Using Google OAuth in a deployment - asp.net-core

I've set up an ASP.Net Core project to use Google OAuth signin from this tutorial
I created a client ID & secret using the settings 'Web server' with address 'https://localhost:5001/signin-google' and exposed the secrets to the app as described in the tutorial. I have a basic view which is just the minimum required HTML & JS to show a 'Sign in with Google' button and allow authentication (verified working on localhost).
I created a deployment in a docker container on a Raspberry Pi on the local network. When I navigate to the view with the Google sign in button and click it, I get an error of
Error: invalid_request
Permission denied to generate login hint for target domain.
In the error details it specifies the redirect URL as:
redirect_uri=storagerelay://http/x.x.x.x:8000?id=auth572720
where x.x.x.x is the address of the Pi on our local network
I am assuming this is because the client expects a redirect URL of 'https://localhost..etc' but is getting 'http://x.x.x.x'.
I am unsure how to solve this; it seems like I may need to create another token to enable authentication on my Raspberry Pi (e.g. create another 'web server' OAuth sign-in using the redirect address 'http://x.x.x.x.etc/signin-google'), but when I try this I get an error of 'Must be a top private domain'.
All in all this is very frustrating, and I would appreciate any help.

There is no need to create a new credential, just add the new redirect URL to the existing credential.
The redirect URL domain must be a TLD. Choose something like localhost.mydomain.com and then add an entry in your /etc/hosts file to resolve localhost.mydomain.com to x.x.x.x

Related

Is it possible to add an IP address to the Google Console's list of allowed javascript authorised origins?

I have implemented the Sign in with google option in my web app. (JSP page, Tomcat server, localhost:8080)
Google sign-in works fine while running it on localhost, but the sign-in option is not working while running the web app using the IP address; it results in "Access blocked: Sign in with Google's request is invalid". Error 400: redirect_uri_mismatch.
So I thought I needed to add the IP address in the Google Cloud developer console as an authorized origin, but it won't allow an IP as an authorized JavaScript origin.
How can I add my IP address (172.22....) as an authorised JavaScript origin, so that the sign-in with Google option works?
Basically, I'm trying http://172.22.... instead of http://localhost:8080
Using private IPs is not allowed.
See https://developers.google.com/identity/protocols/oauth2/policies#secure-response-handling and the host section of https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation.

How to change redirect_uri for Azure AD

I've got an Azure Service Fabric web app (AspNetCore 3) hosted behind a reverse proxy (nginx). The app uses Azure AD (in-company) authentication. I've registered the app in AD and set up the redirect URLs. After publishing the app and configuring DNS and the reverse proxy I tried to authorize to my app but failed with the error
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '...-...-...-...-...'.
I sniffed the request and found that it redirects to the internal IP, not the domain name
https://login.microsoftonline.com/aeb55839-c47b-4fea-8d95-912f673fa7ac/oauth2/v2.0/authorize?client_id=.....&redirect_uri=http%3A%2F%2F10.2.0.5%3A44321%2Fsignin-oidc...
It seems that I've looked everywhere but I still cannot find where I can specify the redirect URL manually (only CallbackPath).
Has anyone solved this issue?
Update 1.
Add screenshot from Azure Portal
Update 2
Manually adding http://10.2.0.5:44321/signin-oidc to the Redirect URLs, I get a new exception
AADSTS500117: The reply uri specified in the request isn't using a secure scheme.
I wonder whether I have to secure my ASF cluster to allow AD authorization? It seems strange to me, since I want to secure traffic to the reverse proxy only.
This error will occur when there is a mismatch of redirect URI being sent in the request to AAD while fetching the token and the one registered with the Application Registration Object in AAD portal.
In the App Registration blade of AAD, look for the redirect URI section under the "Authentication" section of the registered application and update the redirect URL. Please refer to the screenshot below:
Update:
The Reply url you are using in your code is http://10.2.0.5:44321/signin-oidc which is different from reply url defined in Azure AD i.e., https://dev-adm.project-llc.ru/signin-oidc. Please update the reply url in code or in AAD.
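The answer above says what to change but not why the app sends the internal address in the first place. The following is an added example, not code from the question or the answer, and it rests on an assumption: an OIDC middleware builds redirect_uri from the scheme and Host of the request it actually receives, and behind a reverse proxy that is the proxy-to-app hop (http, 10.2.0.5:44321) unless the app is told to trust X-Forwarded-Proto and X-Forwarded-Host from that proxy. The proxy network, the proxy and client addresses, and the header values below are made up for the illustration; the public host is the one named in the answer.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Assumed for the example: only the reverse proxy network may set X-Forwarded-* headers.
TRUSTED_PROXY_NETWORKS = [ip_network("10.2.0.0/24")]
CALLBACK_PATH = "/signin-oidc"  # the CallbackPath the question mentions


def _first(value):
    """X-Forwarded-* headers can be comma-joined when several proxies append to them."""
    return value.split(",")[0].strip()


def build_redirect_uri(headers, remote_addr, listener_scheme="http", trust_forwarded=True):
    """Build redirect_uri the way an OIDC middleware does: request scheme + Host + CallbackPath.

    trust_forwarded=False reproduces an app that ignores forwarded headers: it only
    sees the hop from the proxy, so the result is the internal http://10.2.0.5:44321
    address seen in the sniffed request above.
    trust_forwarded=True applies X-Forwarded-Proto / X-Forwarded-Host, but only when
    the connection really comes from a trusted proxy. Honouring those headers from any
    client would let an attacker choose the host the authorization response is sent
    to, which is exactly what redirect_uri registration exists to prevent.
    """
    h = {name.lower(): value for name, value in headers.items()}
    scheme = listener_scheme
    host = h["host"]
    if trust_forwarded and any(ip_address(remote_addr) in net for net in TRUSTED_PROXY_NETWORKS):
        scheme = _first(h.get("x-forwarded-proto", scheme))
        host = _first(h.get("x-forwarded-host", host))
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {scheme!r} in forwarded headers")
    return urlunsplit((scheme, host, CALLBACK_PATH, "", ""))


# Constructed request as the app would see it from nginx: Host rewritten to the
# upstream address, public scheme and host carried in the forwarded headers.
SAMPLE_HEADERS = {
    "Host": "10.2.0.5:44321",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "dev-adm.project-llc.ru",
}
PROXY_ADDR = "10.2.0.10"       # assumed address of the nginx box
INTERNET_ADDR = "203.0.113.7"  # a client reaching the app directly, bypassing the proxy

if __name__ == "__main__":
    print(build_redirect_uri(SAMPLE_HEADERS, PROXY_ADDR, trust_forwarded=False))
    print(build_redirect_uri(SAMPLE_HEADERS, PROXY_ADDR))
    print(build_redirect_uri(SAMPLE_HEADERS, INTERNET_ADDR))
```

The first call yields http://10.2.0.5:44321/signin-oidc (the value in the sniffed request), the second https://dev-adm.project-llc.ru/signin-oidc, and the third falls back to the internal address because the forwarded headers did not come from a trusted proxy. In ASP.NET Core the equivalent is the forwarded-headers middleware (UseForwardedHeaders with ForwardedHeadersOptions, restricted with KnownProxies or KnownNetworks) registered before authentication, with nginx sending proxy_set_header X-Forwarded-Proto $scheme; and proxy_set_header X-Forwarded-Host $host;. Once the app sees the public https host, the redirect_uri it sends matches the registered one, and the AADSTS500117 "secure scheme" error from Update 2 no longer applies, without terminating TLS at the app itself.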

AAD Reply Url Issue with https

We have an on-prem asp.net core app that leverages AAD for authentication; the app is set up to run in both:
http://domainserver/app
&
https://domainserver/app
In Azure AD the reply url for the application is setup as
http://domainserver/app/signin-oidc & https://domainserver/app/signin-oidc
When using http url, the sign-in process works fine, however in https mode, we get the following error:
AADSTS50011: The reply address ‘https://domainserver/app/signin-oidc’
does not match the reply addresses configured for the application:
appguid . More details: not specified
The reply https url is setup in AAD for the App exactly as it appears in the error message, so I’m not sure why it says it’s not matching.
One reason I can think of is that the SSL certificate used for https is a local domain signed certificate, and somehow it’s causing the error. But I’m not sure if that’s the case since AAD is just responsible to redirect back to the specified url, should not really care or know about the validity of the SSL.
Here is the image showing the setting url, the redirect url and the error message url matches exactly. You just have to trust me the part that's blocked out are also the same. :)
Anyone got any ideas why this happens?
Protocol matters. Azure AD will treat http://website.com and https://website.com as different reply URLs. However, Azure only lets you put in multiple Reply URLs in the same domain. There is a case solution that may be helpful to you:
Issue: Using the Azure AD authentication option to sign into the Skype for Business (SfB) Web SDK and you are seeing an AAD error page. The error page should have this message:
"AADSTS50011: The reply address 'https://...' does not match the reply
addresses configured for the application <...>"
Solution:
You need to configure the main domain name where you're hosting your app as a reply URL in the AAD registration for your app and pass it as the redirect_uri when redirecting to AAD to allow the user to sign in.
You should be using code like this to redirect the user to enter her credentials to sign into Azure AD:
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + window.location.href;
window.location.href = href;
Note In the code above that we are using window.location.href as the value of the redirect_uri query parameter in forming the URL of the AAD endpoint where the user will sign in. This parameter tells AAD to redirect the client browser and the access token obtained by signing into AAD back to the page we're currently on - the main app page. However, AAD will only redirect the access token to URLs that are specified as Reply URLs in the app registration in AAD.
Follow these steps to check your configured Reply URLs and add additional ones:
Sign into portal.azure.com with an account that's an administrator on your tenant.
Navigate to Azure Active Directory in the left side bar > App registrations > Your app > All settings > Reply URLS.
Type the domain name where you're hosting your app and click Save.
This solution is from this document.
Update
According to your screenshot, your Reply URI is different:
https://domainserver/app/signin-oidc
is not in your Reply URL list; what is in your Reply URL list is
https://domainserver/app/signin-odic
Change them to the same URL.

App not listed in authorized apps in google account

When I try to get an access token via OAuth (the OAuth screen with the Allow button) on my local machine it works, but when I do the same on the test server I get the OAuth screen, I press Allow, it redirects to the callback URI with a code, and then the app asks for a token (I use the PHP lib):
$client->authenticate($request->get('code'));
$access_token = $client->getAccessToken();
and I get null in response; the application does not get authorized and it's not in the authorized apps in my Google account.
I've checked the redirect URLs listed in Google APIs - everything matches!
And I don't get any errors from Google; it just redirects to the callback URL and does not add the application to the authorized apps list.
But it works locally with the same credentials. Can anyone help me and point me to where the problem can be?
Solved. I did not set the redirect URL before $client->authenticate($request->get('code'));

Configuring a custom port for the 'localhost' redirect URL in Google OAuth 2.0

I want to configure a custom port for the redirect URL in the Google Developer Console for the class of 'Installed Apps'.
Following the instructions in https://developers.google.com/accounts/docs/OAuth2InstalledApp , it turns out that this should be possible:
redirect_uri=http://localhost:9004&
Going to the Console ("console.developers.google.com"), "Credentials", and "Create New Client Id", I cannot find the field, where to enter a custom port number. Does anyone know how to do this?
Thanks!
In fact, the document you've read has answered your question:
When you create a client ID in the Google Developers Console, two redirect_uris are created for you: urn:ietf:wg:oauth:2.0:oob and http://localhost. The value your application uses determines how the authorization code is returned to your application.
http://localhost signals to the Google Authorization Server that the authorization code should be returned as a query string parameter to the web server on the client. You may specify a port number without changing the Google Developers Console configuration.
I tried this idea and it works.
Give consecutive or probable ports in the credentials as
**Redirect URIs**
http://localhost:55738/YoutubeVideoList.aspx
http://localhost:8080/YoutubeVideoList.aspx
http://localhost:8081/YoutubeVideoList.aspx
http://localhost:8082/YoutubeVideoList.aspx
http://localhost:8083/YoutubeVideoList.aspx
http://localhost:8084/YoutubeVideoList.aspx
and don't forget to give the correct redirect URI with port (any one of the above) when starting the authentication process.
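Every thread on this page is the same check failing for a different reason: the authorization server compares the requested redirect_uri against the registered list by exact string match, so scheme (http vs https in the "Protocol matters" answer), host (a private IP in the 172.22 question, rejected at registration time), port, and path (signin-odic vs signin-oidc) all have to agree, and the token endpoint then requires the same redirect_uri it saw at the authorization step (the PHP fix above). The one relaxation is the installed-app case in the last answer, where a registered http://localhost matches any port. The Python below is an added model of those rules written for this page; it is not Google's or Azure AD's code. The client registry, the client IDs and the simplified registration rules are assumptions constructed for the illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit
import secrets

# Constructed client registry for the example, modelled on the URLs in the thread.
CLIENTS = {
    "web-app": {"type": "web", "redirect_uris": {
        "https://localhost:5001/signin-google",
        "https://localhost.mydomain.com:8000/signin-google",
        "https://domainserver/app/signin-oidc",
    }},
    "installed-app": {"type": "installed", "redirect_uris": {"http://localhost"}},
}
ISSUED_CODES = {}  # code -> (client_id, redirect_uri the code was issued for)


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def registration_allowed(uri):
    """Simplified form of the console rules the answers link to: loopback may use http
    and any port; anything else needs https and a domain name, never a raw IP address."""
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "scheme must be http(s) and a host is required"
    if is_loopback(p.hostname):
        return True, "loopback redirect"
    try:
        ip_address(p.hostname)
        return False, "IP address hosts are not allowed; register a domain name instead"
    except ValueError:
        pass
    if p.scheme != "https":
        return False, "non-loopback redirect URIs must use https"
    return True, "ok"


def redirect_uri_matches(client_id, requested):
    """The authorization endpoint's check: exact string match on scheme, host, port,
    path and query. The only relaxation is for installed apps, where a registered
    http://localhost entry matches any port, since the app picks a free port at run time."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client_id"
    req = urlsplit(requested)
    if req.fragment:
        return False, "redirect_uri must not carry a fragment"
    for registered in client["redirect_uris"]:
        if registered == requested:
            return True, "exact match"
        reg = urlsplit(registered)
        if (client["type"] == "installed" and reg.scheme == req.scheme == "http"
                and is_loopback(reg.hostname) and is_loopback(req.hostname)
                and (reg.path or "/") == (req.path or "/") and reg.query == req.query):
            return True, "loopback match, port ignored"
    return False, "redirect_uri_mismatch"


def diagnose(client_id, requested):
    """Field-by-field comparison against each registered URI, to surface the kind of
    mismatch the thread keeps hitting: http vs https, or a one-letter path typo."""
    req = urlsplit(requested)
    report = {}
    for registered in sorted(CLIENTS[client_id]["redirect_uris"]):
        reg = urlsplit(registered)
        fields = [("scheme", reg.scheme, req.scheme), ("host", reg.hostname, req.hostname),
                  ("port", reg.port, req.port), ("path", reg.path, req.path),
                  ("query", reg.query, req.query)]
        report[registered] = [f"{name}: registered {a!r}, requested {b!r}"
                              for name, a, b in fields if a != b]
    return report


def authorize(client_id, redirect_uri):
    """Issue a code only for a validated redirect_uri, and remember which one it was."""
    ok, why = redirect_uri_matches(client_id, redirect_uri)
    if not ok:
        raise PermissionError(why)  # show an error page; never redirect to an unvalidated URI
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return code


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint (RFC 6749 section 4.1.3): the redirect_uri sent here must equal the
    one used at the authorization step, which is why the PHP client above got no token
    until it set the redirect URL before exchanging the code."""
    issued = ISSUED_CODES.pop(code, None)  # single use
    if issued is None:
        return None, "invalid_grant: unknown or already used code"
    if issued != (client_id, redirect_uri):
        return None, "invalid_grant: redirect_uri differs from the authorization request"
    return secrets.token_urlsafe(32), "ok"
```

diagnose("web-app", "https://domainserver/app/signin-odic") reports only a path difference against the registered signin-oidc entry, and diagnose("web-app", "http://localhost:5001/signin-google") reports only the scheme; registration_allowed("http://172.22.0.5:8080/login") is refused for the IP-literal host, while "http://localhost:9004" is accepted and matches the installed app's "http://localhost" entry on any port. The authorization endpoint raises rather than redirecting when the check fails: redirecting to an unvalidated redirect_uri is the open-redirect that would hand the code to an attacker, which is the reason all of these providers are so strict.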