I see these invalid HTTP requests in the server log.
The request URI includes scheme+hostname+port.
1.2.3.4 [13/Jan/2017:04:20:01 +0000] GET http://www.DOMAIN.hu:80/munkaugyi-segedanyagok/minimalber-2017-kormanyrendelet HTTP/1.1 403 http://m.facebook.com Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Mobile/14C92 [FBAN/FBIOS;FBAV/75.0.0.48.61;FBBV/45926345;FBRV/46260258;FBDV/iPhone8,1;FBMD/iPhone;FBSN/iOS;FBSV/10.2;FBSS/2;FBCR/TelekomHU;FBID/phone;FBLC/en_US;FBOP/5]
All other requests from the same visitor suggest a legitimate user.
Could it be the Facebook app for iPhone?
It turns out most webservers support absolute request URI-s.
https://www.rfc-editor.org/rfc/rfc2616#section-3.2.1
An HTTP client may send requests with absolute request URI-s like the ones in proxy requests but with the same domain name.
Related
I am trying to get OpenID Connect authentication working for my legacy ASP.NET MVC application. My ASP.NET MVC application will be the Relaying Party and a business partner of ours will serve as the Identity Provider.
To get familiar with what I'll need to do I created an account on Auth0 and created a new App for a Web Application. I then downloaded their ASP.NET MVC OWIN quickstart from GitHub. I got everything setup and I am able to authenticate successfully with Microsoft Edge and Firefox. But with Chrome the workflow goes like this:
Visit localhost:3000
Attempt to access a protected resource, which redirects me to localhost:3000/Account/Login
/Account/Login creates the challenge, which does two things: (1) Creates the Nonce cookie, and (2) redirects the user to Auth0's /authorize endpoint
I successfully login on Auth0's login screen
A POST request is made to the /callback endpoint on localhost:3000
I get a Yellow Screen of Death with the following message:
IDX21323: RequireNonce is 'System.Boolean'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Examining the HTTP traffic I see that the issue with Chrome is that in step (3) - when the server sets the Nonce cookie in the 302 Redirect - Chrome is not saving it. Therefore, when step (5) happens the browser does not send any Nonce information to the server and validation fails.
This is evidenced by the HTTP traffic at step (3) and (5). Here is the localhost response on step (3). You can see that it is telling the browser to store the Nonce cookie:
HTTP/1.1 302 Found
Cache-Control: private
Location: https://whatever.us.auth0.com/authorize?client_id=gYb3FOL5OWK419L8...
Set-Cookie: OpenIdConnect.nonce.fRunx5CPoGdhTRM3mgqpn62m9SFkH4AszKWpOOk8LV0%3D=T1NPQjNlYTgtQ...; path=/; expires=Sat, 18-Jul-2020 20:47:59 GMT; HttpOnly; SameSite=None
But after I am redirected to Auth0 I can check Chrome's cookies and it does not have the Nonce cookie in its cookies collection for localhost. Moreover, when step (5) hits, the browser request looks like so - no mention of the Nonce cookie:
POST http://localhost:3000/callback HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
code=DANVniZ296OzQW...
This results in the error aforementioned.
(When I examine the HTTP traffic using Edge or Firefox, in step (5) I see the browser sends the Nonce cookie, whereas it's missing entirely from Chrome.)
I am using Chrome version 84 and Windows 10. I also tried this on an old computer at home with Windows 7 (and Chrome 84) and experienced the exact same behavior.
What is going on here and, more importantly, how do I get it to work? My initial assumption was that maybe it was a SameSite cookie issue, but I don't think that's the case because I can see that the cookie isn't get created in the first place (it's not that it exists, but just isn't being sent on the redirect to localhost). Moreover, the Nonce cookie has SameSite=None, so that shouldn't matter, right?
Thanks
Figured it out with the help of a colleague...
Chrome won't save the cookie when using SameSite=None if the traffic is over HTTP. Needed to setup Visual Studio to use HTTPS. Once I did that, things worked as expected.
I'm trying to refresh the oauth2 token using ClientOAuth2.Token.refresh() but keep getting the error sometimes:
{"error":"invalid_grant","error_description":"Session not active"}
This is the request which I captured by Fiddler
POST [URL]= HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 2250
Accept: application/json, application/x-www-form-urlencoded
Origin: http://localhost:8080
Authorization: Basic YXNpbW92LWRldi1laGlzLXdlYjo=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: cors
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: cross-site
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en,vi;q=0.9,de;q=0.8,vi-VN;q=0.7,en-US;q=0.6,en-AU;q=0.5
refresh_token=[token]&grant_type=refresh_token
Maybe somethings wrong with my setting on KeyCloak account. Are there any suggestions?
You need to add the scope offline_access when retrieving the original token, otherwise you won't be able to refresh it when the related user session is not active (this is specific to OIDC, not oauth2).
Could be that your refresh token grant message is incomplete - missing a client ID or offline access scope - see the Refresh Token Grant section of my article on OAuth messages.
It is because you are logged out from you client application. That's why it giving you the error.
I'm currently using the form data method to upload a video to youtube api, but I have been receiving the following respond error
"message": "Uploads must be sent to the upload URL. Re-send this request to https://www.googleapis.com/upload/youtube/v3/videos?part=snippet,statistics,contentDetails&mine=true&access_token=ya29.ImGUB0a_t9jFeGl1jxduJWSr6qgOKtzb7UpJNMxjyX-U7tkwCTvBx1nEMWunodpyKoULnQqfBkxgzxvs1S27_LTPRIqkTokWHh7quTMssHpRGRpaQiCJzGxKV3wxWjypqQMk"
Youtube v3 API link
The following is my request
Request URL: https://www.googleapis.com/youtube/v3/videos?part=snippet,statistics,contentDetails&mine=true&access_token=ya29.ImGUB0a_t9jFeGl1jxduJWSr6qgOKtzb7UpJNMxjyX-U7tkwCTvBx1nEMWunodpyKoULnQqfBkxgzxvs1S27_LTPRIqkTokWHh7quTMssHpRGRpaQiCJzGxKV3wxWjypqQMk
Request Method: POST
Status Code: 400
Request Headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFpMCekYXv6NAPEKN
Origin: http://localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Mode: cors
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
X-Requested-With: XMLHttpRequest
Query string:
part: snippet,statistics,contentDetails
mine: true
access_token: ya29.ImGUB0a_t9jFeGl1jxduJWSr6qgOKtzb7UpJNMxjyX-U7tkwCTvBx1nEMWunodpyKoULnQqfBkxgzxvs1S27_LTPRIqkTokWHh7quTMssHpRGRpaQiCJzGxKV3wxWjypqQMk
Can someone tell me what went wrong? very thankful.
I Use Youtube API V3 , my web page request bots request so my api result is too many Request this Ip
Bots Example :
1 Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help#moz.com)
2 Mozilla/5.0 (compatible; AlphaBot/3.2; +http://alphaseobot.com/bot.html)
this type many bots request my website www.watchyoutubevideo.com
Example bots Google,Bing,Yahoo etc bots ....
how to solve
help me
thank you
I have build a number of REST interfaces in app engine and while debugging a request on my iPhone client and via Chrome, I noticed that two identical requests had different responses sizes:
"GET /card?omid=2 HTTP/1.1" 200 1468 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"
"GET /card?omid=2 HTTP/1.1" 200 10669 - "Null Society 1.83 (iPhone; iPhone OS 6.1.3; en_US)"
Note that the identical request from the iPhone client is 7x larger than the one from Chrome. These requests were a minute apart, and my server-side code does not distinguish between clients for determining responses. In this particular request, the server merely reads the query variable, "omid", and returns the appropriate data.
The only thing I can think of is that app engine natively compresses data by client? Seems weird though. Any help would be appreciated!
In the response section of the GAE docs it notes:
If the client sends HTTP headers with the request indicating that the
client can accept compressed (gzipped) content, App Engine compresses
the response data automatically and attaches the appropriate response
headers. It uses both the Accept-Encoding and User-Agent request
headers to determine if the client can reliably receive compressed
responses. Custom clients can indicate that they are able to receive
compressed responses by specifying both Accept-Encoding and User-Agent
headers with a value of gzip.
https://developers.google.com/appengine/docs/python/#Python_Responses
That sounds like it could explain what you are seeing.