Changed domain error - OpenId auth request contains an unregistered domain - asp.net-mvc

I set up a project on my main domain example.com and then moved it to a subdomain, sub.example.com.
Now when I try to use the same project (default ASP.NET MVC, or on my Discourse forum) with OpenID and click on the Google button to log in with my Google account, it throws the following error:
That’s an error.
OpenID auth request contains an unregistered domain: http://sub.example.com
I have tried Googling that message but apparently I am one of the first four people to see it. Any ideas here?

According to this page,
Google closed registration to new OpenID 2.0 clients in May 2014 and will be shutting down the OpenID 2.0 service in April 2015.
The reason why some hosts work and some don't is that although Google isn't adding new hosts, you can still use the ones that are already registered.
UPDATE:
Some people have asked for a simple explanation for how to fix this, or otherwise how to proceed.
Basically, you now have 2 options:
1. Use OAuth 2.0 (instead of OpenID protocols and older versions of OAuth), or
2. Use Google+ login (which Google tried to "push" you towards).
For more details, check the migration guide:
https://developers.google.com/+/api/auth-migration#userinfo

I would like to add some context to this thread together with a potential solution to developers that are currently blocked.
Back in February we announced the deprecation of OpenID 2.0 (OID2), scheduled for April 2015. We also announced that new OID2 relying party (RP) registrations† will no longer be accepted after April 2014.
Given that the API will be shut down in less than a year’s time, our intention is to avoid having new RPs integrating with Google's OID2 API. Instead, we suggest using our OpenID Connect API, which we consider more secure and easier to implement.
Registrations were effectively closed on May 19th (as documented in Google’s OID2 developer documentation). All RPs already using OID2 should not be affected by the closure.
As for developers currently working on an integration with our OID2 API (presumably because they missed the announcement and warnings in our OID2 documentation), we will do our best to minimize the friction caused by the registration closure. If you are in such a situation, please let us know by posting a registration request before June 15th. The post should contain a sample OID2 request used by your application; if you prefer not to disclose such information, please post an email address and we will reach out. We plan to look into each case and try to get you unblocked in the best possible way.
† OID2 does not have a registration procedure for RPs integrating with an identity provider. RPs are associated with the realm value (e.g., www.example.com) used when contacting Google's OID2 API. Thus, an RP is considered "registered" if its realm value has been used to contact our OID2 API.
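The realm rule in the footnote above, as an added example that is not part of the original post or Google's code: it pulls the realm out of an OpenID 2.0 authentication request, checks return_to against it as the OpenID 2.0 specification requires, and shows why a move to sub.example.com yields a realm that was never used before. The endpoint op.example, the callback path and the list of previously seen realms are constructed, and comparing normalised realm strings is an assumption.

```javascript
// Added example, not from the original posts; all URLs below are constructed.

// Extract the relying-party identity from an OpenID 2.0 authentication request.
function parseOid2Request(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const mode = q.get('openid.mode');
  if (mode !== 'checkid_setup' && mode !== 'checkid_immediate') {
    throw new Error('not an OpenID 2.0 authentication request');
  }
  const returnTo = q.get('openid.return_to');
  // OpenID 2.0 section 9.1: openid.realm defaults to the return_to URL.
  const realm = q.get('openid.realm') || returnTo;
  if (!realm) throw new Error('no openid.realm or openid.return_to');
  return { realm, returnTo };
}

// OpenID 2.0 section 9.2: return_to must match the realm's scheme, port, host, path.
function returnToMatchesRealm(realm, returnTo) {
  const wildcard = realm.includes('://*.');
  const r = new URL(realm.replace('://*.', '://'));
  const u = new URL(returnTo);
  if (r.hash || r.protocol !== u.protocol || r.port !== u.port) return false;
  const hostOk = u.hostname === r.hostname ||
    (wildcard && u.hostname.endsWith('.' + r.hostname));
  const dir = r.pathname.endsWith('/') ? r.pathname : r.pathname + '/';
  return hostOk && (u.pathname === r.pathname || u.pathname.startsWith(dir));
}

// Assumption: realms are compared after URL normalisation; the page does not
// say how the provider compares them.
const normalise = (realm) => new URL(realm).href;

function diagnose(requestUrl, seenRealms) {
  const { realm, returnTo } = parseOid2Request(requestUrl);
  return {
    realm,
    returnToValid: returnTo ? returnToMatchesRealm(realm, returnTo) : true,
    registered: seenRealms.map(normalise).includes(normalise(realm)),
  };
}

// Constructed request, as a site would send it after moving to the subdomain.
const sample = 'https://op.example/auth?openid.ns=' +
  encodeURIComponent('http://specs.openid.net/auth/2.0') +
  '&openid.mode=checkid_setup' +
  '&openid.realm=' + encodeURIComponent('http://sub.example.com') +
  '&openid.return_to=' +
  encodeURIComponent('http://sub.example.com/Account/ExternalLoginCallback');
console.log(diagnose(sample, ['http://example.com']));
```

The request itself is well formed (return_to matches the realm); only the realm string differs from the one used on the main domain, which is what the error message reports.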

You can easily change to OAuth 2, this article shows you how to register your app with Google and add the key to MVC. Scroll down to: "Creating a Google app for OAuth 2 and connecting the app to the project."
And you may need to add the Microsoft.Owin.Security.Google package via NuGet.

I had the identical problem, but when using nodejs / expressjs.
I migrated my code using the code at the URL below, and that fixed the issue:
Passport strategies for authenticating with Google using OAuth 1.0a and OAuth 2.0.
https://github.com/jaredhanson/passport-google-oauth

The sub-domains that fail are those that had never seen any user requests before. As per https://developers.google.com/+/api/auth-migration#timetable, Google is not allowing new domains in the OpenID2 API.

I have this exact problem; we use Google's login to run a platform, and it's a brand new problem.
A few things I have discovered, if this helps:
Full domains trying to use OpenID never fail: www.example.org and www.example2.com are not having this problem.
Subdomains on the platform have this problem sometimes, but the same subdomains always fail and the others always work.
It started around Monday and is still happening now.

Take a deep breath and just change the Startup.Auth.cs file from
    app.UseGoogleAuthentication();
to
    app.UseGoogleAuthentication(
        clientId: "000-000.apps.googleusercontent.com",
        clientSecret: "00000000000");
Refer to the http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on page.

Related

Authentication failure while trying to authenticate with OAuth 2 against Microsoft Office365 account

I have a custom developed Windows service that until recently used basic authentication to access an O365 mailbox over POP and pull the contents on a predefined schedule. Microsoft recently announced that they were dropping the support for basic authentication and I should be using OAuth 2 instead. I have followed the steps in this article and my application has the necessary permissions in the Azure portal. I'm still running into an issue.
I can successfully generate the OAuth token. When I try to use said token to authenticate I get "Authentication failure: unknown user name or bad password". No further details are available. I tried Microsoft support but they only referred me to guides I've already followed. Any help is greatly appreciated!
After three days of scratching my head I finally stumbled upon the answer. Turns out that according to Microsoft ObjectID is different from ObjectID. Because logic! Two different interfaces for the same thing with two different ObjectIDs. You need the one on the right when giving permissions to the mailbox.

Swift 2 OAuth2 LinkedIn connection

I'm gonna make a native iOS app with Swift 2 and Xcode 7. The users should log in using LinkedIn and OAuth 2, but I'm wondering how I should begin to set this up. I don't have much experience with OAuth 2.
Is there a good tutorial or a sample app? I saw the Ray Wenderlich post but that comes with an existing project. I want to build an app with LinkedIn login from scratch.
EDIT
I want to use the LinkedIn login to get the user's connections and send them notifications. I was researching this and I found some pages that said that connections can't be retrieved from the new LinkedIn API. Is this true? Is it not possible to get someone's connections from LinkedIn in a native iOS application?
You should start with the LinkedIn guide for LinkedIn and OAuth 2.
But if you still need a sample for authentication with OAuth 2, here it is.
For your second question, related to the connections: yes, LinkedIn has made changes, but the API is still available, but for partners.
If you are an existing LinkedIn partner, these changes will not impact your existing partnership or the associated APIs that your partnership allows you to access.
If you are experiencing issues as a result of the May 12th changes, please reach out to your LinkedIn Business Development representative immediately.
For further details you can see Developer Program Transition Guide.
Check out this repo. I did this in Swift pre-2.0, but it shows you the basic algorithm. You can do it with your secret hard-coded or fetch it from the server. The key is getting the OAuth header just right, which is a huge pain.
https://github.com/GregPrice24/SwiftStream
Check this out: https://github.com/jeyben/IOSLinkedInAPI
I used this repo and successfully implemented LinkedIn integration in my app. It is in Objective-C, but you can use CocoaPods, import them as frameworks and use them in Swift 2 with no trouble.
Note: As of 12 May 2015, LinkedIn applied restrictions to API usage for all non-partners. See: https://developer.linkedin.com/blog/posts/2015/developer-program-changes
So you can only get the basicprofile at the beginning, but you can apply for the partner program to get extra information such as connections here: https://developer.linkedin.com/partner-programs

Google OAuth2 in distributed, self-hosted packages complaining about redirect_uri

I've taken over development of a Google Analytics API dashboard for a content management platform, and upgraded the code to use OAuth2 as the older oauth was disabled recently. The authentication flow and subsequent API calls are all working fine on my localhost for development.
The problem is when trying the code from a different domain. Google wants the redirect_uri to be whitelisted through the developer console, and if it isn't there, it throws Error: redirect_uri_mismatch
As this is a self-hosted (+ open source) package that people will be able to install on their own servers, there is no way I'll be able to add all possible redirect_uri values to the app key in the developer console.
After a bunch of Googling and trying to understand the docs, I get the impression there are 2 possible solutions.
1. Instruct users to go to the Google Developer console and create an app key of their own, before also going through the OAuth2 flow within the distributed app to provide the code access to the data in Google Analytics.
2. Use a redirect_uri value of urn:ietf:wg:oauth:2.0:oob with an Installed App key, instructing people to copy/paste the code back into the self-hosted app after authentication.
Neither of these is really appealing, as they add a bunch of complexity for the user (though option 2 sounds mostly doable). Are there other options, or am I simply overlooking something simple?
You actually don't have any choice in this matter. You must go with nr 1. When you state this is a dashboard and web application, it leads me to believe this is some kind of scripting language. This means that the client id and client secret will be displayed to your users / customers. This is against Google's terms of service.
Changes to the Google APIs Terms of Service: Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.
You may not release your client id and client secret to your users; they are going to have to create their own. Which nicely solves your redirect URI problem: they have to make their own.
Further reading Can I really not ship open source with Client ID?
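One way a self-hosted package could follow option 1, as an added example that is not code from the original posts or from the project discussed: each install supplies the credentials its owner created, and the package derives the exact redirect URI the owner must register, so the value sent always matches the console entry. The setting names, the callback path and the https requirement are assumptions of this example.

```javascript
// Added example; setting names and CALLBACK_PATH are hypothetical.
const CALLBACK_PATH = '/oauth2/callback';

// Load the credentials the site owner created in their own Google project.
// Nothing secret ships in the package source.
function loadInstallConfig(env) {
  const missing = ['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET', 'SITE_BASE_URL']
    .filter((k) => !env[k]);
  if (missing.length) throw new Error('missing settings: ' + missing.join(', '));
  const base = new URL(env.SITE_BASE_URL);
  const local = base.hostname === 'localhost' || base.hostname === '127.0.0.1';
  if (base.protocol !== 'https:' && !local) {
    throw new Error('SITE_BASE_URL must be https outside local development');
  }
  return {
    clientId: env.GOOGLE_CLIENT_ID,
    clientSecret: env.GOOGLE_CLIENT_SECRET, // server-side only, at token exchange
    // The exact string the owner registers as an authorised redirect URI.
    redirectUri: (base.origin + base.pathname).replace(/\/$/, '') + CALLBACK_PATH,
  };
}

// Build the authorization request; the secret never appears in it.
function buildAuthUrl(config, state) {
  const url = new URL('https://accounts.google.com/o/oauth2/v2/auth');
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: 'https://www.googleapis.com/auth/analytics.readonly',
    state, // caller supplies an unguessable per-session value
  }).toString();
  return url.href;
}

// Constructed settings for one install living under /dashboard/.
const demoEnv = {
  GOOGLE_CLIENT_ID: 'constructed-id.apps.googleusercontent.com',
  GOOGLE_CLIENT_SECRET: 'constructed-secret',
  SITE_BASE_URL: 'https://cms.example.org/dashboard/',
};
const demoConfig = loadInstallConfig(demoEnv);
console.log('Register this redirect URI:', demoConfig.redirectUri);
console.log(buildAuthUrl(demoConfig, 'constructed-state-value'));
```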

Posting twitter updates using basic authentication not working

I've tried a couple of ways (http://emmense.com/php-twitter/ and http://www.webmaster-source.com/2009/04/05/post-to-twitter-from-a-php-script/) to post updates to my twitter account but I am getting the response:
Basic authentication is not supported
I had a look at the twitter website and they said something about the new OAuth for authentication. Is this why my code isn't working?
Does anyone know of some PHP code that works?
This is correct. They recently adopted OAuth as their sole login platform for 3rd party apps as a security precaution.
Check out their developer area for examples:
http://apiwiki.twitter.com/w/page/22554657/OAuth-Examples
Basic auth is deprecated now. Check out this library https://github.com/abraham/twitteroauth for using OAuth in your application
It took me several hours to create this PHP script but it is working. Just make sure that your hosting company supports cURL. If you don't need the geo features you can cut them out.

Twitter Application - OAuth or Classic Login?

I am building a twitter application that is currently using the classic login instead of OAuth. Does Twitter have any plans of deprecating this? I chose not to do OAuth because it is still being piloted as a beta.
I doubt there are any plans to deprecate the old API, because there are hundreds of applications which are designed to use it. Even though it's safe to use the old API, if I were you, I'd transition to OAuth due to user security concerns. OAuth is more secure than the plain API, and provides fewer ways for an attacker to obtain the user's password.
From the Twitter API documentation:
OAuth is the Twitter preferred method of authentication moving forward. While we have no plans in the near term to require OAuth, new applications should consider it best practice to develop for OAuth. We eventually would like to suspend Basic Auth support. However we realize that Basic Auth has been a large part of the API's success, and that the barrier to entry if OAuth is the only solution is substantially higher. Many applications rely on Twitter accounts as their means of account management. Additionally, Basic Auth allows a developer with a command line, cURL, and his account credentials to start poking at Twitter data. There are still a number of architectural use cases to work through before we consider the deprecation of Basic Auth. Before any changes begin to happen, we will discuss them with the community through the support channels, and give at least 6 months lead time before making any policy changes.
"When are you going to turn off Basic Auth?
We announced in December of 2009 the deprecation of Basic Auth. Its removal date from the platform is set for June 2010. We announced towards the end of June 2010 that we have postponed this until August 16th 2010."
--from http://dev.twitter.com/pages/oauth_faq
I believe using OAuth would be the safest bet, and it's more convenient in the long run. I read an article saying that Twitter is making OAuth mandatory pretty soon as well, so you will have to switch over eventually.
It would be best if you provide both mechanisms to your clients: by default the classic login, but if the user is concerned about security they can choose the OAuth mechanism.
Mind it, many users will leave your application just because it requires them to give your application their (user's) credentials.
