I have been trying to implement the OAuth v2 for Microsoft Accounts for my website. Its currently in development stage and so am testing on localhost. The Website is an ASP.NET Core MVC 5 Application.
I have followed the tutorial here to implement OAuth for Twitter, Google and Facebook accounts. I found this to be quite simple with only a few small issues that I was able to solve with simple google searches.
However I have spent several days trying to understand what is happening when trying to use Microsoft Account authentication on my site.
I have watched the video here on registering an application in the Microsoft App Registration Portal. At around minute 6 in the video a short demo shows how to set up the App. You can see my App details in the following screen shot:
In the video at about 7.5 mins in, there is a small section explaining how to test the App by building a URL string.
On submitting the query string to the browser the page is redirected as expected to my App page as you can see here:
In this instance I was all ready signed into my Microsoft Outlook account. If I wasn't signed in I would be prompted to login to a Microsoft account. Logging in, in this case choosing my already signed in Outlook account causes the page to be redirected back to my site as seen in the following screen shot but because the site didn't send the request its not expecting a token sent back for login so nothing really happens. This is expected behaviour, at this point as I was only testing that the Apps end point was working as expected.
[
The next stage is to test the functionality from my website. This is where I always have issues. To activate the OAuth functionality for Microsoft Account login requires simply un-commenting a couple of lines of code within the Startup.Auth.cs file in my websites App_Start folder and passing in the Apps ClientKey and ClientSecret values as can bee seen in the following code snippet:
app.UseMicrosoftAccountAuthentication(
clientId: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientID"],
clientSecret: System.Configuration.ConfigurationManager.AppSettings["MicrosoftOAuthClientSecret"]);
This code basically adds a little button to the login page that allows you to choose Microsoft login as can be seen here:
[
When I click the Microsoft button I get the following error page:
And the query string returned contains the following:
https://login.live.com/err.srf?lc=2057#error=unauthorized_client&error_description=The+client+does+not+exist.+If+you+are+the+application+developer%2c+configure+a+new+application+through+the+application+management+site+at+https://apps.dev.microsoft.com/.&state=JMxMRuKaOiYWCQw_Uqkhv3gLQn3ULlkG2miM4ymcHhTK5niXVQl5n4L0a6VoWeEKmFM7T1ciU2oQAh26_Y0i2DMjdt6BOAtpjNeMaSpBq4wbCjva9lOuctOUIWwoFdTEGvxJ4M904lUsoudd9e9cYi6eiH3JF81HB5ouQSus2ddE1sVUQLw-YB1GjUL79y2muFaBFIOIOk75oCV2IxX4cFO2rJU04K9Se6gxu698WpzR8taUB2c6tK9u0dBisckhavf0IvKB9dWQq-IVwQgvaA
Anybody know why or what is happening????
Now I have read in several of my many searches while trying to understand whats happening when I try to test the App from my site rather than a URL directly in the browser that I should have
/signin-microsoft
appended to my Redirect URL in the App Portals configuration. I have Tested with my Redirect URL set like that and this does not work. I get a HTTP ERROR 500 sent back because the page signin-microsoft does not exist. So this is not my problem.
Please help if anyone has had the same issues and solved it.
EDIT: I should have mentioned that I was initially trying this using Local IISExpress but after reading some posts saying it can be done only on IIS so I published my site locally to IIS.
Related
I am trying build up a Staging Environment for an ASP.NET MVC Web App, but am stumbling from problem to problem, the last one having been this one: HTTP 500.79 Error / System.UriFormatException when deploying ASP.NET App to Azure Web App
Currently I am getting a HTTP 403 - Forbidden, "You do not have permission to view this directory or page." error when trying to access the page.
Authentication-wise the App uses Azure Active Directory as Authentication Provider, which is working fine in local testing (using a Test-AAD) and in production. The local and productive apps are not using Azure Web Apps. I noticed on the Azure App Service page that there is a possibility to specify authentication right within Azure, but I don't really want / need to use that, as everything is specified within the app resp. configured in the web.config (ClientID, ClientSecret and Tenant). Anyway, when I tried filling in the Authentication on Azure directly it did not work either, so I removed it again.
What happens now is that the redirect to the Login page on login.microsoftonline.com works, and according to the AAD Admin the login attempt is being successful, or at least shows no pecularities. However, when being redirected back to my page, I get a generic 403, without any additional information that could help pin the problem down.
I did check all sorts of logs for further details, and the only pecularity I found is that for some very odd reason, all requests are made to a completely gibberish URL:
Requested URL / specified Reply URL: https:\\skillmanagementtest.azurewebsites.net
Actually requested URL according to logs: https:\\Skillmanagementtest:80
I have absolutely no clue where this URL originates from, however, "Skillmanagementtest" with that capitalization seems to be the name I specified for the Azure Web App:
Screenshot resource group items
The web.config is being transformed properly during the CI/CD pipeline and I double-checked the auth settings there (tenant, clientID, clientSecret), and I am really out of ideas what may be causing this problem.
One hint I found on other problems was to check the IIS logs, but when I attempted accessing the directory these logs were said to be placed in I was rejected access, even though I have owner permissions on the App Service...
UPDATE
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
Check to ensure that what you have in your web.config and app settings matches what you have in the reply URLs for your app registration in the portal. There may be some reference somewhere where the reply URL does not match.
Are you using the openid sample? https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Also ensure that you are logging in with a user who has the right permissions under the tenant and to the app itself. My colleague and I made a short video that includes the right configurations that may be helpful for this use case. https://www.youtube.com/watch?v=MohaxN6fsDs
After a long and weary process of trying stuff out and discussing we finally got the App up and running. Some observations we made which may be interesting for others with this or similar problems:
The role-based authorization did not work because we forgot to specify the App Roles in the App registration's manifest file, and then link the security groups to the application roles. Check here for more info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
We had one API which is only visible within our company's domain. As an Azure Web App runs outside that domain, trying to access that API resulted in an internal server error. We still have to find a solution for this.
We had a situation where requests to the reply URL after authorization would be redirected from HTTPS to HTTP. We have solved this, but as five people were trying out stuff consecutively we don't know currently what the fix actually was. We may create another Azure Web App which may then reveal this part of the solution.
I created a new ASP.NET MVC WebApplication in Visual Studio 2015 with the options to use School or Work Accounts to authenticate against an AzureAD. This worked fine.
Then I converted the Project to an App for Office Project as an Excel Task-Pane Add-In.
Then when I start the Application it starts an Excel Spreadsheet with a taskpane showing the request to login with Microsoft. When selecting an account or choosing to log-in with another account I get redirected to login.mocrosoft.com in a new Browser but receive the following error:
IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce
is null. A nonce cannot be validated. If you don't need to check the
nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.
The URL shown in the new browser is "https://localhost:44300/" since I am debugging locally I take it.
Is this an issue because the authentication originates from the Task-Pane? Is the Task-Pane the same as an iFrame? If so it could be a similar issue as the following problem: OpenIDConnect Azure Website hosted in an iFrame within Dynamics CRM Online
Can I simply set the RequiredNonce to false? If so how?
Please help me to create an App for Office with Authentication against an AzureAD / Office365Domain? The AzureAD I am authenticating against is my private Free MSDN Subscription currently, wanting to use the company's Office365 AzureAD in future.
I am using Office2016, VS2015, Microsoft.Office.js Version 1.1.0.9.
First, it is feasible to do what you are looking for, have a look on my add-in: Keluro Mail Team. Keep on working, you'll manage to make things work^^.
Step1
First, start with the most simple scenario: your auth process should work in a standard window we sill see the sandboxed iFrame later. Check your OAUTH flow when browsing your 'app directly', i.e. test your authentication as a plain regular web app which is served in your case at https://localhost:44300/". To avoid javascript errors remove all Office.js related stuffs and the Office.Initialize function.
From the error message dealing with Nonce, I bet you are implementing a code authorization flow. This should be more or less something that looks like this sample. In this code authorization flow, the token and the REST requests are made by your server using an authorization token. Meanwhile authentication between your server and your web app is made with a plain old asp.NET cookie (in the sample above at least). This scenario is OK for our purpose, I use it too. To complete this step, try to request some basic stuff that is not related with Office.js but only with the Office 365 REST api. In one word forget that your developing and Office add-in, image you are developing an Office 365 web app.
Step2
Now that you completed Step1 you can go for step 2: make things work in a sandboxed iFrame within Office. Have a look at this blog post from Richard DiZerega. This is the most reasonable approach to handle OAUTH flow in a sandboxed environment. If you are using the sample mentioned in Step 1 above, the authentication between your server and your app is made using an asp.NET cookie. Following, Richard's guideline you could keep it in a server-side cookie dictionary after the popup OAUTH flow is completed and then set it in a request from the original iFrame. To recognize that the two windows correspond to the same user you can generate (cryptographically secure!) an id that you can pass in the two requests (parameters are encrypted in https). Ok that is complicated but it works. The SignalR technique Richard talks about is a plus for user experience but is not mandatory, that could be a Step3.
I solved my issue by adding https://login.microsoftonline.com and https://login.live.com to the App Domains in the App Manifest. I dont understand the technology, so I cannot comment on why this works, but the solution works for me.
I'm about to build a console application that needs access to the authenticated YouTube Data API. Calling the API's themselves is not a problem, I know quite well how to make and process HTTPS requests.
I've already gotten the API key and the Client ID. No problems there, either.
The problem is the authentication.
I've checked here: https://developers.google.com/youtube/v3/guides/authentication#installed-apps
On the "Installed applications" tab, in step two, it instructs on how to set up a url to call to do the authentication step. All good so far. But before programming anything, I thought I'd try and see what that url does in the browser.
Turns out it just displays a login prompt. Well how about that. That won't work in this kind of console application. The idea is, presumably, that the user is somehow shown this webpage and be instructed to login and allow access. Then, somehow, by some kind of magic perhaps, the access token is sent back to my console application.
Two things I'm not quite sure about:
1) How do I prompt for the username and/or password in the console app and send that to the authentication URL?
2) How would I get the access token back from it?
The biggest problem is that the API seems to require a browser... Which isn't there. My console application will (eventually) run unattended, so starting up a browser and displaying a webpage and doing nothing until it returns a code, is out of the question. I need to somehow supply the authentication page a username/password and get back the code right away.
I am brand new to SalesForce development, and want to explore the API and its capabilities. I have created a new Developer Edition account. I have not yet tried to access the API programmatically, but I am trying (unsuccessfully) to access it via both the Workbench ( https://workbench.developerforce.com/login.php ) and the Apigee Console ( https://apigee.com/console/salesforce ).
For some reason, in both cases I'm redirected to a URL with OAuth error code 1800 (e.g. https://na15.salesforce.com/setup/secur/RemoteAccessErrorPage.apexp?oauth_error_code=1800&display=popup in the Workbench case). At this URL, I am getting a screen with the text "Remote Access Authorization Error" - "There was a problem in setting up your remote access". What am I doing wrong?
Some additional details:
I can log into SalesForce just fine, the problem only occurs with API/OAuth access
I have not touched anything in my brand-new Developer Edition account, except for (1) populating it with some sample data (Leads, Accounts, Contacts), and (2) resetting the security token (through "My Personal Information" -> "Reset My Security Token")
On the WorkBenh login screen, it does not matter which API version I choose (tried 24, 25 and 26), and I am using "Production" for the Environment since my login doesn't seem to work at all for Pre-Release or Sandbox
(not a real answer, I expect to update it frequently as the situation develops)
Weird.
Yes, Developer Edition is a "Production" as far as connecting apps are concerned. You might have to file a Case with Salesforce Support (Help&Training link in the upper right corner).
Workbench does use API (and probably so does this Apigee thingie) but if you're using your username & pass I don't see how it might go to OAuth...
Can you download any other SF-related tooling (Data Loader, Force.com IDE, Real Force Explorer, Excel Connector, some iPad/Android app... hell, Chatter for Desktop even) and try the connectivity?
Sometimes API products don't display special field for the security token (which you can bypass by entering longer string in the password field: "passwordSecurityToken") but Workbench never asked for a token when I was accessing my Dev. Edition.
There was an issue with OAuth on NA15, but should be resolved now. I tested with Workbench with a brand new NA15 org and its working as expected.
I've run into this when I try and "short circuit" the auth url by decoding the startUrl param and going straight to it in a tab that's already logged in. For example
login to some org on na14.salesforce.com
click sfdx authorize an org in vs code with default url
get sent to a url like https://login.salesforce.com/?startURL=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3D<long_base64_encoded_string>
use a url decoder (i.e. https://meyerweb.com/eric/tools/dencoder/) to translate that to https://login.salesforce.com/?startURL=/setup/secur/RemoteAccessAuthorizationPage.apexp?source=<long_base64_encoded_string>
change the url to match the domain i'm logged in as, i.e. https://na14.salesforce.com/?startURL=/setup/secur/RemoteAccessAuthorizationPage.apexp?source=<long_base64_encoded_string>
go through the standard oauth grant
success
For the most part that works fine, but in some cases I get that wonderful oauth error 1800. In those cases I've been able to work around the issue by specifying the specific domain my instance is on when starting the oauth authorization. Using the above example for step 2 I would chose https://na14.salesforce.com for the the url (other oauth flows typically provide a similar custom url input, but ymmv). Voila, step 7 is successful.
Can't say for sure if that's exactly what will happen for others.
I have a BlackBerry java-based app that works with salesforce data and uses oauth 2 for authentication. It has been working fine until recently when users have been complaining that once they get to the accept/deny salesforce oauth page, clicking on Accept button displays a salesforce 404 page.
I attached a debugger to the bb simulator (OS7) and found that everything was working fine up to the point where a POST is made to salesforce on pressing the ACCEPT button in the final stage of authentication/authorisation via salesforce oauth2 user agent flow. At this point, the post would succeed and the response body would contain some markup with a small JavaScript block that just performs a document.location.href assignment to force the browser to navigate to a new URL. I noticed that the URL was not what I was expecting - I was expecting to see the redirect_uri callback address + the access token etc data appended to the end of it (as per the sf oauth2 documentation). What I saw instead was a URL that when navigated to leads the user back to a login page with a message saying that they are attempting to access a resource that requires authentication.
If I perform the same flow in say chrome the URL after the post is what I expect. This all used to work just fine so I am confused as to why it would stop working all of a sudden. I've heard that Salesforce changed their oauth 2 implementation back in late 2011 slightly so I wonder if this has broken my client although I don't see how.
As an experiment I removed all of my code except for an embedded BrowserField and made it navigate to the oauth URL as constructed by combining consumer key and various other values as per the documentation and it still fails with a 404 page at the point of clicking on the accept button after a successful login.
If I try the same bootstrap oauth URL in the built in bb browser the full authentication flow works fine and I am eventually redirected to the final callback URL with access token information appended.
Has anyone else out there had trouble with oauth2 user agent flow on BrowserField (from field2 package)?
Have you tried using the "scope=mobile" parameter? This parameter puts you into a very simplified oauth flow that is optimized for blackberry...we've found they generally have trouble getting through the richer flows designed for iOS/Android. That said, I haven't heard of them having issues on BB7...only the 5 and sometimes 6 series
If that fails, could you open a support case with us?
Try also "display=mobile" and "scope=api web" (with a space), depending on what you are trying to access after OAuth.