I have 2 keys (api key, sub key), one is a querystring parameter, the other is a header. In Zapier, in an app that you've already created, you can "Manage Authentication Settings", and whether you have one Header Key, and a Querystring key, a username, a pass, you only have one "Manage Authentication Settings" button.
Inside the Manage menu, you can select settings that are then applied to ALL FIELDS AT ONCE. You can select the Auth Type, either ApiKey(querystring), or ApiKey(headers), one or the other, but you cannot designate one field as being a querystring, and the other field as a header. On the bottom, you can select the Access Token Placement. Whether, header, querystring, or both, again, applied to all auth fields.
So far as I can tell, the "Both" token placement does nothing.
Long story short, I need to specify which one is the header, and which one is the query string. Currently, the querystring side is working fine, and I'm getting an error from our server for the header being missing. Is this something that can be done in Zapier? If so, how?
Related
We are using KeyCloak as SSO directory for our application. We use OAuth 2.0 protocol.
We have defined one custom attribute in KeyCloak, and this attributed has "MultiValued" properties on.
Then, each user has multiple values entered as value1##value2##value3
For some users Keycloak correctly send the attribute in the ID token as an array of values, such as ["value1", "value2", "value3"]
But for some other users, the string is passed as it is entered "value1##value2##value3", which is not correct.
I'm struggling finding why these different behaviours occur.
Has anyone seen the same problem ?
Thanks a lot
Keycloak uses ## as a delimiter internally, this is ok. Make sure you have marked the value as multivalued in the clients mapper.
After doing this i went from getting only the last element to getting all elements.
I want to store the unique user id returned in the response by an Oauth provider in my SQL database. I've seen some posts suggesting that varchar(128) should be enough. Are there any providers whose user id extends this limit? I have checked the docs for some of the more popular providers like Google, Facebook and Github but I can't seem to find any information about the size of this user id.
OIDC defines the sub claim as:
A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.
So better use VARCHAR(255).
I am writing an application in asp.mvc. I have a view that displays a Product with specific id and on with that view user can modify the Product. There is a dropdown list with colors, that user can select. Range of available colors depends on user's permissions, not all users have access to all colors.
When user clicks "Save" button an ajax request us sent to server with ids of Product and selected color.
Here is the problem:
When user opens the page I check if he is authorized to edit the product with id provided in url and I display only those colors that user can access. But I have no guarantee that user modifies the ajax request sent when he saves the Product. So I can display Product with id 1, and colors with id 12, 13, 14, but user can manually alter the request and change Product id to 3 (which he is not permitted to edit) and select color to 15 (which he shouldn't even see).
In good old webforms this wasn't a problem, because id of product could have been saved in viewstate, and on server side I checked which index of dropdown was selected and then I knew what is the id of selected item (stored in viewstate or controlstate). How do you solve this problem in MVC? Do I have to check if user has access to each element twice, when I display the data and when I receive it, for example in "Save" request?
Even ViewState without protection and care can expose your web server to malicious content. Please note:
Because it's composed of plain text, the view state could be tampered with. Although programmers are not supposed to store sensitive data in the view state (credit card numbers, passwords, or connection strings, for example), it goes without saying that the view state can be used to carry out attacks on the server. View state is not a security hole per se, but just like query strings and other hidden fields you may have used in the past, it's a potential vehicle for malicious code. Since the view state is encoded, protected, and validated, it does provide more security features than other hidden fields that you may use for your own programming purposes.
as Dino Esposito states here.
You've got three options:
Protect (encrypt) your hidden fields (current productId and colors) and validate them on server after a user posts.
Use sessions (store current user's working context, i.e. productId and colors), in case option 3 is too resource consuming or you don't want to maintain huge amount of validation logic on server.
Validate permissions for the objects after user posts. In case option 2 cannot be accepted (you don't use sessions at all).
I agree with RononDex's answer. Session provides you with an easy means of storing data on the server for the user, without exposing that data in way they can manipulate.
So you could store the product ID like so:
Session["ProductId"] = however you get the id.
Plus you can store the colours:
Session["Colours"] = // Whatever you want, an array of int or List<int>
There are caveats with session state though, including that it can be wiped, be it by an expiration of that session (which you can control the number of minutes before that takes place), or an application pool refresh, so bear that in mind.
This might also be good reading for you:
http://brockallen.com/2012/04/07/think-twice-about-using-session-state/
So there are pros and cons to session state. If you decide to not use session state, and instead store the ID values in hidden fields in the HMTL, then please do consider hashing, or encrypting, those ID values so that a user cannot see what they are, or try to alter them.
TempData is used in cases to maintain state, it is stored on the server for one user request.
I have an application that shows many charts and tables using JQuery. Some of these charts are based on variables that are saved in the session (E.g. user added a value in another page and in the next page I am generating a chart, so the user request doesn't send any parameters)
I was looking around on the net and most of the solutions are based on
[OutputCache(Duration=60, VaryByParam="someParm")]
The problem is most of my request don't send parameters, they just use values that are in the session.
Is there any way to enable cache for these kinds of requests?
Edit: We have a complex security requirement that we couldn't use the default authorization attribute of MVC. We had to write logics based on the current user + the parameters sent to the action, so a method inside the action decides either to go ahead with the request or returns nothing. This makes caching very difficult because at the time OutputCache is executed we just have parameters, but identity object in the context is empty. As a result, if a user with admin privilege send a request for a and b and after him someone with minimum privilege send request for a and b, the second person will see the result because the action didn't run, but the value from the cache is used!
To solve this problem I used the getvarybyCustome. All this function does is to return user's group name which helps to create a more complex key. The person with minimum privilege in the last example will have different cache key (a,b,group_less) than the admin's request cache key (a,b,group_admin). However, getting's group name for each request is expensive as well, so I use Cache object to cache user's group, so at the beginning of the session the user's group is queried from AD and saved to cache, so for his/her later requests, his group name is retrieved from cache.
If something you can't achieve by VaryByParam then you can try VaryByCustom. See an example here
You could make a redirect of this request and send it to a new controller method sending the session parameters, by this way in a future implementation may be you use query string parameters instead of session and your code will work too.
You could make a method for conversion of this session parameters on a base class of all your controllers, to write the conversion once.
I'm trying to send the user id (integer) from a view to the action. If I pass it using routevalues object, the user id will be visible in the browser address bar.
How can I pass user id from view to the action without using aforementioned method??
You can use a hidden input element inside a form. You should generally use POST, not GET (i.e. use a form, not an a href) for anything that is changing data in your system.
The user id is commonly inferred from your authentication mechanism (cookie etc), so for the current user you shouldn't need to pass it around.
The main time you would include this in the request is when the page being displayed relates to users - and in particular where you (or an admin) want to browse other users records - then you might use "/users/current/orders" (use the cookie) or "/users/12345/orders" (and you should verify permission to browse 12345).
Note that if you use /current/ or similar, you should ensure it isn't cached between different users - so in many ways it is simpler to just show the user-id and to heck with the url; just go for the simple "/users/12345/orders" case.
What is the scenario here?