I keep getting this error:
access_denied: {"error":"access_denied","error_description":"Client has not been granted scopes: read:user_idp_tokens"}
I think it is Auth0 related, but I can't seem to make sense of it? Any ideas? Has anyone else ever seen this?
Related
When I enter the password for my Instagram account, I get this error.
CSRF token missing or incorrect
where is the problem from ?
How to solve the problem?
please guide me.
Thanks
I tried some methods and did not get any results.
I tried most of the solutions, such as changing the IP or logging in with a VPN, but unfortunately, I could not get a positive result.
After the user passes this screen, how do I know that the user checked all the boxes?
Also, I tried disabling Incremental authorization to get an error if the user refuses one of the requested scopes, but it seems that Google doesn't return any error.
So I'm stuck. I want to show users errors when they don't check all the requested scopes.
Any help?
I just wanted to ask for assistance on the following. My client has enabled an ROPC flow and it works properly most of the time.
It is hard to record the error but we made it.
https://msit.microsoftstream.com/video/2340a1ff-0400-a521-2f90-f1eac84c3b02
Check from min 20 for the error.
There are invalid passwords like the following that doesn't work.
Ac#grra%42, Acgrra%42, Ac#gr%ra%42.
Passwords that worked properly were the following:
Vg#5k4VrMw, &wy6S"-s'&, Micro%s0ft.
Is there any password policy or anything that may cause this behavior?
If ClaimsIdentity set through JwtBearerAuthentication middleware doesnt have enough roles required through
[Authorize(Roles="whateverrole")]
it returns 401 instead of 403.
I am struggling with this in asp.net core web api whole night. I have also seen this question on stackoverflow but i havent seen any solution i could make work. The order of registering middleware nor AutomaticChallange setting did the job.
I dont know if i am missing something but it seems shocking that this hasn't been solved properly for years. It is so annoying.
Is there any normal, usual, non-workaround, non-hack way of solving this?
UPDATE (in response to comment from #juunas)
I have tried that and roles are mapped correctly from Claims.
So, if i remove Roles requirement from attribute, for all roles that user is assigned to (in JWT token) User.IsInRole(x) returns true. So mapping works just fine.
About moving from roles based authorization to policies...can you provide some some link with some best practices, recommendations or something that you base that statement on?
I am not saying its not something to be done but would just like to understand it.
It's important to understand the difference in these to errors to understand why you will get one and not the other.
401 is for authentication. If you are getting this error then you have to ask yourself is the user logged in, or does the user have a current token provided by a valid token provider? If the token has expired or the provider is not valid then you can get a 401. If this is what you are getting then you need to check User.Identity.IsAuthenticated does this return true? Most likely it returns false.
403 is for authorization. This would mean the user has a valid token, but the token they have does not give them access to the resource they are requesting. This is where you would want to check User.IsInRole() and it would return false.
If you're getting 401 it means that the user hasn't been authenticated i.e. they have not logged in, their login was invalid, the token has expired... etc. As far as your application is concerned the user hasn't proved they are who they say they are yet.
Edit: Apologies for assuming the user wasn't Authenicated, I didn't see where you stated that they where in your first post. It's hard to help without seeing code but my next guess is that the Claims check hasn't been added to the services pipeline.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthorization(options =>
{
options.AddPolicy("whateverrole", policy => policy.RequireClaim("whateverrole"));
});
}
This is in your Startup.cs. MS doc is here https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims
Last update: Simply put using the default Authorize attribute tag you can't change it. MS designs I this way due to the number of layers in the pipeline that could impact authentication. I was unaware of this because I use a custom Authorize attribute and forgot that I over wrote the way it handled status codes.
However I found a nice solution that might suite your needs https://github.com/aspnet/Security/issues/872#issuecomment-232624106
It adds an error page to the pipeline prior to the app.UseMvc() that redirects authentication errors to an error page that returns the correct status code.
I've followed through the InteractiveConsole and FriendsSmash example in Unity and learnt how to request permissions during login and get the friend list of the user.
But there's one little problem bothering me a lot.
When FB.Login("email,user_birthday", LoginCallback) is called for an authorized user. The user will be redirected to the Facebook page saying "You have already authorized App-Name".
I'm thinking to only call FB.Login("",LoginCallback) to every user, and then use the FB.API to check if the correct permissions exist, and after that call the original FB.Login method. However, this doesn't seem a very wise way to do this to me.
I did a bit of research but still can't seem to find a nice way to solve this. Can anyone please help me out on this?
Thanks.
If you have status=true in your FB.Init(), it should come back with login info if the user is logged in. You can then use FB.API() and do your permissions check.
I had PlayerPrefs.DeleteAll being called for testing purposes. I found that it was removing the Facebook data so it wasn't authorising on initialisation.
Make sure you don't call PlayerPrefs.DeleteAll()