uses auth0 for authentication, and a REST API internally, and I have a strong desire to use the API directly.
Using the browser inspector, I can see how that API works, and if I use the JWT Access Token (transmitted using Authorization: Bearer) that I find there, I can script access to API.
The problem I am facing is getting such a JWT access token via auth0, given my username and password.
When I use the browser-based login, I see that zzz redirects me to
https://zzz.eu.auth0.com/login
?state=g6…mo
&client=uz…6j
&protocol=oauth2
&response_type=token%20id_token
&redirect_uri=https%3A%2F%2Ffoo.zzz.com%2Fcallback
&scope=openid%20read%3Amore%20scopes…
&audience=zz-api-prod
&nonce=0G…L7
&auth0Client=ey…n0%3D
(line breaks for your convenience)
I can now manually enter username and password, and get logged in, which seems to perform these steps:
A POST to
https://zzz.eu.auth0.com/usernamepassword/login
with a body of
{ "client_id":"uz…6j",
"redirect_uri":"https://foo.zzz.com/callback",
"tenant":"zzz",
"response_type":"token id_token",
"connection":"zzz-production-users",
"username":"…",
"password":"…",
"nonce":"0G…L7",
"state":"g6…mo",
"sso":true,
"_intstate":"deprecated",
"_csrf":"fb…KI",
"audience":"zzz-api-prod",
"auth0Client":"ey…n0=",
"scope":"openid read:stores more:scopes …",
"protocol":"oauth2"
}
and a response of
<form method="post" name="hiddenform" action="https://zzz.eu.auth0.com/login/callback">
<input type="hidden" name="wa" value="wsignin1.0">
<input type="hidden"
name="wresult"
value="ey…tE">
<input type="hidden" name="wctx" value="…">
<noscript>
<p>
Script is disabled. Click Submit to continue.
</p><input type="submit" value="Submit">
</noscript>
</form>
The JS on the login page seems to press that submit button, causing a POST to
https://zzz.eu.auth0.com/login/callback
which redirects to
https://foo.zzz.com/callback
#access_token=ey…7Q
&scope=openid%20read%3Amore%20scopes…
&expires_in=7200
&token_type=Bearer
&state=%7B%7D
&id_token=ey…Sg
… which contains the precious access token that I want.
Trying to script this precise flow, which would involve parsing the returned HTML to extract the wctx and wresult arguments, is quite tedious.
So my question is:
Is there a way to get the access_token some other way that is more convenient to script using just command line curl, or maybe some simple python code/library?
I have tried various things that I found on the auth0 documentation website (e.g. https://auth0.com/docs/api-auth/tutorials/password-grant#realm-support), but could not get them to work; presumably because they need to be explicitly enabled by zzz in their auth0 settings?
The correct approach should be a separation between these:
Unergonomic web site (Client A) - which uses the implicit flow
Web API
Client B (your command line) - which uses a different flow
In Auth0 you should configure a new OAuth Client Entry for Client B, which should probably use a different flow - perhaps the password grant you mention.
You will at least be able to get a token in this manner. Whether the API accepts calls from you may depend on other design aspects.
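The answer recommends a separately registered client ("Client B") that uses a non-browser flow such as the password grant. The following is an added example (not code from the question, the answer or Auth0) of what that client looks like in Python with only the standard library: it builds the Resource Owner Password grant request to `https://<domain>/oauth/token`, turns the JSON response into a record with an absolute expiry, and produces the `Authorization: Bearer` header the API expects. The tenant domain, client id and audience values are constructed placeholders; the optional `realm` parameter follows the realm-support page linked in the question.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders; a real "Client B" registration supplies its own values.
AUTH0_DOMAIN = "zzz.eu.auth0.com"
CLIENT_B_ID = "CLIENT_B_ID_PLACEHOLDER"
API_AUDIENCE = "zzz-api-prod"


def build_password_grant_request(domain, client_id, username, password, audience,
                                 scope="openid", realm=None, client_secret=None):
    """Return (url, form-encoded body) for the password grant at /oauth/token.

    With `realm` set, the grant_type switches to Auth0's password-realm
    variant so the request is pinned to one named connection.
    """
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": audience,
        "scope": scope,
        "client_id": client_id,
    }
    if realm:
        fields["grant_type"] = "http://auth0.com/oauth/grant-type/password-realm"
        fields["realm"] = realm
    if client_secret:  # only for confidential clients; public CLI clients omit it
        fields["client_secret"] = client_secret
    return f"https://{domain}/oauth/token", urllib.parse.urlencode(fields).encode()


def parse_token_response(body, now=None):
    """Convert the token endpoint's JSON into a record with absolute expiry."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint error: {data.get('error')}: "
                         f"{data.get('error_description')}")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data.get("expires_in", 0)),
        "scope": data.get("scope", ""),
    }


def bearer_header(token):
    """Header dict to attach to API calls, matching what the browser sends."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def fetch_token(domain, client_id, username, password, audience, **kwargs):
    """Live call to the token endpoint (network; not exercised offline)."""
    url, body = build_password_grant_request(domain, client_id, username,
                                             password, audience, **kwargs)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())
```

Read the username and password from the environment or a prompt rather than embedding them; the grant only succeeds once the tenant has enabled it for this client, which is the setting the answer says zzz controls.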
I have a subflow that ensures an OAuth access token is current. The token value is saved in an object store that expires the entry shortly before it times out. When expired, a new token value is retrieved and placed in the object store.
I didn't find any straightforward examples of a Mule v3 methodology to refresh a token that utilizes an object store, so here's the code, if anyone's interested.
<sub-flow name="get_token">
<objectstore:retrieve config-ref="TokenStore" key="StatusToken" defaultValue-ref="#['expired']" targetProperty="StatusToken" doc:name="Get token from Object Store"/>
<choice doc:name="Expired?">
<when expression="#[flowVars.StatusToken == 'expired']">
<set-payload value="#[{'grant_type':'refresh_token', 'refresh_token':'${RefreshToken}'}]" doc:name="Set payload for token refresh"/>
<http:request config-ref="HTTP-Token" path="${tokenPath}" method="POST" doc:name="Get new token">
<http:request-builder>
<http:header headerName="Content-Type" value="application/x-www-form-urlencoded"/>
</http:request-builder>
</http:request>
<dw:transform-message doc:name="Write token to flowVar">
<dw:set-variable variableName="StatusToken">
<![CDATA[
%dw 1.0
%output application/java
---
payload.access_token
]]>
</dw:set-variable>
</dw:transform-message>
<objectstore:store config-ref="TokenStore" key="StatusToken" value-ref="#[flowVars.StatusToken]" doc:name="Put token to Object Store"/>
</when>
<otherwise>
<set-variable variableName="Useless" value="#['']" doc:name="Useless placeholder"/>
</otherwise>
</choice>
</sub-flow>
The flow works well as designed, but here's my question. A choice router checks to see if the token has expired. There is no action required otherwise, and the flow errors out if the default path is empty. What's the simplest element to minimize processing and any resource utilization on the default path?
Following Ryan Carter's comment, this could be marked as a duplicate, but not really.
Here's the link:
How do I implement IF in mulesoft
Summary
Mule 4:
The <otherwise> tag is not needed
Mule 3:
A component is needed. I tend to use Logger with the level of TRACE, since log4j2 is smart and won't substitute parameters if the level is set to DEBUG and higher. However, if you really need to debug a flow, it would be good to see that it got routed correctly.
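The sub-flow above stores the token in an object store whose entry times out shortly before the token itself does, and refreshes on a miss. The following is an added example (not code from the question or from Mule) of the same cache-with-margin pattern in Python, with the refresh-token grant from the sub-flow's payload as the refresher; the clock is injectable so the expiry boundary can be checked without waiting. Endpoint and refresh-token values are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request


class TokenCache:
    """Hold an access token and refresh it `margin` seconds before it lapses.

    Like the object store in the sub-flow, the cached entry expires earlier
    than the token, so a caller never receives a token about to time out.
    """

    def __init__(self, refresher, margin=60, clock=time.time):
        self._refresher = refresher      # callable returning (access_token, expires_in)
        self._margin = margin
        self._clock = clock
        self._token = None
        self._entry_expires_at = 0.0     # expiry of the cache entry, not the token
        self.refresh_count = 0

    def expired(self):
        return self._token is None or self._clock() >= self._entry_expires_at

    def get(self):
        """Return a current token, refreshing only when the entry has expired."""
        if self.expired():
            token, expires_in = self._refresher()
            # A token shorter than the margin is usable but never cached.
            lifetime = max(int(expires_in) - self._margin, 0)
            self._token = token
            self._entry_expires_at = self._clock() + lifetime
            self.refresh_count += 1
        return self._token


def refresh_token_grant(token_url, refresh_token):
    """Live refresh (network; not exercised offline): the same form body the
    sub-flow posts, returning (access_token, expires_in)."""
    body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token}).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        data = json.loads(resp.read())
    return data["access_token"], int(data.get("expires_in", 0))


if __name__ == "__main__":
    # Constructed placeholders standing in for ${tokenPath} and ${RefreshToken}.
    cache = TokenCache(lambda: refresh_token_grant(
        "https://auth.example/oauth/token", "REFRESH_TOKEN_PLACEHOLDER"), margin=300)
    print(cache.get())
```

With a 3600-second token and a 300-second margin the entry is refreshed at 3300 seconds; the "nothing to do" branch of the sub-flow corresponds to `get()` returning the cached value without calling the refresher.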
I have an issue with this feature.
The SignIn action works well with ADFS and returns to AuthServices/Acs.
But the Logout action doesn't call ADFS and redirects directly to the ReturnUrl parameter (checked with Fiddler).
I'm calling this link: /AuthServices/Logout?ReturnUrl=~/&Status=LoggedOut
web.config is set up like this:
<kentor.authServices entityId="https://localhost:2181/AuthServices" returnUrl="https://localhost:2181/">
<identityProviders>
<add
entityId="https://ADFS DOMAIN/adfs/services/trust"
signOnUrl="https://ADFS DOMAIN/adfs/ls"
logoutUrl="https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0"
binding="HttpPost"
allowUnsolicitedAuthnResponse="true"
metadataLocation="https://ADFS DOMAIN/FederationMetadata/2007-06/FederationMetadata.xml"
wantAuthnRequestsSigned="true">
<signingCertificate fileName="~/App_Data/*****.cer" />
</add>
</identityProviders>
</kentor.authServices>
If I launch https://ADFS DOMAIN/adfs/ls/?wa=wsignout1.0 in another tab, it works: I return to the sign-in page of my website.
So it seems to be an internal issue retrieving the logoutUrl and sending it?
Thanks for the help.
There are a number of requirements that need to be met before a logout request will be issued:
You need to have a http://kentor.se/AuthServices/LogoutNameIdentifier claim and its issuer has to match the IDP that you're trying to logout from.
You need to have http://kentor.se/AuthServices/SessionIndex claim.
Your AuthServices IDP configuration needs a logoutUrl (I see you've specified this but probably it's easier to let AuthServices read it from the metadata)
You have specified a ServiceCertificate with either Signing or Both usage (i.e. not just Encryption)
Your AuthServices IDP configuration has DisableOutboundLogoutRequests = false (this is the default)
Missing claims (first two points) is the most likely issue if you have some claims transformation happening during login or you are not retaining the original ClaimsIdentity. See also the documentation regarding ClaimsAuthenticationManager, e.g. https://github.com/KentorIT/authservices/blob/master/doc/ClaimsAuthenticationManager.md
You can turn on logging and see which of these points are failing:
https://github.com/KentorIT/authservices/blob/v0.21.2/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L155-L170
I am trying to schedule a new blast to send emails. I am calling the below URL
https://app.streamsend.com/audiences/1/blasts.xml
posting the below xml to the service
<blast>
<from>
<name>Customer Service</name>
<email-address>xxx#example.com</email-address>
</from>
<to>
<audience-id>1</audience-id>
<filter-id></filter-id>
<include-lists>5</include-lists>
<exclude-lists>7</exclude-lists>
</to>
<subject>My First Blast</subject>
<body>
<email-id>9</email-id>
</body>
<options>
<track-views>true</track-views>
<track-clicks>true</track-clicks>
<include-social-bar>false</include-social-bar>
</options>
<scheduled-for>2015-02-17T20:00:00Z</scheduled-for>
</blast>
I am getting WebException showing error 422 unprocessable entity. Please help me in resolving this issue.
Before scheduling a blast we must first verify the email mentioned in the email-address tag (xxx#example.com). This is to ensure compliance with the U.S. CAN-SPAM law.
<blast>
<from>
<name>Customer Service</name>
<email-address>xxx#example.com</email-address>
</from>
<to>
<audience-id>1</audience-id>
<filter-id></filter-id>
<include-lists>5</include-lists>
<exclude-lists>7</exclude-lists>
</to>
<subject>My First Blast</subject>
<body>
<email-id>9</email-id>
</body>
<options>
<track-views>true</track-views>
<track-clicks>true</track-clicks>
<include-social-bar>false</include-social-bar>
</options>
<scheduled-for>2015-02-17T20:00:00Z</scheduled-for>
</blast>
To verify the email address, log in to the StreamSend web portal and try to set up a blast. Steps to set up a blast:
Step 1: Enter the sender email address information.
Step 2: An activation link is sent to the email mentioned in step 1. Once the user activates the link, the sender account is verified successfully.
We will be able to schedule blasts after verification without any issues.
Note: In StreamSend one audience ID is created per account; usually the value is 1, but sometimes it may have a value other than 1. While scheduling a blast it is better to check for the audience ID by calling the API rather than hard-coding the value.
We have a Google Gadget that connects to Fusion Tables through the Fusion Table API with the user’s Google Account. It performs SELECT and INSERT.
We built the gadget using OAuth1 (shindig library for opensocial). It worked fine for the deprecated version of the Fusion Table API. When we migrated it to the new API, the SELECT works fine because authentication with OAuth2 is not necessary. For the INSERT however, it is necessary. The documentation for opensocial has not been completely updated: http://docs.opensocial.org/display/OSREF/OpenSocial+Specification+Considerations
I cannot figure out how to successfully use OAuth2 to perform an Insert. We have the API privileges to read/write at the domain level and the user has owner privileges to the Fusion table.
The error I am getting says “Invalid Credentials”, which is pretty vague, and I cannot tell why.
Here is our gadget header:
<OAuth>
<Service name="google">
<Access url="https://www.google.com/accounts/OAuthGetAccessToken" method="GET" />
<Request url="https://www.google.com/accounts/OAuthGetRequestToken?scope=https://www.googleapis.com/auth/fusiontables%20https://docs.google.com/feeds/default/private"
method="GET" />
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback" />
</Service>
</OAuth>
I am not sure exactly how to update, so I added another header:
<OAuth2>
<Service name="google">
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauth2callback" />
</Service>
</OAuth2>
When we make the call, we do the following:
// The request body and target URL are defined before they are referenced in options.
var postData = "sql=INSERT…";
var URL = "https://www.googleapis.com/fusiontables/v1/query?key={encrypted fusiontable key}&client_id={id number}";
var options = {};
options[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.TEXT;
options[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
options[gadgets.io.RequestParameters.POST_DATA] = postData;
options[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.OAUTH2;
options[gadgets.io.RequestParameters.HEADERS] = {'Authorization':'{encrypted fusiontable key}'}; // not sure if this helps but it's extra
options[gadgets.io.RequestParameters.OAUTH_SERVICE_NAME] = "google";
options[gadgets.io.RequestParameters.OAUTH_USE_TOKEN] = "always";
gadgets.io.makeRequest(URL, handlerWrapper, options);
Thanks!
If you're doing a write request, you will need to supply the oauth token that encodes the user's permission to access the table. It looks like this might be in gadgets.io.RequestParameters.OAUTH_REQUEST_TOKEN. The key is used for read access from public tables. Also, you may need to set the OAUTH_SERVICE_NAME to "fusiontables".