CakePHP Routes and Google Webmaster Tools verification - url

I am working on a CakePHP project. I have a URL like:
http://www.example.com/
As CakePHP takes a URL like
http://www.exaple.com/controll/function_name
I was going through the Webmaster Tools site verification, where I was verifying my site.
Google provides a verification file (HTML) which I need to store in the root directory.
The problem is that CakePHP does not allow putting .HTML in the URL, so how can I verify my site then?

They also offer a meta tag that you can use for verification. Use that instead.

There is another option that isn't mentioned yet to my surprise, but you can put files you would like to serve "as is" under the app/webroot folder. So if you create app/webroot/google-site-verification-a12bc345.html, you (and more importantly, Google) can access that page through
http://cakeapp.com/google-site-verification-a12bc345.html

In addition to what John said, Google Webmaster Tools can be verified via Google Analytics if you use it.
However, for Google Analytics verification, the Google Analytics JavaScript tracking code must be in the <head> (not the <body>) section of your page. Sometimes the GA code exists in other JS files or at the bottom of the page, which is problematic.
If you do not have Google Analytics implemented (and you are not planning to), the simplest solution is what John has said: using meta tag verification.

Related

Azure AD not redirecting to the original request url rather goes back to Root

I have an ASP .Net MVC5 application using Azure AD Authentication. Whenever I enter URL, it takes me for authentication (if not done already) using a URL of this sort.
https://login.microsoftonline.com/[tenantID]/oauth2/v2.0/authorize?
There are 3 questions:
1) Can I say it's using OAuth2?
2) If someone enters a URL for a page, e.g. https://mydomain/Category/View/1, then it goes for auth (which is alright), but then post successful authentication, it should redirect me to the originally requested URL, but currently it's taking me to the root URL https://mydomain . But subsequent ones work fine once authenticated.
3) Currently the auth happens every 1 hr, I believe. How can I extend it to every 4 hrs?
Will be helpful to see your suggestions.
Cheers.
According to your description of point 2, would you like to achieve this: visiting a URL -> direct to login page -> redirect to that URL? If so, I think this document can help you.
In my opinion, if I wanna a demo app or an app just for a simple test, just add all possible URLs to the redirect configuration form. If I need to do a formal app or I need to make it easy to maintain, I use the idea in the above document. I think the central thought is creating a specific place to control URL redirecting, including judgment, and you only need to add this specific URL to the redirect configuration in the Azure portal. If you wanna a sample, maybe this document will help you.
To point 3, emmm, perhaps you can search for some key words like 'azure ad authentication set token lifetime policy'. I found several PowerShell scripts but I haven't tested them. If you haven't got the result I will do some tests on it next Monday.

Hiding parameters (sensitive information) from URL of an MVC 5 application

I am working on ASP.NET MVC 5. When I click a link (placed in another website) I navigate to the UserDetails.cshtml page. Basically that 3rd party site is passing the UserName & Password to my site & using that I authorize & display further user info.
It's fine but the Url is looking like this
localhost:8080//Admin/UserDetails/UserName/PWD.
I don't want to show the UserName & Password in the URL, i.e. the URL should look something like:
localhost:8080//Admin/UserDetails/
One possible solution could be to rewrite the URL in IIS (http://www.hanselman.com/blog/ASPNETMVCAndTheNewIIS7RewriteModule.aspx)
But I believe there is an easier way to handle this by using the routing mechanism of MVC.
Please help me to figure out the same.
EDIT :
As many of you are confused about why I am not doing a form POST here, let me re-frame my question. I have no control over the third party application, so I can't request them to do a form POST to my MVC application. Again, the 3rd party application is an Oracle reporting application (OBI), so doing a POST from that application might not be feasible either...
Let me reverse engineer your requirements from your question:
I want to have an URI that when invoked will give access to a secured section of my website. This URI must be clicked by visitors of a third-party site, whom I give that URI to. I want to hide the credentials from the URI.
You cannot do this, the requirements are conflicting. You cannot hand out URIs that will authenticate anyone who fires a request to that URI.
You could do something with a token (like http://your-site/auth/$token), but then still, anyone with access to that URI can use it to authenticate themselves, or simply put it up on their own website.
If you have data you want to expose to a third-party site, let that site perform an HTTP request (with tokens, usernames, headers or whatever you want to use to authenticate) in the background to your site, and display the response in their site. Then the visitor won't see that traffic, can't share the URI and all will be secure.
No. No. NO. Like seriously, NO. Any sensitive information should be sent via a post body over a secure connection (HTTPS). You can't "hide" information in a GET request, because it's all part of the URI, or the location of a particular resource. If you remove a portion, it's an entirely different location.
UPDATE
I find it extremely hard to believe that any third-party application that needs to authenticate via HTTP and isn't designed by a chimp with a typewriter, wouldn't support a secure method to do so, especially if it's an Oracle application. I'm not familiar with this particular app, but, and no offense meant here, but I would more easily believe that you've missed something in the documentation or simply haven't found the right way to do it yet before I'd believe you have to send clear-text credentials over GET.
Regardless, as I said previously, there's no way to hide information in a GET request. All data in a GET is part of the URL, and therefore is plainly visible in the browser location bar or whatever. Unfortunately, I have no advice for you other than to look closer at the documentation, even reach out to Oracle if you have to. Whether by post or something like OAuth, there almost has to be another way.

Permanent access to youtube api

I'm using YouTube API v3.0 to automatically upload videos to my own channel. However the script still needs manual intervention during OAuth2.0 authorization. How to make it completely automatic?
1) Access the API using username and password
2) Or find a way to create permanent OAuth2.0 authentication
P/S: I use this script to upload
https://developers.google.com/youtube/v3/guides/uploading_a_video
The only thing I can think of is web scraping. Basically, programmatically open the web page and get its HTML. Then find the authorization code, and store it as a string. I don't know if your scripting language of choice can do it, but Python has Beautiful Soup (links at the bottom). The problem, of course, is accessing the contents of a page like that which is pretty clearly designed to be reached by a logged in user from a web browser. I've never done that, but there's some concept of a "login handshake" where you post the data to the server that's needed as you access the page. I've a few links at the bottom.
Anyway, to give you a better idea of what I mean in pseudo-code (for those who may be confused), it'd be something like:
webURL = "http://any-url.net";
webPageObject = openPage(webURL);
pageHTML = webPageObject.getHTML();
theHTMLTag = searchForTagById(pageHTML, "<p id='oAuthMessage'>");
//And from there, figure out where the string containing the code is.
//Probably just by getting a substring from the end of the text in the <p>
//backward until you reach the length of the oAuth code.
You'll have to look at the page source to know which tags to look for specifically, but this can all just be done programmatically/automatically, as you wanted.
Links:
Login handshake - Scraping from a website that requires a login?
Beautiful Soup - http://www.crummy.com/software/BeautifulSoup/
google.gov/webScraping - https://www.google.com/search?ie=UTF-8&oe=utf-8&q=how+to+web+scrape+logged+in+page
You can use Google OAuth2 for devices in order to have a fully automatic token renewal process.
So all you need now is:
1) Request a device code and confirmation code
2) Enter the confirmation code to confirm your application has access for a specific account
3) Generate a new or renew an existing ACCESS_TOKEN for your device code
4) Upload the video using your device code and a valid ACCESS_TOKEN
Here is documentation for it.
And here are some examples.
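The device-flow steps listed in the answer above, sketched in Python as an added example (not code from the original thread or from Google). The endpoint URLs and grant type are Google's published device-flow values; the client id, client secret and the injectable `post`/`sleep` parameters are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Google's OAuth 2.0 device-flow endpoints and the RFC 8628 grant type.
DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code"
TOKEN_URL = "https://oauth2.googleapis.com/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def http_post(url, fields):
    """Default transport: form-encoded POST, returns the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:   # OAuth errors arrive as 4xx + JSON
        return json.load(err)

def start_device_flow(client_id, scope, post=http_post):
    """Step 1: get device_code (keep secret) and user_code (typed by the owner)."""
    return post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})

def poll_for_tokens(client_id, client_secret, grant, post=http_post, sleep=time.sleep):
    """Steps 2-3: wait for the owner's approval, then return the token response."""
    interval = grant.get("interval", 5)
    deadline = time.monotonic() + grant["expires_in"]
    while time.monotonic() < deadline:
        sleep(interval)
        reply = post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                                 "device_code": grant["device_code"], "grant_type": DEVICE_GRANT})
        error = reply.get("error")
        if error is None:
            return reply                     # carries access_token and refresh_token
        if error == "slow_down":
            interval += 5                    # RFC 8628: back off by 5 seconds
        elif error != "authorization_pending":
            raise RuntimeError(f"device flow failed: {error}")
    raise TimeoutError("user_code expired before approval")

def refresh_access_token(client_id, client_secret, refresh_token, post=http_post):
    """Unattended renewal: trade the stored refresh token for a new access token."""
    reply = post(TOKEN_URL, {"client_id": client_id, "client_secret": client_secret,
                             "refresh_token": refresh_token, "grant_type": "refresh_token"})
    if "error" in reply:
        raise RuntimeError(f"refresh failed: {reply['error']}")
    return reply["access_token"]
```

Only the first authorization needs a person. After that the script stores the refresh token (treat it like a password, since it grants access to the channel until revoked) and calls `refresh_access_token` before each upload.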

DotNetOpenAuth OpenIdTextBox For Google/Yahoo

If I want to integrate DotNetOpenAuth (primarily for people to use their Google/Yahoo accounts to login, not act as provider) into my existing site, is this one line control good enough?
<rp:OpenIdTextBox ID="OpenIdTextBox1" runat="server" />
Say, if a user wants to login as Google, I can simply set the textbox to "https://www.google.com/accounts/o8/id" and then they can login. I tried it with my Google account, it seems to be working and I can get the token from HttpContext.Current.User.Identity.Name.
Is this "one line" solution secure enough for production? or is it a "must" that I have to use "OpenIdSelector" or "OpenIDLogin" control?
I also opened the .net template and some samples, they are very complicated. There are PAPE policies, xrds.aspx (for discovery), ConsumerKey + ConsumerSecret...etc. As a newbie, I am very confused. Any tips on this will be really appreciated. Thanks
Security-wise what you've done is sufficient. But there is more that you'll want/need to do. The first one being to set this attribute on your top-line page tag:
<%@ Page ValidateRequest="false" %>
Otherwise your users will see random login failures because some OpenID messages "look" dangerous to ASP.NET.
The next thing you'll want to do is set up your xrds.aspx page and the link to it from your home page. This isn't strictly necessary to get basic OpenID working, but it enhances security for your site if you have open redirector URLs, and some Providers like Google and Yahoo can display ugly warning messages to your users if you don't properly implement this "RP discovery" aspect of your site.
After that, you're free to leave it alone if you're getting everything you need.
But if you're only interested in Google users, consider using the OpenIdButton ASP.NET control instead of OpenIdTextBox as it may provide a better visual for your users.

Problem installing OpenID on ASP.NET MVC Site

I am trying to install OpenID into my web site project that is using ASP.NET MVC, specifically with Yahoo.
Yahoo keeps giving me this:
"Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate."
However, I have followed the setup procedures. I have a Yadis document set up and the following in the header of my realm URI
<meta http-equiv="X-XRDS-Location" content="http://www.daimokuchart.com/yadis" />
My Yadis document is as follows
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns:openid="http://openid.net/xmlns/1.0"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="1">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://www.daimokuchart.com/Users/Authenticate</URI>
</Service>
</XRD>
</xrds:XRDS>
This is getting rather frustrating as I am not sure what else I can be missing.
Note: The domain given in this example isn't actually live at this time... I am however testing it on a live site I just can not give out the URL at this time as we are not done developing the site yet.
Update 3/4 I did find a Yadis testing site, and it passed so the problem is Yahoo is not discovering it for some reason.
Update 3/5 Still no luck. I talked with someone and they said this needed to be in my root URL, so I did that. Now Yahoo reports something is wrong with the site... but not sure what the problem is...
Check that your openid.return_to parameter is found in your YADIS/XRDS document, including matching capitalization.
My first thought is that your realm URL (http://www.daimokuchart.com/yadis) seems to redirect to http://blog.daimokuchart.com/yadis when I attempt to browse there. The following writeup (linked from Yahoo's OpenID FAQ) mentions that the realm URI can't redirect:
Why Yahoo! says your OpenID site's identity is not confirmed
Yahoo! OpenID - FAQ
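The return_to check suggested in the first answer above, as an added Python example that is not part of the original thread. It parses the XRDS document posted in the question and compares an openid.return_to value against the advertised endpoints, flagging the capitalization mismatch the answer warns about. The function names and result labels are hypothetical, and the exact-match rule is a simplification that is stricter than a provider needs to be.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# The XRDS document as posted in the question.
XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
    xmlns:xrds="xri://$xrds"
    xmlns:openid="http://openid.net/xmlns/1.0"
    xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://www.daimokuchart.com/Users/Authenticate</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def return_to_endpoints(xrds_text):
    """Return the <URI> values of every return_to <Service> in the document."""
    # Intended for your own XRDS file; use a hardened parser for untrusted XML.
    root = ET.fromstring(xrds_text.encode("utf-8"))
    uris = []
    for service in root.iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in service.iter(XRD_NS + "Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in service.iter(XRD_NS + "URI") if u.text]
    return uris


def check_return_to(return_to, xrds_text):
    """Classify an openid.return_to value against the advertised endpoints."""
    base = return_to.split("?", 1)[0].split("#", 1)[0]  # compare scheme/host/path only
    endpoints = return_to_endpoints(xrds_text)
    if base in endpoints:
        return "match"
    if base.lower() in (e.lower() for e in endpoints):
        return "case-mismatch"       # same URL except for capitalization
    return "not-listed" if endpoints else "no-return_to-service"
```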
