I am trying to implement MSAL to a xamarin windows app. When im trying to use AcquireTokenInteractive it gives me this error.
" {"Only loopback redirect uri is supported, but urn:ietf:wg:oauth:2.0:oob was found. Configure http://localhost or http://localhost:port
both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details"} "
CODE:
`app = PublicClientApplicationBuilder.Create(ClientId)
.WithBroker()
.Build();
System.Collections.Generic.IEnumerable accounts = await app.GetAccountsAsync();
AcquireTokenInteractiveParameterBuilder interactiveRequest = await app.AcquireTokenInteractive(GetScopes).WithAccount(accounts.FirstOrDefault()).ExecuteAsync();`
AND in Azure AD i have added the below redirecr Uri;
"ms-appx-web://microsoft.aad.brokerplugin/{sid}"
This worked for me when i was working on the feature branch and now when i have merged this into the master, it's not working.
Related
Below is my code to popup and login through MSAL.
var app = PublicClientApplicationBuilder.Create(msal.ClientId)
.WithDefaultRedirectUri()
.WithTenantId(msal.TenantId)
.Build();
var result = await app.AcquireTokenInteractive(msal.Scopes).ExecuteAsync();
Code above works when it's running on my local machine.
And below is my settings in Azure AD. Its working when I set it to localhost:5000
But when I set the localhost to 'myWebAppUrl' which is hosted on Azure Virtual Machine. MSAL won't popup. And it will just return "The operation was cancelled". Anything I missed here?
Please check the below points.
In azure ad,the reply URL must begin with the scheme https, unless using localhost. ex:http://localhost:5000
Else you can use something like https://yourappurl and don’t forget to Grant admin consent
Under Permissions for the scopes you have in azure ad.
Please check Redirect URI restrictions
Apps that use system browsers: http://localhost
Apps that use embedded
browsers:https://login.microsoftonline.com/common/oauth2/nativeclient
For Node.js, you can use msal://redirect
Please check Add a redirect URI section and Client application configuration (MSAL) | Microsoft Docs
And check if you can use confidential client to your app
.
Some authentication libraries like MSAL.NET use a default value of
urn:ietf:wg:oauth:2.0:oob when no other redirect URI is specified,
which is not recommended. This default will be updated as a breaking
change in the next major release.
Other references
Instantiate a public client app (MSAL.NET) - Microsoft identity platform | Microsoft Docs
Initialize MSAL.NET client applications - Microsoft identity platform | Microsoft Docs
I have multitenant Web API application with Hangfire scheduler that calls a task which trying to connect to self endpoint through external server DNS name with tenant name in it. Doing it this way, because Hangfire doesn't have HttpContext to resolve on which tenant task must shoot. On my staging server or if I send this request from Postman it works nice, but on my local machine and on production server it raises the error from title.
The code looks like nothing special:
var url = $"{tenant.Url}/notifications/client/send-appointment-sms";
var jwtToken = await _authService.GetTokenByUsername("admin");
using var requestMessage = new HttpRequestMessage(HttpMethod.Get, url);
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken.AccessToken);
var response = await _httpClient.SendAsync(requestMessage);
Where tenant.Url is for example https://api.tenant1.example.com/api2 which is available from browser on production server where application is running.
If I understanding clearly, my application can not connect to itself for some reason.
I have tried common solutions like firewall settings or disable proxy, still nothing on this point. What can I check next?
UPD I must add that NodeJS server on production is able to call this service too, so I think issue is not in server but maybe more about ASP.NET configuration settings.
I am trying to implement social login using keycloak in a react-native application and upon following official keycloak documentation I have hit a dead end.
I have correctly configured (according to documentation) the correct redirect URI.
Details-
1.created a new facebook app. Now I have two different web resources.
a.) An instance running keycloak server on a docker setup.
b.) A dummy web app on a different domain that I am redirecting to using my react native code. I am using react-native-login package and the configuration which goes into their Login.start(config) method is attached below.
2.The website uri is the facebook app setting is same as the redirect uri that keycloak provides upon adding an identity provider.I have double checked my app id and app secret
and switched the app to production by giving it a privacy policy on the dummy express aplication I am trying to redirect to.
3.The keycloak server and the dummmy express app I have are on different domains (I don't see any problems with this but the tutorial I was following had the website and the keycloak server on the same domain with different sub domains could this be the problem).
The error
{
"error": {
"message": "Can't load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and sub-domains of your app to the App Domains field in your app settings.",
"type": "OAuthException",
"code": 191,
"fbtrace_id": "Awr-3dCV3zr"
}
}
config object
const config = {
url: "https://authserver.ml/auth",
realm: "Demorealm",
client_id: "demoFrontEnd",
redirect_uri: "https://dummyapp.ml/privacypolicy",
appsite_uri: "https://dummyapp.ml",
kc_idp_hint: "facebook",
};
website URI in facebook = redirect uri by keycloak (according to keycloak documentation)
added both the domains in the domains section of facebook app settings under the basic tab.
In the Share Redirect Domain Allow List section in advanced settings in facebook app I have added both the URI's ie. the authentication broker url from keycloak and the uri I am trying to redirect to after a successful login but I get this error everytime
Another scenario I have noticed is when I try to give the react-native-login config object a redirection uri that is mentioned in keycloak I get the invalid parameter error from keycloak
NOte- the error is arising from facebook's graph api which means that the authentication request went past the keycloak server and to facebook (https://graph.facebook.com/oauth/authorize?scope=email&state=rest of the url)
Any suggestions at this point will be much appreciated.
I'm building a UWP application and using web authentication broker for sign in. I'm using Azure B2C with another AD as an identity provider.
When requesting an authorization code, it will always return a code when the scope parameter is: scope=openid
If I change this to be: scope=openid offline_access, it will not return to the application. It hangs on a blank window.
I've checked the Web Auth events and it completes successfully with an authorization code, but does not return to the application. I've tested this code by copying it and requesting an access token with it and that works every time.
When I've looked up these kind of issues, the redirects recommended to use are either: ms-app://xxxx, or urn:ietf:wg:oauth:2.0:oob. Both of these result in the error with StatusCode: 0x800C000D
Is there an issue that I'm missing here?
EDIT:
Here's the request. Note that both endUris here have worked, seemingly at random, then will not work again after a reinstall of the application. When it does work, getting a token using the auth code has never been an issue.
Uri endUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
//Uri endUri = new Uri("https://<tenantName>.b2clogin.com/tfp/oauth2/nativeclient");
string startUrl = $"https://<tenantName>.b2clogin.com/<tenantName>.onmicrosoft.com/B2C_1_signIn_SignUp_V2/oauth2/v2.0/authorize?client_id=<clientId>&response_type=code&response_mode=fragment&scope=openid offline_access&redirect_uri=" + endUri;
Uri startUri = new Uri(startUrl);
var webAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(WebAuthenticationOptions.None, startUri, endUri);
I am trying to replace my old username/password Rally authentication with Rally API Keys.
server, user, password, workspace, proj = rallySettings(options)
rally = Rally(server, user, password)
to
rally = Rally(apikey='SECRET_KEY')
When I made the change, I started getting errors like: ('Cannot connect to proxy.', gaierror(-5, 'No address associated with hostname')).
If I switch back to the old user/password route, it works just fine.
Here's how I am setting the proxy:
proxy = "http://internal.proxy.com:port"
os.environ['HTTPS_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
I'm using pyral 1.1.1 and requests 2.3.0 on a redhat server. Any ideas why switching from Username/Password to APIKeys would cause a proxy connection issue?
ApiKey replaces username/password, but it does not replace host.
This line:
rally = Rally(apikey='SECRET_KEY')
is missing host(server)
See an example here.
if apikey:
rally = Rally(server, apikey=apikey, workspace=workspace, project=project)
else:
rally = Rally(server, user=username, password=password, workspace=workspace, project=project)