Is there any methods to find get custom query params in controller even using EnableRequestCaching()? - openiddict

I'm using Angular SPA with IDServer. In SPA application customers can change the culture but I want to change IDServer's culture for the first login. For example, if customers want to continue with French I have to send a parameter in customQueryParams (angular-oauth2-oidc) for their first login. However, I also use EnableRequestCaching in Startup.cs. I would like to get OpenIdDictRequest in Account/Login method.
Thank you!

If I understand your question correctly, your users are redirected from the SPA to the IDServer with a custom query parameter containing the user's culture.
They would land at your authorization endpoint first, before being redirected to Account/Login. In the authorization endpoint you have the OpenIddictRequest at your disposal. You could send the culture from the OpenIddictRequest along with the redirect to Account/Login, through a query parameter or ViewData.

Related

how to use cakePHP addUnauthenticatedActions() with tokens in the URL

I am working in Cake 4 and have successfully included the authentication plugin that replaces the deprecated Auth(). To avoid an infinite redirect loop I have added the actions I want excluded from authentication similar to that shown in the Cake CMS tutorial.
UsersController:
$this->Authentication->addUnauthenticatedActions(['login', 'forgotpassword', 'resetpassword']);
I intend to use tokens for the resetpassword action and a reset link sent to a user will look something like this.
http://localhost/axletrace/users/resetpassword7724d1bbd400e0bd624411549a2dd64c6b73481e
Because the action requested now looks like 'resetpassword7724d1bbd400e0bd624411549a2dd64c6b73481e', it is not a match to the exclusions listed above and it redirects to the login page.
I have tried using a wildcard as shown below but it makes no difference.
$this->Authentication->addUnauthenticatedActions(['login', 'forgotpassword', 'resetpassword*']);
Given that the token is not a static value what is the way to handle this situation. I am trying to use the token as an authentication token only. I would prefer not to use JWT Authentication and I am not worrying about session tokens for the time being.
Any help would be apprecated, thanks.

ASP.NET Core conditional redirect if not authorized

My ASP.NET Core 6 website has two "areas", Doctors and Patients. Now, if someone is not yet authenticated and tries to access a page in one of those areas, I want to redirect the request to either a Doctors Login or Patients Login depending on the "area" containing the requested page. In other words (for example):
https://example.com/doctors/home redirects to the Doctors Login page
https://example.com/patients/home redirects to the Patients Login page
Is there a "correct" way to set this up, or do I need to come up with some sort of scheme using something like app.UseStatusCodePages (as described in this SO post), or let ASP.NET redirect to a single login page and add code to the GET routine to add yet another redirect based on the request URL, or maybe write some custom pipeline code?

Rally: Seeing information about the current user from a web client

I'm writing a Rally app using REST service calls and JQuery. I'd like to customize app behavior to the current user, i.e., show their default project. Is there a way to get a username or ID for the current auth session? The closest I've found is this website url, which redirects to the userid (if you request it while logged in).
https://rally1.rallydev.com/#
But is there a real way to do it? A REST call would be nice, but I guess that's not RESTful?
You can make a request to https://rally1.rallydev.com/slm/webservice/1.38/user.js and it will return results for the currently logged in user.
Include UserProfile and DefaultProject in your fetch and any other fields on Project, Workspace, WorkspaceConfiguration and UserProfile objects and you should be able to get most of the info you're looking for.
If you're using SDK 2 some of this information is already available in the current context:
Rally.environment.getContext().getUser();

Search Netflix using API without the user being logged in?

I'm trying to search Netflix through their API, but without logging anyone in (because I want to do this on the back-end, not necessarily related to any user action). I'm just starting off with their API so please forgive me if I'm doing something completely stupid. Here's the URL I'm trying to access:
http://api.netflix.com/catalog/titles/?oauth_consumer_key=MY_CONSUMER_KEY&oauth_token_secret=MY_SECRET&term=fight+club
However, that gives me a 400 Bad Request error. Is there no way to browse/search the Netflix catalog without having a user first sign in to my application? Or am I doing something wrong?
Note: I'm accessing said URL through my browser, since I only want to perform a GET request, which is what a browser does by default.
When using OAuth you need to compute a signature for the request, even if you're using 2-legged authentication which just uses your shared-secret and no user token (this means that your application is logged in, but no user is logged in).
If it's an HTTP (as in non-SSL) URL then you need to be using the HMAC-SHA1* signature method rather than PLAINTEXT because you don't want your consumer secret being passed across the wire in plain text.
If they allow an HTTPS URL then you can use the PLAINTEXT method, but you'll still need to calculate it as per https://datatracker.ietf.org/doc/html/draft-hammer-oauth-10#page-27 and pass that as the oauth_signature query string parameter instead of passing oauth_token_secret. Note that you'll also need to pass oauth_signature_method=PLAINTEXT as a parameter too.
Also, it might be worth looking at the response that comes back. If they implement the OAuth Problem Reporting extension then that could give you some help with what's wrong.
*or another method that encryptes your shared secret

Redirecting back to a page after authentication through OpenID, Oauth, or Facebook Connect

I'm allowing users to login to my site with either OpenID, Twitter OAuth or FBConnect. If the user attempts to go to a page that requires them to be logged in, after that user logs in I want to send them BACK to that page. Is there an easy way to accomplish this with all of these or should I simply just write the redirect page to a cookie and upon a successful login send them to that page? I'm using Django so if there are any nice tips or tricks involving that specifically that would be great.
Thanks for the input in advance!
You could thread that parameter (the page they were at) through as a parameter to your return_to. As noted in the spec:
Note: The return_to URL MAY be used as a mechanism for the Relying Party to attach context about the authentication request to the authentication response. This document does not define a mechanism by which the RP can ensure that query parameters are not modified by outside parties; such a mechanism can be defined by the RP itself.
For example:
def sendOpenIDCheck(...):
# after getting an AuthRequest from Consumer.begin
return_to = oidutil.appendArgs(return_to,
{'destination_url': that_place_they_tried_to_go})
return redirect(auth_request.redirectURL, realm, return_to))
def handleReturnTo(request):
# after doing Consumer.complete and receiving a SuccessResponse:
return redirect(request.GET['destination_url'])
If there's some other state you need to track (like POST data), or you have an extraordinarily long URL that you can't fit in as a query parameter, or you need to have the destination_url tampered with by the user, you store that information server-side, send the key as a query parameter instead of a URL, and look it up when they get back.
Not very different from storing it in the session, unless the user's got several simultaneous tabs in one session that run in to this, and then having it in the query helps.
Sadly OAuth and OpenID aren't really aware of your app states (while OAuth WRAP can be). So you have to take the following assumption:
The user will complete the sign-in WITHOUT switching tabs/windows or doing other requests on your site.
Then you can do the following:
Once you detect the access of a protected site, store the full query in the session. This won't work at all if it's a POST request, you have to prepare for this problem (show them a warning site with a lik that they must login first).
Store a timestamp of when this request happend.
On your OpenID callback check whether the session variables are set and redirect the user to the stored query. Check the timestamp (don't redirect if the timestamp is older than 5 minutes or so). After that clear both variables from the session.
This will lead to odd behaviour if the user violates against the assumption, but I don't think there is any way you can circumvent that.