I'm using Azure Mobile Apps with the .NET SDK as a backend for my iOS app. The authentication is done via Facebook. Yesterday, out of nowhere (no code changes either on backend or app), the authentication with Facebook failed. The login inside the iOS client app is done via
self.client?.login(withProvider:"facebook", token: ["access_token" : FBSDKAccessToken.current().tokenString] ){ (user, error) in }
By calling this function I'm getting the following result, on the client.
Error Domain=com.Microsoft.MicrosoftAzureMobile.ErrorDomain Code=-1302 "You do not have permission to view this directory or page."
By inspecting the streaming logs of Azure Mobile Apps, I found out that the backend gets an Unauthorized 401.71 return back from calling the Facebook Graph API.
Streaming Log:
Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: POST https://XXXXXXXXXX.azurewebsites.net/.auth/login/facebook
'w3wp.exe' (CLR v4.0.30319: DefaultDomain): Loaded 'D:\Windows\Microsoft.Net\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll'. Skipped loading symbols.
'w3wp.exe' (CLR v4.0.30319: DefaultDomain): Loaded 'D:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll'. Skipped loading symbols.
Microsoft.Azure.AppService.Authentication Verbose: 0 : Calling into external HTTP endpoint GET https://graph.facebook.com/oauth/access_token.
Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized
I already tried cloning the Mobile App in Azure and creating a new Facebook App, without success.
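A way to triage a streaming log like the one quoted above, as an added example that is not part of the original post: it pairs each `/.auth/login/...` request with the external endpoint called and the response sent, so a failure after the provider call can be told apart from one before it. The function name, the verdict labels and the sample lines are assumptions, and the sketch assumes requests are logged one after another rather than interleaved.

```javascript
// Constructed sample in the format of the streaming log quoted above
// (host name and the second request are placeholders, not real output).
const SAMPLE_LOG = [
  "Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: POST https://example.azurewebsites.net/.auth/login/facebook",
  "'w3wp.exe' (CLR v4.0.30319: DefaultDomain): Loaded 'SMDiagnostics.dll'. Skipped loading symbols.",
  "Microsoft.Azure.AppService.Authentication Verbose: 0 : Calling into external HTTP endpoint GET https://graph.facebook.com/oauth/access_token.",
  "Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized",
  "Microsoft.Azure.AppService.Authentication Verbose: 0 : Received request: POST https://example.azurewebsites.net/.auth/login/facebook",
  "Microsoft.Azure.AppService.Authentication Information: 0 : Sending response: 401.71 Unauthorized",
];

const AUTH_LINE = /^Microsoft\.Azure\.AppService\.Authentication (\w+): \d+ : (.*)$/;

// Hypothetical helper: returns one record per request seen in the log.
function correlateAuthLog(lines) {
  const requests = [];
  let current = null;
  for (const line of lines) {
    const m = AUTH_LINE.exec(line);
    if (!m) continue; // module-load noise from w3wp.exe and similar
    const msg = m[2];
    let p;
    if ((p = /^Received request: (\S+) (\S+)$/.exec(msg))) {
      current = { method: p[1], path: new URL(p[2]).pathname, externalCalls: [], status: null, subStatus: null };
      requests.push(current);
    } else if (current && (p = /^Calling into external HTTP endpoint (\S+) (\S+?)\.?$/.exec(msg))) {
      current.externalCalls.push(new URL(p[2]).host);
    } else if (current && (p = /^Sending response: (\d{3})(?:\.(\d+))? /.exec(msg))) {
      current.status = Number(p[1]);
      current.subStatus = p[2] ? Number(p[2]) : null;
      // A failure after an outbound call points at the provider exchange,
      // one without it at the request or the gateway configuration.
      current.verdict = current.status < 400 ? "ok"
        : current.externalCalls.length ? "failed_after_provider_call"
        : "failed_before_provider_call";
      current = null;
    }
  }
  return requests;
}
```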
For other users affected by this issue, I will quote the official answer from the MSDN thread.
TL;DR
Hotfix applied - App Restart Required
** UPDATE 3/28/2017 ** We're in the process of rolling out a rapid hotfix for affected apps worldwide. The hotfix mechanism will require you to restart your app backend. You can do this using the Azure Portal, the Azure Management CLI, or the App Service Mobile Companion app for iOS and Android. Once restarted, please verify that your Facebook logins are working again.
West US: Hotfix applied. Please restart your app.
Other Regions: Pending
I have the same problem, it stopped working yesterday without any code change.
I have tried to call the Azure Facebook authentication from a REST client.
I get the same result as from the app, 401, and no additional information.
https://appname.azurewebsites.net/.auth/login/facebook
{
"access_token": "token obtained after authorizing with Facebook"
}
I have tried calling the Facebook API from a REST client and it works.
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=SECRET_APP_ID&grant_type=fb_exchange_token&fb_exchange_token=ACCESS_TOKEN
My guess is that they changed something in Azure Web Apps and broke the Facebook authentication.
Please let me know if you find any solution.
This should be rolled out now. If you have any further questions see the MSDN thread from above: https://social.msdn.microsoft.com/Forums/azure/en-US/397f6952-57bf-4c28-b383-6bba08d28f9a/facebook-login-failures-with-app-service-authentication-authorization?forum=windowsazurewebsitespreview
Related
I have a web site that has been using Microsoft accounts for authentication for more than three years. It is a Node web app and is using the passport-windowslive package.
Lately, when users return from login.live.com after logging successfully using their Microsoft accounts, one of two types of errors is received, sometimes:
The provided value for the input parameter 'scope' is not valid. The target '«my web site domain»' does not exist.
or:
The provided value for the 'code' value is not valid. The code has expired.
The error is sporadic. I am unable to reproduce it on my development machine.
As the passport-windowslive package was last changed four years ago and my code has not changed for more than two years, the cause looks like it's at the Microsoft end. What has changed?
Update: The problem is getting worse. Previously, the problem could sometimes be overcome by using an incognito browser session or changing the browser. Now it's happening on all browsers. But I am still unable to reproduce the error when running on localhost (with no http).
Microsoft has changed how its applications can be used for OAuth. They must now be managed from Azure instead of apps.dev.microsoft.com or Microsoft Live.
Existing applications configured in apps.dev.microsoft.com will result in:
AADSTS700016: Application with identifier '000000xxxxxxx' was not found in the directory 'aaaaaaaa-bbbb-cccc-ddd-eeeeeeeeeeee'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
The passport-windowslive module somehow did not bubble up the error response.
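One way to make sure a provider error like the ones quoted above reaches the logs instead of being swallowed, as an added example that is not part of the original answer and not code from passport-windowslive: it reads the `error` and `error_description` parameters of an OAuth 2.0 callback (RFC 6749 section 4.1.2.1) from either the query string or the fragment, then checks `code` and `state`. The function names, the local labels `missing_code` and `state_mismatch`, and the sample URLs are assumptions.

```javascript
// Added example. "missing_code" and "state_mismatch" are local labels,
// not OAuth-defined error values.

// Compare without stopping at the first differing character.
function sameState(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function fail(source, error, description) {
  // Pull out a provider code such as AADSTS700016 so it can be indexed in logs.
  const m = /\bAADSTS\d+\b/.exec(description);
  return { ok: false, source, error, description, providerCode: m ? m[0] : null };
}

function parseOAuthCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Errors arrive in the query string (code flow) or in the fragment.
  const sources = [
    ["query", url.searchParams],
    ["fragment", new URLSearchParams(url.hash.replace(/^#/, ""))],
  ];
  for (const [source, params] of sources) {
    if (params.has("error")) {
      return fail(source, params.get("error"), params.get("error_description") || "");
    }
  }
  const code = url.searchParams.get("code");
  if (!code) return fail("query", "missing_code", "callback carried neither code nor error");
  if (!sameState(url.searchParams.get("state"), expectedState)) {
    return fail("query", "state_mismatch", "state does not match the value issued for this session");
  }
  return { ok: true, code };
}

// Constructed callback URLs; the host, code and state values are placeholders.
const SAMPLE_CALLBACKS = {
  aadError: "https://app.example.test/auth/callback?error=unauthorized_client&error_description=AADSTS700016%3A+Application+with+identifier+%27000000xxxxxxx%27+was+not+found&state=s1",
  fragmentError: "https://app.example.test/err#error=unauthorized_client&error_description=The+client+does+not+exist.&state=s1",
  success: "https://app.example.test/auth/callback?code=CONSTRUCTED&state=s1",
};
```

A fragment is never sent to the server, so the `fragment` branch only applies when the URL is parsed in the browser or taken from a captured address bar.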
I have been trying to implement OAuth v2 for Microsoft Accounts for my website. It's currently in the development stage, so I am testing on localhost. The website is an ASP.NET Core MVC 5 application.
I have followed the tutorial here to implement OAuth for Twitter, Google and Facebook accounts. I found this to be quite simple with only a few small issues that I was able to solve with simple google searches.
However I have spent several days trying to understand what is happening when trying to use Microsoft Account authentication on my site.
I have watched the video here on registering an application in the Microsoft App Registration Portal. At around minute 6 in the video a short demo shows how to set up the App. You can see my App details in the following screen shot:
In the video at about 7.5 mins in, there is a small section explaining how to test the App by building a URL string.
On submitting the query string to the browser the page is redirected as expected to my App page as you can see here:
In this instance I was already signed into my Microsoft Outlook account. If I wasn't signed in, I would be prompted to log in to a Microsoft account. Logging in, in this case choosing my already signed-in Outlook account, causes the page to be redirected back to my site as seen in the following screenshot, but because the site didn't send the request, it's not expecting a token sent back for login, so nothing really happens. This is expected behaviour at this point, as I was only testing that the App's endpoint was working as expected.
The next stage is to test the functionality from my website. This is where I always have issues. Activating the OAuth functionality for Microsoft Account login requires simply un-commenting a couple of lines of code within the Startup.Auth.cs file in my website's App_Start folder and passing in the App's ClientKey and ClientSecret values, as can be seen in the following code snippet:
app.UseMicrosoftAccountAuthentication(
clientId: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientID"],
clientSecret: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientSecret"]);
This code basically adds a little button to the login page that allows you to choose Microsoft login as can be seen here:
When I click the Microsoft button I get the following error page:
And the query string returned contains the following:
https://login.live.com/err.srf?lc=2057#error=unauthorized_client&error_description=The+client+does+not+exist.+If+you+are+the+application+developer%2c+configure+a+new+application+through+the+application+management+site+at+https://apps.dev.microsoft.com/.&state=JMxMRuKaOiYWCQw_Uqkhv3gLQn3ULlkG2miM4ymcHhTK5niXVQl5n4L0a6VoWeEKmFM7T1ciU2oQAh26_Y0i2DMjdt6BOAtpjNeMaSpBq4wbCjva9lOuctOUIWwoFdTEGvxJ4M904lUsoudd9e9cYi6eiH3JF81HB5ouQSus2ddE1sVUQLw-YB1GjUL79y2muFaBFIOIOk75oCV2IxX4cFO2rJU04K9Se6gxu698WpzR8taUB2c6tK9u0dBisckhavf0IvKB9dWQq-IVwQgvaA
Anybody know why or what is happening????
Now I have read in several of my many searches, while trying to understand what's happening when I try to test the App from my site rather than a URL directly in the browser, that I should have
/signin-microsoft
appended to my Redirect URL in the App Portal's configuration. I have tested with my Redirect URL set like that and this does not work. I get an HTTP ERROR 500 sent back because the page signin-microsoft does not exist. So this is not my problem.
Please help if anyone has had the same issues and solved it.
EDIT: I should have mentioned that I was initially trying this using local IIS Express, but after reading some posts saying it can be done only on IIS, I published my site locally to IIS.
I am currently using the Salesforce.com IOS SDK Version 3.0 to build a native application that connects to salesforce. This app will be used for external users, so it is pointed at communities.
I first started by creating a Native IOS SDK app and getting that working and talking to salesforce.
I then created a new community, created a community user, gave them the proper permissions and finished setting up the community.
Next I went into the Xcode Project, under supporting files to the application plist. I then edited the SFDCOAuthLoginHost to be set to the community URL.
Once that was completed I restarted the app, and was able to login to the community through the native SDK and things would work great until the app hit its session timeout. At this point I receive these errors.
ERROR|SFNetworkOperation|callDelegateDidFailWithError Session expired or invalid
ERROR|SFNetworkOperation|Session timeout encountered. Requeue 0.000000or retry later
ERROR|SFNetworkEngine|Ignore session timeout error callback as host URL changed, request URL is https://dev-patientsupport-dev.cs21.force.com/dev/services/apexrest/patientNotifications, login host is [cs21.salesforce.com]
Of course because it cannot get a new session all web callouts fail after this point.
I have searched everywhere and cannot find a solution to this problem. My guess is that because the request is being made to the community URL, but the refreshed session is being sent from cs21.salesforce.com, it is being ignored. Thanks again for everyone's time.
A fix for this bug has been submitted as part of Mobile SDK 3.1.1 patch on GitHub, npm (forceios), and Cocoapods. Please see https://plus.google.com/105428096535342044035/posts/AkoVwL5Kdt3 for more details.
It looks like this may be caused by the refresh token having its instanceURL set to the wrong destination when using communities. This may be a bug in the SDK as it works fine on the web. Try changing the instanceURL of the credentials to be the same as the URL of the community to see if that helps.
Finding it hard to troubleshoot this issue in an iOS app I'm developing, appreciate any tips.
Once-per-day (on the first use) the app fails to authenticate to Azure Mobile Services (using the Azure Mobile Services framework for iOS; Azure service is configured for Facebook authentication), using a Facebook token generated by the Facebook SDK (with what appears to be a correctly configured FB App on their site). Subsequent usage/calls to Azure have no problem once the app is reloaded.
Given it's once-per-day I'm assuming it's a token expiry issue, but I can't figure out where! Occurs in both simulator and real iPhone, and with FB Dev test accounts and real FB accounts.
The auth process I've established in-app is:
1. In the AppDelegate
Establish a shared Azure Mobile Services client object e.g.
self.client = [MSClient clientWithApplicationURLString:AZURE_SERVICE_URL applicationKey:AZURE_SHARED_APPKEY];
2. In the MasterViewController
Open the active FBSession with basic permissions:
[FBSession openActiveSessionWithReadPermissions:permissions allowLoginUI:YES completionHandler:{...}]
Once the FBSession is open, grab the FB token from the session:
NSString *fbToken = session.accessTokenData.accessToken;
NSDictionary *fbTokenDict = @{@"access_token": fbToken};
Attempt to authenticate to Azure Mobile Services using the FB token, via the shared client in the AppDelegate:
MSClient *client = [(AppDelegate *) [[UIApplication sharedApplication] delegate] client];
[client loginWithProvider:@"facebook" token:fbTokenDict completion:^(MSUser *user, NSError *error) { ... }];
(I plan to persist the Azure credentials in the keychain and only refresh when needed, but not until I've solved this issue. Right now it basically performs a re-auth every time which is fine for testing.)
Assuming no errors returned from Azure, continue with loading the data from the Azure service using standard Azure SDK calls.
Issue
Only on the first launch (either simulator, or real device; test or real FB account) after a long wait (say 10-30 seconds) Azure Mobile Services returns a 500 error code to the app (among a lot of IIS HTML). Subsequent launches of the app do not return the error, and respond with data at access speeds.
Tried these so far
The Azure Mobile Services logs don't show any issues
Attempting to use the MSFilter delegate methods on the Azure service objects to catch errors reveals persistent 401 response codes, but responding to them doesn't affect the above behaviour at all
Following advice on other threads here, I've tried different combinations of FB App settings related to setting the App as Native/Desktop app and secret stored/not stored in app; with no luck
Any tips most appreciated!
I'm a member of the Mobile Services team.
For efficiency reasons, Mobile Services will shut down free tier services that are not actively receiving traffic. When a request is sent to a service that has been shut down, it takes some time for it to start back up again. There is an issue that is affecting a small number of customers that causes that first request to return a 500 and we are actively working on a fix.
Until the fix is in place, the best way for you to resolve your problem is to scale your service up to the basic or standard tier. If it turns out you are already scaled up, please let me know as we have only seen this issue occur for customers in the free tier so far.
I am new to developing a Salesforce app and I am using OAuth 1 for authentication.
I am able to generate the Request Token, and I re-direct the user to the salesforce site.
Once I enter my credentials, I get a
Remote Access Authorization Error
There was a problem in setting up your remote access
with
oauth_error_code=1800
In my Login History page, it shows Status as Success for Application type OAuth.
I don't get any entry in my Debug Logs page.
I have enabled Development Mode.
Any ideas what's wrong?
So https://login.salesforce.com/services/oauth2/success is a stub URL for callbacks - and that is the screen you are seeing there, and the access_token variable is your session ID for the user. So the OAuth flow is working correctly.
In the code, you might check to see if oauthResponse.access_token is getting set correctly. If so, it looks like:
sfw.login( setupHomeView );
That is what should tell it to move from that page to the next UI page.
You might also check out the Force.com Mobile SDK (link). It also includes PhoneGap and has a great OAuth wrapper built in.