I have a case with an Order System (ASP.NET Core 2.2 with Identity Server 4 auth)
where I post form-data to an external Api from a Controller for Payment purposes.
The remote Api is configured with a return-url (after Payment is processed)
Problem is when the user is returned to my system they are no longer authenticated so they are automatically redirected to the identity-server and automatically re-autheticated (as the Cookie is still valid) but in this process the returned data from the api is lost. I can see the data (and the complete request) in my logs, but the Controller-method for the return-url is never accessed (as before that point the middleware has detected the user is not authenticated, or this is my assumption.)
If I cannot capture the returned data I cannot save the results from the Payment attempt.
(For testing purposes I have set [AllowAnonymous] attribute on the return-url controller method, but this did not work. It still redirected to the identity-server.)
How does one solve this as I cannot handle this in the controller method as this is never accessed ?
(The remote Api does allow for custom parameters to be passed and then returned as query-strings to the return-url.)
Thanks
//Jonas
[Edit] : The response is posting some user-data like address etc to the web-service (it is not a rest API, sorry for mixing words). The user then gets a HTML response from the remote webservice with a form to post the creditcard info. At this point they are no longer on our site, after post they are redirected to the return-url on our site. This is where they are no longer authenticated, but I assume they still have the cookie, as they are automatcally logged in without needing to input username and passw again. (so I guess in a sense they are still authenticated, but the system is not able to get the user info. User info is filled again after re-route to the identity server and back.)
Related
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).
Step 1:
GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
I hit 200 and as answer I receive this:
Step 2:
I use the user link.
So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct).
In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)
Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot).
This is how I compose the call:
If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I succesfully login and hit 404, where in the answer I receive back my access token.
Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.
Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can access the resource at the last step.
EDIT:
The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.
So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resouce which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.
You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.
As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.
https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc
I am using identityserver4 for all configured clients with "AccesssTokenType=1" i.e. reference type.
I have one web app hosted for server, and other one for clients.
I used default identityserver settings, which generated two cookie, one for session Id "idsrv.session", and other one for authentication "idsrv".
In logout I do signout
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme);
however it gives error when I call with "idsrv.session"
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCheckSessionCookieName);
Issue / Steps to reproduce the problem
1st Iteration : Login on my client website which redirects to my identityserver application. I now interceprt the request and response using "Burp Suite". I copy the complete response which has redirect URL's and cookie details.
I signout/logout from client website.
2nd Iteration : I tried login again, and intercepted the request and response using Burp Suite, by passing wrong credential. While Intercepting the response I just copied the cookies from previous request (which was successful in my first iteration), and observe that identityserver has successfully validated the user using the cookie value, ignoring the wrong credentials in this iteration.
Even I tried invalidating and deleting cookies in my signout/logout method, but looks like identityserver still recognises it as the valid ones.
Brock Allen directed me to the corrrect solution. According to him :
This is the real issue you're asking about -- when you signout, you want the cookie to no longer be valid, even in the scenario when it's stolen and replayed. This is not something IdentityServer can address, because we use Microsoft's cookie authentication to achieve signin. You would have to fix this by changing the default usage of their component. You can do it by implementing "server-side cookie" (a term that I dislike) by implementing an ITicketStore: https://github.com/aspnet/Security/blob/master/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L136
Details Here
https://github.com/IdentityServer/IdentityServer4/issues/2565
I have a backend with Drupal.
Using Drupal Services to interact with. Which provides a rest server.
Created endpoint named 'api'.
Following sequence works in normal browser or any http client like postman :-
example.com/api/login (works).
api sends back user data (token,session id, session name etc).
Further any request I make, I send token as X-CSRF-Token (all requests work).
I can even logout the same session with the token received before.
IN IONIC APP :-
I can login and I also store user data (token, session data etc.) in local storage after login.
Here's the difference in app :-
When I send the same token back to server while making a request (say logout).
Server's response is "User is not Logged In."
Why does this happen?
Update :-
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.
I faced the same issue. Problem was i never set the cookie and chrome did this for me automatically.
Luckily i found this great site:
drupalionic.org
There are links to a view demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve session data and set cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?
I'm using JMeter to load test my web app. I created two HTTP Requests, one visit login page and the other, log into my account. The visit login page HTTP request works fine and returns 302 Found status. JMeter displays the login page and there 0% errors on that page.
However, when I try to login into my account using the POST Data I retrieved from Firebug POST, it doesn't work and returns a 500 status error.
I am having difficulty getting the logging into my account feature to work. I have tried to send a POST request with the following:
1) __RequestVerificationToken
2) languageDropDown (My web app requires it)
3) UserName
4) Password
but I am still getting the error.
I followed this tutorial as it's the only one on ASP.NET MVC web apps...
http://build-failed.blogspot.pt/2012/07/load-testing-aspnet-mvc-part-3-jmeter.html
But I didn't do the feedback form data because I don't need it. Just grab the general concepts and regular expression from that webpage and tried it on my app but it fails.
Why? How do I fix it?
Is it because I have cookies to store session and only unique users can login my web app at one time? I did add a cookie manager though.
BTW, this is on a deployed web application (not localhost).
Some photos, I blocked out all sensitive information (sorry) and some of the token's (Just in case?)
Are you sure you have static authentication token? May it dynamic?
Look at second video that deals with token at 5:37 min to understand how to extract dynamic authentication token.
Exept HTTP Cookie manager, try to add HTTP Cache manager
Say the page where user can update his own profile: profile_update.php?id=1234567...(user's Google id).
Question:
How can I restrict access with the returned authResult or me? (I mean which item in the object will help that, not how to get these item out).
or Do I still need to build a server side $_SESSION for that?
You could do some validation on the client side using the auth result, but you'd also want to verify that the request you get on the server side is from who you think it is from to prevent cross-site request forgery attacks. So you'd need something that validate that the POST that update the profile came from an authenticated user, not just that the POST data was in the correct format. So typically, your form will send a specific code (a CSRF token) and that same token must be present in the user's cookies (or a server side session token, which in PHP can be accessed via $_SESSION).