After successfully connecting to the server, ie. after a successful callback to
- (void) xmppStreamDidConnect:(XMPPStream *)sender
I sometimes get an authentication failure, ie. the following callback is called:
(void) xmppStream:(XMPPStream *)sender didNotAuthenticate:(NSXMLElement *)error
The NSXMLElement looks like this:
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/><text>The response provided by the client doesn't match the one we calculated.</text></failure>
Like I said, I get this once in a while. I've traced the issue and I've tried several things so far.
Things that's I have looked into and I can confirm so far:
The username and password are 100% correct
I'm using the SCRAM-SHA-1 authentication mechanism (XMPPSCRAMSHA1Authentication)
My server supports the PLAIN mechanism as well and it fails with that as well (XMPPPlainAuthentication)
If I try to force a disconnect when I get this error ([xmppStream disconnect]) and then in the xmppStreamDidDisconnect callback I try to re-open the stream ([xmppStream connectWithTimeout:XMPPStreamTimeoutNone error:&error]) then I get into an infinite loop because the authentication fails consistently
Now, I looked into this even further and when using the SCRAM-SHA-1 mechanism it looks like it fails on the second challenge. The client sends something (seemingly valid) to the server but the server doesn't like it and throws the not-authorized error.
Thoughts anyone?
You have to check your username and Password. If you are passing wrong username and password for authenticate/Login then this didNotAuthenticate method will be called
Related
I'm working with a really strange (and nasty) API that I have no control over, and unfortunately when an invalid request is made, instead of responding with a 4xx status, it responds with a 200 status instead.
With this response, it also changes the response body from the usual XML response to plain text, but does not change the content type header. You can imagine how annoying this is!
I've got Siesta working with the API and the fact that it is no actually RESTful in the slightest, but I'm unsure how to get the next part working - handling the unsuccessful requests.
How do I go about transforming a technically valid and successful 200 response, into an error response? Right now I have the following setup:
configure("/endpoint") {
$0.mutateRequests { req in
... perform some mutation to request ...
}
$0.pipeline[.parsing].add(self.XMLTransformer)
}
configureTransformer("/endpoint") {
($0.content as APIResponse)
.data()
.map(Resource.init)
}
This is working just fine when the response actually is XML, however in the scenario where the response is an error, I receive the following:
bad api request: invalid api key
or something similar to this. The XMLParser class is already handling this, and in turn marks itself as having come across an error, however I don't know how to make Siesta realise that there is an error, and to not call my transformer but instead mark the request as failed to I can handle the error elsewhere.
How can I achieve what I'm after?
configureTransformer is just a common-case shortcut for the full-featured (but more verbose) arbitrary transformers Siesta’s pipeline supports. Full transformers can arbitrarily convert any response to any other, including success → failure and failure → success. The user guide discusses this a bit.
You can see this in action in the example project, which has a customer transformer that does something very similar to what you want, turning a 404 failure into a success with the content false. It is configured here and defined here. That example does a failure → success transformation, but you should find the code adaptable for your success → failure purposes.
I am working on iOS application and facing one strange issue. I am using AFNetworking framework to communicate with server (HTTPS communication). I am retrieving student data from server by using "getStudentData" web service API. It is post request. It works for all user ids except one. It fails when we have a data for more than 450 students. Below are the error details,
Error Domain=NSURLErrorDomain Code=-1017 "cannot parse response" UserInfo=0x7bf9c7d0 {NSErrorFailingURLStringKey=https://www.fdmobileservices.com/mAccountsWeb/services/speedpass/rpc, _kCFStreamErrorCodeKey=-1, NSErrorFailingURLKey=https://www.fdmobileservices.com/mAccountsWeb/services/speedpass/rpc, NSLocalizedDescription=cannot parse response, _kCFStreamErrorDomainKey=4, NSUnderlyingError=0x7bf9a380 "cannot parse response"}
As per error description, It tells "Could Not parse", so I think it may be due to server is returning "nil" or some data other than JSON format.
But I am not able to trace it since from application side it directly goes into below method,
- (void)connection:(NSURLConnection __unused *)connection
didFailWithError:(NSError *)error
Is there any way from application side to trace root cause? This method works for other user login except one.
I tried using web client to access this service by same user login, it works well and return data of 450 students. I think due to some reason iOS network layer rejects this. I am trying to find out.
Thanks in advance.
As you can see here, kCFURLErrorCannotParseResponse = -1017. So probably this is saying that there is something wrong in the parameters.
If You're using AFNetworking 2.0, I suggest You to deep debug your response flow with severals breakpoints.
Specifically try to set a breakpoint on AFURLResponseSerialization.m at the start of the method:
- (id)responseObjectForResponse:(NSURLResponse *)response
data:(NSData *)data
error:(NSError *__autoreleasing *)error;
Inside the method, if the below condition is true, probably there is something wrong (but you can step into validateResponse:data:error: to better understand what's wrong):
if (![self validateResponse:(NSHTTPURLResponse *)response data:data error:error])
If the above condition is false you can then check about the generated responseString:
NSString *responseString = [[NSString alloc] initWithData:data encoding:stringEncoding];
If you're expecting json data, check that responseString is not nil and data data is valid, maybe also the stringEncoding.
Also ensure that the contentType that you're receiving is the one you're expecting.
Until few days ago everything worked fine. But after some changes on FitBit new user can not get OAuth handshake anymore. The problem is when I receive temporary tokens and make call to finish handshake and receive credentials.
So in first step I get:
TOKEN: 1a227cfde686220183763946a98173bc and VERIFIER: p2g5ims7o4ffscev603rbif05g
and in second step I use theme to make call to https://api.fitbit.com/oauth/access_token ...
Signature Base String is:
POST&https%3A%2F%2Fapi.fitbit.com%2Foauth%2Faccess_token&oauth_consumer_key%3D7c5e888aa3dd4d17a26d82a7f541b278%26oauth_token%3D1a227cfde686220183763946a98173bc%26oauth_nonce%3D5hw45lgu%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1391094796%26oauth_verifier%3Dp2g5ims7o4ffscev603rbif05g%26oauth_version%3D1.0
And by that I receive header (with signature calculated using the same function as in first step)
Authorizing with HEADER: OAuth oauth_consumer_key="7c5e888aa3dd4d17a26d82a7f541b278",oauth_token="1a227cfde686220183763946a98173bc",oauth_nonce="5hw45lgu",oauth_signature="X4udgn9A7Q2xI%2FN38QELl%2BIDVqM%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1391094796",oauth_verifier="p2g5ims7o4ffscev603rbif05g",oauth_version="1.0"
That should work but I get 401 error saying:
{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'JNGSIMomid/oghtWGrz7crC6KhM=' or token '6c45d0ce39195e848da14cad0a4f9719'"}],"success":false}
I have been working od that for 7 hours now ... and as far as I can see everything is OK ... Error is saying about field name oauth_access_token ... This fields doesn't even exist. I tried anyway and recived error saying that security is not OK ...
Any Idea?
I had the same problem. After doing some research I noticed that the API has changed and the lib I was using was out dated.
To fix that, I updated my lib and did some code changes.
Here is the link of a .Net implementation after the change:
https://github.com/aarondcoleman/Fitbit.NET/wiki/Breaking-Change-on-1-24-2014-as-a-result-of-OAuth-update-in-Fitbit-API
Regards,
Fredy
I am using the Thinktecture.IdentityModel 4.0 samples for WebApiSecurity. I've modified the AdfsSamlClient to use our ADFS Server. I am able to get a SAML token from out ADFS Server using
var channel = factory.CreateChannel();
var token = channel.Issue(rst) as GenericXmlSecurityToken;
Then I try to make the service call
var client = new HttpClient { BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("AdfsSaml", saml);
var response = client.GetAsync("identity").Result;
And get a 401 - Not Authorized call.
I am not sure how to debug this. I have tracing for Microsoft.IdentityModel, but it is only information level trace, no errors or warnings, and nothing I am able to use to debug.
The interesting part of the service trace:
1.
Description OnEndRequest is redirection to IdentityProvider '/WebHost/api/identity'
2.
Description CreateSignInRequest
BaseUri https://[ADFS...]/adfs/ls/
wa wsignin1.0
wtrealm https://[WorkStation...]/WebHost/
wctx rm=0&id=passive&ru=%2fWebHost%2fapi%2fidentity
3.
Description Redirecting to IdentityProvider: 'https://[ADFS...]/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f[WorkStation...]%2fWebHost%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebHost%252fapi%252fidentity&wct=2013-09-30T17%3a35%3a04Z'
Thanks for any insight.
Main thing that springs to mind is to make sure the server knows how to handle the "AdfsSaml" scheme that you're using, so you'll want to make sure that your mapping is correct to your token handler.
One thing I tried was to create my own token handler, and mapped that as the token handler for the header. If you want, you can start with Thinktecture's own HttpSamlSecurityTokenHandler, and debug your way through that. Obviously, if it never hits it, then you've got a mapping issue somewhere.
I also found that if an exception was thrown in the ClaimsAuthenticationManager, it would report as unauthorized - even though the exception being thrown was something completely unrelated (in my case, an InvalidCastException). That stumped me for a while, because I hadn't realise that authentication had gotten so far down the pipeline and that validation of the token had actually been successful - I was just checking the HTTP response, which kept saying unauthorised - so make sure you're not being misled by anything trivial like that.
At the second call to Client.ProcessUserAuthorization(); after I get the code from the oauth server, I get an exception: Error occurred while sending a direct message or getting the response.
Here is the last part from the log file taken with log4net, the full log is recorded in this gist: https://gist.github.com/tonyeung/5513769
2013-05-03 15:14:41,292 (GMT-5) [10] DEBUG DotNetOpenAuth.Messaging.Channel - Sending AccessTokenAuthorizationCodeRequestC request.
2013-05-03 15:14:41,393 (GMT-5) [10] DEBUG DotNetOpenAuth.Http - HTTP POST http://localhost:38828/OAuth/Token
2013-05-03 15:14:41,450 (GMT-5) [10] ERROR DotNetOpenAuth.Http - http://localhost:38828/OAuth/Token returned 400 BadRequest: Bad Request
2013-05-03 15:14:41,450 (GMT-5) [10] DEBUG DotNetOpenAuth.Http - WebException from http://localhost:38828/OAuth/Token:
{"error":"invalid_request"}
I've uploaded the solution to https://github.com/tonyeung/dotnetopenauth
The entry point is in the about action on the home controller of the Client project.
The solution is in VS2012, the latest nuget dnoa package. Nuget restore is on.
Please note that I'm implementing pieces as I need them in order to understand how the library works. I'm sure that this error is due to a missing implementation somewhere, but I'm not sure what it is?
So it looks like I was missing implementations for IsAuthorizationValid and CreateAccessToken in the Authorization Server. Please check the github repository for the stubs i put in that makes the error go away.
EDIT:
There was also a database validation error that I didn't trap. So basically any error on the server side will cause this message it looks like.
EDIT2:
There was also an issue where if the url of the page contains any non url encoded values it will throw an invalid request. In my case, my login page had a querystring parameter of returnUrl, and I had set it to /Home, which it DID NOT like, had to be: %2FHome