Problem with OpenIdDict on client side regarding the Redirect_Uri - asp.net-core

I am using OpenIdDict but am having trouble with the redirect_uri stored in my database. The redirect_uri entry in my database is signin-oidc, but I don't know why I get the error shown below.
The request address matched a server endpoint: Authorization.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
The authorization request was successfully extracted: {
"client_id": "console",
"redirect_uri": "https://localhost:6001/signin-oidc",
"response_type": "code",
"scope": "openid profile",
"code_challenge": "Nr0Jgf4cY3jUtC_1w3GwZ2ryR5FeYoSWrYpu7VF2nxQ",
"code_challenge_method": "S256",
"response_mode": "form_post",
"nonce": "637773059511435225.Y2ZkMDY4MzctYjczNi00MmFlLWFiNjEtMmJlOWI1NDllMzNjOTYxY2Q1MmQtNDcyOS00N2RmLTgyZTQtZDg4Yjc0ZDk5ODk4",
"state": "CfDJ8NYwebNNwH9FkusxDMvbzdrGCOwob0ZBYnanAjf_cGnDjOjF-VnCxbzK8hxyodvDee-v7Sh2Ny4zKhbjOZZZEzSKi-ebQCROJYha2GUiUxbDpvX34Drs-ehjMozt68GkY2ETu_GIf-vRr7Ij4KXaSeUeq5bZioLyJI97kf79txzv700HeEQxxK_unsvj8n8s4fOELMx9dRydCBV0Yw26jROlb-_qjhP9cL1pALEoZ2xeotAl8LY9FZjUDuOuHZSknK-GGFUIhT34-rJ_Wg71MncO-Mat__6m_ISNkr7BIti6qf9qPnLcrTeW-eg6Y_9IK8W_G59ChO1-wwD5Q1A68F086xzGVEvkPLeH1HCGFi0BceBRjRI_Efer9yWJn3pzow",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "6.11.1.0"
}.
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
System.Text.Json.JsonReaderException: 'h' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
at System.Text.Json.Utf8JsonReader.ConsumeValue(Byte marker)
at System.Text.Json.Utf8JsonReader.ReadFirstToken(Byte first)
at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
at System.Text.Json.Utf8JsonReader.Read()

I realized that redirect_uris is an array stored in the database, not a single redirect URL.
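The stored value and the failure above, as an added example (not code from the question or from OpenIddict): OpenIddict keeps an application's redirect URIs in the RedirectUris column as a JSON array of absolute URI strings, so a bare value such as signin-oidc is not parseable JSON, which is exactly what the JsonReaderException reports. The helpers below mirror that storage shape and the exact-match check a server should apply to an incoming redirect_uri.

```javascript
// Added example, not from the question or from OpenIddict. OpenIddict stores an
// application's redirect URIs as a JSON array of absolute URI strings, e.g.
//   ["https://localhost:6001/signin-oidc"]
// A bare value such as "signin-oidc" fails to parse just as in the log above.

// Parse the RedirectUris column value; throws a clear error on the wrong shape.
function parseStoredRedirectUris(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    throw new Error(`RedirectUris must be a JSON array, got ${JSON.stringify(raw)}: ${e.message}`);
  }
  if (!Array.isArray(parsed) || !parsed.every((u) => typeof u === "string")) {
    throw new Error("RedirectUris must be a JSON array of strings");
  }
  for (const u of parsed) {
    // Each entry must be an absolute URI; "signin-oidc" alone is only a path,
    // while the request in the log sends https://localhost:6001/signin-oidc.
    if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(u)) {
      throw new Error(`Redirect URI is not absolute: ${u}`);
    }
  }
  return parsed;
}

// Serialize a list of absolute redirect URIs into the stored column form.
function toStoredRedirectUris(uris) {
  return JSON.stringify(parseStoredRedirectUris(JSON.stringify(uris)));
}

// Exact (ordinal) comparison: no prefix or wildcard matching, so a different
// port, path or query string than the registered value is rejected.
function isRegisteredRedirectUri(raw, requested) {
  return parseStoredRedirectUris(raw).some((u) => u === requested);
}
```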

Related

ADFS WebProvider returns 401 for UserInfo endpoint

After integrating the WebProvider for ActiveDirectoryFederationServices from preview 4.1.0-preview-1.23108.18, a 401 occurs after the front-channel redirect and the userinfo call.
Probably this is due to the behavior described here: ADFS 4.0 (2016) OpenID Connect userinfo endpoint returns 401 when provided with access token.
Apparently the attachment of resource = urn:microsoft:userinfo is missing.
In my experience, when trying to hit the ADFS OIDC userinfo endpoint you need to pass a query-string key/value pair (resource=urn:microsoft:userinfo).
The retrieval and validation of the token was successful.
The token response returned by https://[redacted]/adfs/oauth2/token/ was successfully extracted: {
"access_token": "[redacted]",
"token_type": "bearer",
"expires_in": 3600,
"resource": "8f238a5c-2dea-42cd-80eb-abf7638fcadd",
"refresh_token": "[redacted]",
"refresh_token_expires_in": 26751,
"scope": "openid",
"id_token": "[redacted]"
}.
Is there any way to set the resource or disable the retrieval of user info?

Authenticate a cognito user using expo AuthSession API

I am using this example code.
I am able to get a response from the authorize endpoint.
request: {"clientId": "<retracted>", "clientSecret": undefined, "codeChallenge": "t6xISsEiAwOIwQxk0Ty1JNo2Kqa53mECL9a7YahLv_A", "codeChallengeMethod": "S256", "codeVerifier": "<retracted>", "extraParams": {}, "prompt": undefined, "redirectUri": "exp://192.168.0.22:19000", "responseType": "code", "scopes": undefined, "state": "o7FeO9ANoa", "url": "https://<retracted>/oauth2/authorize?code_challenge=t6xISsEiAwOIwQxk0Ty1JNo2Kqa53mECL9a7YahLv_A&code_challenge_method=S256&redirect_uri=exp%3A%2F%2F192.168.0.22%3A19000&client_id=<retracted>&response_type=code&state=o7FeO9ANoa", "usePKCE": true}
LOG response: {"authentication": null, "error": null, "errorCode": null, "params": {"code": "<retracted>", "state": "o7FeO9ANoa"}, "type": "success", "url": "exp://192.168.0.22:19000?code=<retracted>&state=o7FeO9ANoa"}
import { exchangeCodeAsync } from 'expo-auth-session';

// Exchange the authorization code for tokens; discoveryDocument and
// setAuthTokens come from the surrounding component.
const exchangeFn = async (exchangeTokenReq) => {
  try {
    const exchangeTokenResponse = await exchangeCodeAsync(
      exchangeTokenReq,
      discoveryDocument
    );
    setAuthTokens(exchangeTokenResponse);
  } catch (error) {
    console.error(error);
  }
};
While exchangeFn is being invoked, I am getting an error: "ERROR [Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.]"
Here is the application flow (image omitted).
As per OAuth 2.0, while exchanging an authorization code grant with PKCE for tokens, we need to add an Authorization header.
The authorization header string is Basic Base64Encode(client_id:client_secret). The following example is an authorization header for app client djc98u3jiedmi283eu928 with client secret abcdef01234567890, using the Base64-encoded version of the string djc98u3jiedmi283eu928:abcdef01234567890.
The example code does not include this. That is the issue. We have to get the app client secret from AWS Cognito and add it to exchangeTokenReq.
const clientId = '<your-client-id-here>';
const userPoolUrl =
  'https://<your-user-pool-domain>.auth.<your-region>.amazoncognito.com';
const redirectUri = 'your-redirect-uri';
const clientSecret = 'app-client-secret';

exchangeFn({
  clientId,
  code: response.params.code,
  redirectUri,
  clientSecret,
  extraParams: {
    code_verifier: request.codeVerifier,
  },
});
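The token request the answer describes, as an added example (not code from the question, the answer, expo-auth-session or AWS): it builds the POST to Cognito's /oauth2/token endpoint with the PKCE code_verifier in the body and, when the app client has a secret, the Basic header base64(client_id:client_secret). The userPoolUrl, clientId and clientSecret values are placeholders.

```javascript
// Added example, not from the question, the answer, expo-auth-session or AWS.
// Builds the token-endpoint request for exchanging an authorization code with
// PKCE at a Cognito user pool whose app client has a secret: the secret is sent
// as an HTTP Basic Authorization header, base64(client_id:client_secret).
// A client secret compiled into a mobile app is not confidential; app clients
// created without a secret need no such header and only the code_verifier.

function basicAuthHeader(clientId, clientSecret) {
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
}

// Returns a plain description of the HTTP request (url, method, headers, body)
// that can be inspected in a test or handed to fetch(). userPoolUrl is the
// hosted UI domain, e.g. https://<your-user-pool-domain>.auth.<your-region>.amazoncognito.com
function buildTokenExchangeRequest({ userPoolUrl, clientId, clientSecret, code, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    redirect_uri: redirectUri,     // must equal the redirect_uri used at /oauth2/authorize
    code_verifier: codeVerifier,   // proves possession of the PKCE verifier
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (clientSecret) {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  }
  return { url: `${userPoolUrl}/oauth2/token`, method: "POST", headers, body: body.toString() };
}
```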

Way to detect invalid device token in FCM HTTP v1 API

We are using the FCM HTTP v1 API to send push notifications.
When our users register their device tokens, our push server just stores them in the database without verification, because FCM does not provide token verification APIs.
The only time the push server can detect whether a device token is valid is when sending a push notification via FCM.
According to FCM registration token management, if the device token is invalid the FCM server responds with UNREGISTERED or INVALID_ARGUMENT.
However, the INVALID_ARGUMENT code can also be returned when using an invalid payload, so we cannot distinguish an invalid device token from an invalid payload.
The following are actual responses from the FCM server for an invalid device token and an invalid payload, respectively.
{
  "error": {
    "code": 400,
    "message": "The registration token is not a valid FCM registration token",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.firebase.fcm.v1.FcmError",
        "errorCode": "INVALID_ARGUMENT"
      }
    ]
  }
}

HTTP/1.1 400 Bad Request
{
  "error": {
    "code": 400,
    "message": "Invalid JSON payload received. Unknown name \"priority\" at 'message': Cannot find field.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.BadRequest",
        "fieldViolations": [
          {
            "field": "message",
            "description": "Invalid JSON payload received. Unknown name \"priority\" at 'message': Cannot find field."
          }
        ]
      }
    ]
  }
}
When the token has a proper format but its user is no longer active, you will receive an UNREGISTERED response indicating that you should delete that token from your backend.
However, if you send a token that does not have a valid format (it has been modified in your backend or truncated, for instance) you will receive an INVALID_ARGUMENT. If this is the case you probably want to check your code because you may be modifying the token somewhere (in App or backend). Probably you have to manually detect and delete those tokens.
Once this is solved, you do not have to worry anymore about the INVALID_ARGUMENT response to delete the tokens, except if you make further changes that corrupt them again.
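The distinction the answer draws, as an added example (not code from the question, the answer or Firebase): a classifier for FCM HTTP v1 error bodies that separates a dead token (UNREGISTERED, delete it), a malformed token (INVALID_ARGUMENT carrying an FcmError whose message names the registration token, fix whatever corrupts it) and a bad payload (INVALID_ARGUMENT carrying google.rpc.BadRequest field violations, fix the request and keep the token). The two INVALID_ARGUMENT samples are the responses quoted above; the UNREGISTERED sample is constructed.

```javascript
// Added example, not from the question, the answer or Firebase. The rule is
// derived from the two responses shown in the question plus the UNREGISTERED
// case the answer describes; the UNREGISTERED body below is constructed.
const FCM_ERROR_TYPE = "type.googleapis.com/google.firebase.fcm.v1.FcmError";
const BAD_REQUEST_TYPE = "type.googleapis.com/google.rpc.BadRequest";

// Sample bodies: the first two are copied from the question, the third is constructed.
const SAMPLE_BAD_TOKEN = { error: { code: 400, message: "The registration token is not a valid FCM registration token", status: "INVALID_ARGUMENT",
  details: [{ "@type": FCM_ERROR_TYPE, errorCode: "INVALID_ARGUMENT" }] } };
const SAMPLE_BAD_PAYLOAD = { error: { code: 400, message: "Invalid JSON payload received. Unknown name \"priority\" at 'message': Cannot find field.", status: "INVALID_ARGUMENT",
  details: [{ "@type": BAD_REQUEST_TYPE, fieldViolations: [{ field: "message", description: "Invalid JSON payload received. Unknown name \"priority\" at 'message': Cannot find field." }] }] } };
const SAMPLE_UNREGISTERED = { error: { code: 404, message: "Requested entity was not found.", status: "NOT_FOUND",
  details: [{ "@type": FCM_ERROR_TYPE, errorCode: "UNREGISTERED" }] } };

// Returns one of: "delete_token", "malformed_token", "bad_payload",
// "invalid_argument_unknown", "other", "not_an_error".
function classifyFcmError(body) {
  const parsed = typeof body === "string" ? JSON.parse(body) : body;
  const err = parsed && parsed.error;
  if (!err) return "not_an_error";
  const details = Array.isArray(err.details) ? err.details : [];
  const fcm = details.find((d) => d["@type"] === FCM_ERROR_TYPE);
  const badRequest = details.find((d) => d["@type"] === BAD_REQUEST_TYPE);

  // Dead token: the backend should delete it.
  if (fcm && fcm.errorCode === "UNREGISTERED") return "delete_token";

  if (err.status === "INVALID_ARGUMENT") {
    // Payload problems arrive as google.rpc.BadRequest field violations that
    // point at message fields other than the token.
    const violations = badRequest && Array.isArray(badRequest.fieldViolations) ? badRequest.fieldViolations : [];
    if (violations.some((v) => !/token/i.test(v.field || ""))) return "bad_payload";
    // A malformed token arrives as an FcmError whose message names the token.
    if (fcm && /registration token/i.test(err.message || "")) return "malformed_token";
    return "invalid_argument_unknown";
  }
  return "other";
}
```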

Tapkey Token Exchange returns 400 bad request invalid_grant

Regarding the Tapkey token exchange flow:
when exchanging access tokens through the https://login.tapkey.com/connect/token API, I get error code 400 with the error message invalid_grant.
I am aware of a similar question and the solution in: Tapkey returns 400 bad request invalid_grant
My JWT token consists of the following:
Header:
{
  "alg": "RS256"
}
Payload:
{
  "algorithm": "RS256",
  "audience": "local",
  "iat": 1633339589,
  "exp": 1633343189,
  "issuer": "tapkey",
  "subject": "myIpUserID1"
}
Before I make the API call I generate the JWT token with "iat": Time.now.to_i and "exp": Time.now.to_i + 3600; the call is done a few seconds later, manually.
Beforehand I created an IdentityProviderUser via the API with "IpID": "myIpUserID1" and got a success response with a new User-ID (ID).
I also tried to make the https://login.tapkey.com/connect/token API call with "subject" set to that returned User-ID, but that gave me the same error message.
The payload field for the UserId is expected to be "sub", not "subject".

Generating oauth token on sandbox throws ServerError

When generating an OAuth token from the OrderCloud sandbox environment, OrderCloud returns ServerError. I double-checked the client_id, username, password and grant_type, and they are correct. I am able to generate a token using the client_credentials grant_type. Is there a different way to generate a token using the password grant_type?
  "client_id": "827D3F9E-F0AE-4C12-AF55-24D1D526303F",
  "grant_type": "password",
  "username": "admin02",
  "password": "Test1234567#",
  "scope": "CatalogAdmin BuyerReader MeAdmin InventoryAdmin PasswordReset OrderAdmin PriceScheduleAdmin ProductAdmin ProductAssignmentAdmin ShipmentAdmin",

  "ErrorCode": "ServerError",
  "Message": "An unknown error has occurred on the server.",
Your API Client has a ClientSecret set and you are not passing the ClientSecret in the request body. If you remove the ClientSecret, or pass it in the request body, your call should succeed.
It should be returning a 400 though rather than 500, so I will log that as a bug on our end.