HybridAuth telegram authorization - authorization

Issue with standard script Telegram keeps asking for authorization "Required data not provided" The script itself
(https://dropmefiles.com/nYq83)
I also suffered with MailRu and Vkontakte, but I overcame the problem, now I still need to overcome this one, I can’t even sit and conjure for a week. Does anyone have a solution. My handler (all other OAuth (social network authorization) work with views) Handler itself
(https://dropmefiles.com/LlIq9)
I tried to post the code here but it didn't work.

Related

OAuth2 Failing at consent stage

I have been happily using the xoauth client to negotiate PKCE grants flows up to earlier today.
Tokens were obtained and refreshed, all was looking fine until I needed to amend my scopes and needed to re-consent.
Now I receive an error on the callback - http://localhost:8080/callback?error=access_denied&state=8AJEDHk6tlNX2E98Y3JuFmXmDrcS2DNB#_=_
This error would usually indicated that consent was canceled by the user but I am definitely pressing Allow.
I have:
Deleted the app and made a new one, tried a new Code Flow app, tried a trial organisation instead of the Demo organisation, all without luck.
However, it will succeed if I specify the bare minimum of scopes: openid and offline_access
Any ideas?
My Client ID is: 17B89D9AF3984680BCA620A3986AE8EB
Update: It does however work in a private browser window so I suspect something local. Will poke some more and close if so.
So that last piece makes it sound like some kind of browser / cache issue.
We did have another user where an ad blocker was causing the problem during the granting access page. Maybe that was you..? API team is looking into this further.
If you are continued to be blocked you can open a ticket by emailing api#xero.com

Google oauth2 and 400 bad request: Bug on Google side?

We have Google oauth2 working fine on our website. However, often Chrome users complaint about 400 Bad request and we were able to reproduce it now. Based on the investigation, it indeed looks like a bug on Google side:
It only happens with users who were authenticated earlier and logged-in with multiple accounts on GMail
It doesn't happen when the same user uses incognito window.
This problem is universal and not only with our website. At this moment, I am not able to login using google oauth2 on any website including StackOverflow. Stackoverflow site also gives the same 400 Bad request error and I have to use incognito.
No additional information is present along with 400 Bad Request Error
To further confirm, I just loaded https://accounts.google.com/o/oauth2/auth without any parameters and it also gave 400 Bad request. However, if I load it in incognito, it gives Error: invalid_request. So there is indeed different behavior.
So We suspected that the problem might be with cookies sent along with request since incognito window has no cookies. So we cleared all the cookies for domain accounts.google.com and problem magically solved. This confirms that Google side of code is not able to handle their own cookies.
We really need to solve this. Please help. Do let me know if you need any information.
This might be caused only for the clients that have multiple google accounts logged in as described here Google OAuth2 returns Bad Request when logged with multiple accounts.
It is not clear to me if is a google bug or a miss-use of the api. Anyway stackoverflow is affected as well.

Occasionally 401 Unauthorized Google Cloud Message

While using Google Cloud Message API I occasionally get 401 Unauthorized status. So, sometimes my push notifications are send and sometimes not, without changing anything in the API request.
I use curl request with server key.
I tried to specify IPs list and set it to "Any IP allowed".
I already tried to create new server keys and projects, as some people here tell it helps them in similar situation. Sadly, it not helps me.
I'm seeing a similar problem with other Google Cloud APIs and I suspect it's related to your authentication being expired. Make sure to refresh any tokens you are using.

How do I configure what happens when using Authorize(Roles) attribute?

I have an MVC4 project with simplemembership configured. It's all working etc. but I would like to know how to tell it wich controller/action to redirect to when a user is not authorized to view a given page.
For example, if I use [Authorize(Roles="Admin")] and try to view that page with a logged in user that does not have the "Admin" role it redirects me to the login page, even though I am already logged in.
I would like to change this to something else... maybe a 404 or a nice message to say "You are not authorized to view that content".
I've tried googling for just about everything I can think of to do with this but haven't found an answer so far.
Can this be done with the current setup or do I need something else? A pointer in the right direction would be appreciated :)
Try creating a custom AuthrorizeAttribute and override the OnAuthorization method so that you do a redirect to your custom page if authorization fails and to the logon page if authentication fails. Another approach that some people use is to check if the current user is authenticated on the logon page and if they are you can assume they were redirected to this page because authorization failed. In that case display a special message to the user indicating that they are not authorized to access that page. For some applications this may make sense because a user might have multiple accounts and they want to logon to another account where they are authorized to perform the operation. Some of these concepts are discussed in this QA.
This is, unfortunately, a problem with Asp.net as a whole (although it originates from a problem in the HTTP specification), it does not differentiate between unauthorized users and unauthenticated users, even though they seem to go out of their way to talk about the difference. In order to change this behavior, you would have to write a lot of code, and it's just easier to write a custom handler to check if you are already authenticated.
The HTTP standard never intended for a user to be in an "authenticated state". In fact, it doesn't really even know about the concept of a "user". Each page request is intended to carry information independent of the other page requests. The fact that browsers cache this information (or authentication is done by cookie) is irrelevant to what the standard intended.
The standard basically says that the server should issue a 401 if the requested resource is not authorized, and since each request has it's own authorization, the intention a simple pass/fail scenario. There is no concept of an authorized state for the site. The request either succeeds or fails.
I think frameworks like ASP.NET have gone a long way to creating their own authorization/authentication state, but they really should just go all the way here.
You might find this thread enlightening regarding the disagreement among the web community about the exact interpretations.
403 Forbidden vs 401 Unauthorized HTTP responses

UserAuthentication via Flattr-REST: No PIN returned?

I'm trying to write a new application using the Flattr REST-API version 1 (not the beta v2). The application acquires a request token at first, which seems to work properly. But I run into a problem authenticating the user. The link created for authentication looks like this:
https://api.flattr.com/oauth/authenticate?access_scope=read,click&oauth_token=MY_REQUEST_TOKEN
Clicking the link everything seems alright. Information about the application and the scope requested is shown, but clicking "Authenticate", there's no pin code, but the following error from https://flattr.com/apps/pincode/MY_REQUEST_TOKEN:
Something went wrong. Please try again
BUT now the Application IS in the authorized application list of the user though that doesn't really help if the user can't get the pin code...
The Application type is set to client. It's the first time I try to work with the API so I'm not sure if I miss anything important? Would be grateful for some help.
Just as an update: We finally changed to API v2. Getting Authorization for our application feels a bit clumsy, as we set the redirecturi to some webpage, where we display the returned code and let the user copy&paste it into our client application... we kind of made our own pincode-flow :/
If possible, please use the v2 api, which uses oauth2 + bearer token.
However, the new API doesn't support authentication using the pincode flow.
As stated by Maike this is probably a bug that has surfaced yet again :(
I'll create an internal bug ticket and try to get it fixed.
The pincode isn't a feature planned. You can use the oauth2 "implicit grant" to authenticate the resources owner. This isn't documented at the moment but is possible.
When you do the request to https://flattr.com/oauth/authorize you pass the response_type token instead of code. This will append a access_token fragment in your callback URL. In your http client it might be possible to catch the 302 from our server and parse the access_token from the fragment.
All this requires a http client in your application whom you can control the flow inside your app.