I don't know if you can help me understand the right way forward with this issue. I need to provide a little bit of background first.
I have a VB.Net Console Utility that uses the Google V3 Calendar API. This utility has the following process to authenticate:
Private Function DoAuthentication(ByRef rStrToken As String, ByRef rParameters As OAuth2Parameters) As Boolean
Dim credential As UserCredential
Dim Secrets = New ClientSecrets() With {
.ClientId = m_strClientID,
.ClientSecret = m_strClientSecret
}
'm_Scopes.Add(CalendarService.Scope.Calendar)
m_Scopes.Add("https://www.googleapis.com/auth/calendar https://www.google.com/m8/feeds/ https://mail.google.com/")
Try
credential = GoogleWebAuthorizationBroker.AuthorizeAsync(Secrets, m_Scopes,
"user", CancellationToken.None,
New FileDataStore("PublicTalkSoftware.Calendar.Application")).Result()
' Create the calendar service using an initializer instance
Dim initializer As New BaseClientService.Initializer() With {
.HttpClientInitializer = credential,
.ApplicationName = "~~~~~~~~~~"
}
m_Service = New CalendarService(initializer)
rStrToken = credential.Token.AccessToken.ToString()
rParameters.AccessToken = credential.Token.AccessToken
rParameters.RefreshToken = credential.Token.RefreshToken
Catch ex As Exception
' We encountered some kind of problem, perhaps they have not yet authenticated?
Return False
End Try
Return True
End Function
This part of the application process works fine. The data store file gets created and once the user has authenticated it all seems to just work find from there on. The user will be able to update the calendar without any further authenticating on there part.
Now, I also have a part of my MFC (the main application) project that sends emails for the user. This uses the following CkMainManW library.
For the most part that works too. If the user has correctly set up their credentials it is fine. However, if they are using GMail, then I do things slightly differently. This is to avoid the need to have the "Allow third party apps" option to be ticked in the Google account.
So, for GMail users, we send emails like this:
mailman.put_SmtpUsername(strUsername);
mailman.put_OAuth2AccessToken(strGoogleToken);
As you can see, I use the OAuth2AccessToken. This actual value passed is the credential.Token.AccessToken.ToString() value stored from when the user authenticated. Now, I have since understood that this actual token only lasts for one hour. This would explain why some users have to repeatedly run my calendar authentication again to get a new access token.
Clearly, when I do the calendar authentication which uses the data store file, it does something under the hood the avoid the user being asked all the time to authenticate.
Now, I have read this tutorial about using the Chilkat Library for this. I notice now that in the sample code it has a comment:
// Now that we have the access token, it may be used to send as many emails as desired
// while it remains valid. Once the access token expires, a new access token should be
// retrieved and used.
So, with all the background, how do I resolve my issue? So I have a data store file that contains the original access token from when they authorised and a refresh token. This file was created by the VB.Net command line module.
By the sounds of it, the Chilkat routine needs an access token that is valid. So, what is the right way for me to get an updated access token from the refresh token, so that when I send emails it won't fail after an hour?
Update
I am getting myself confused. I changed my code so that it called the DoAuthentification call above to get the refresh token and access token. But I am finding that the actual data store file is not getting revised. The text file is not being revised.
I have to revoke access and then do the authentication to get the data store file revised. And it is only once it has been revised that the access token will work for sending emails.
I think I have found the solution. I saw this answer:
https://stackoverflow.com/a/33813994/2287576
Based on the answer I added this method:
Private Function RefreshAuthentication(ByRef rStrAccessToken As String, ByRef rStrRefreshToken As String) As Boolean
Dim parameters As New OAuth2Parameters
With parameters
.ClientId = m_strClientID
.ClientSecret = m_strClientSecret
.AccessToken = rStrAccessToken ' Needed?
.RefreshToken = rStrRefreshToken
.AccessType = "offline"
.TokenType = "refresh"
.Scope = "https://www.googleapis.com/auth/calendar https://www.google.com/m8/feeds/ https://mail.google.com/"
End With
Try
Google.GData.Client.OAuthUtil.RefreshAccessToken(parameters)
rStrAccessToken = parameters.AccessToken
rStrRefreshToken = parameters.RefreshToken
RefreshAuthentication = True
Catch ex As Exception
RefreshAuthentication = False
End Try
End Function
I am not sure if I need to pass in the existing access token or not before refreshing. But either way, the tokens get updated and I can proceed with sending emails.
FYI, in the end it became apparent that I did not need any bespoke Refresh at all because the system manages it for you under the hood.
Private Async Function DoAuthenticationAsync() As Task(Of Boolean)
Dim credential As UserCredential
Dim Secrets = New ClientSecrets() With {
.ClientId = m_strClientID,
.ClientSecret = m_strClientSecret
}
Try
credential = Await GoogleWebAuthorizationBroker.AuthorizeAsync(Secrets, m_Scopes,
"user", CancellationToken.None,
New FileDataStore("xxx.Calendar.Application"))
' Create the calendar service using an initializer instance
Dim initializer As New BaseClientService.Initializer() With {
.HttpClientInitializer = credential,
.ApplicationName = "yy"
}
m_Service = New CalendarService(initializer)
Catch ex As Exception
' We encountered some kind of problem, perhaps they have not yet authenticated?
' Can we isolate that as the exception?
m_logger.Error(ex, "DoAuthenticationAsync")
Return False
End Try
Return True
End Function
I have not required any bespoke Refresh of tokens for a long time now.
Related
I recently started developing using IdentityServer4. What I want to achieve is to have a number of independent web applications that use the same authorization server, my identity server.
My problem is how to make sure, that all my independend web applications have obtained and display the up to date user information (like firstName,lastName,avatar etc) which are stored in my IdentityServer4 database
I am aware that I should implement the IProfileService interface, to make sure that user-info endpoint will return all additional user info, but I dont know where to call this api request from my web applications. I have created a function that looks like this:
var t = await HttpContext.GetTokenAsync("access_token");
if (!String.IsNullOrEmpty(t))
{
var client = new HttpClient();
var userInfoRequest = new UserInfoRequest()
{
Address = "https://localhost:5001/connect/userinfo",
Token = t
};
var response = client.GetUserInfoAsync(userInfoRequest).Result;
if (response.IsError)
throw new Exception("Invalid accessToken");
dynamic responseObject = JsonConvert.DeserializeObject(response.Raw);
string firstName = responseObject.FirstName.ToString();
HttpContext.Session.SetString("User_FirstName", firstName);
string lastName = responseObject.LastName.ToString();
HttpContext.Session.SetString("User_LastName", lastName);
HttpContext.Session.SetString("User_FullName", firstName + " " + lastName);
if (responseObject.Image != null && !String.IsNullOrEmpty(responseObject.Image.ToString()))
{
string im = responseObject.Image.ToString();
HttpContext.Session.SetString("User_Image", im);
}
}
to get user Info from web applications.
My problem is when and how to call this function, every time the user redirects logged in from identity server to my web application, and how to make sure that Sessions will keep user associated data, for as much as the user remains logged in to my web application.
You can call Token Introspection endpoint to get all user info from #identityServer4.
I am facing the below error while generating token for service account for the Hangout Scope - https://www.googleapis.com/auth/chat.bot.
Where i receive 400 response code after making a post request to this url -
https://www.googleapis.com/oauth2/v4/token
the params are
Content-Type:application/x-www-form-urlencoded
httpMode:POST
body:grant_type=jwt-bearer&assertion=assertion-token
Note:This was completely working fine. Suddenly am facing this issue.
cross verified: jwt generation,service_account_id and etc...
Error Response : { "error": "invalid_scope", "error_description": "Some requested scopes cannot be shown": [https://www.googleapis.com/auth/chat.bot]}
code for generating assertion:
//FORMING THE JWT HEADER
JSONObject header = new JSONObject();
header.put("alg", "RS256");
header.put("typ", "JWT");
//ENCODING THE HEADER
String encodedHeader = new String(encodeUrlSafe(header.toString().getBytes("UTF-8")));
//FORMING THE JWT CLAIM SET
JSONObject claimSet = new JSONObject();
claimSet.put("iss","123#hangout.iam.gserviceaccount.com");
claimSet.put("sub","one#domain.com");
claimSet.put("scope","https://www.googleapis.com/auth/chat.bot");
claimSet.put("aud","https://oauth2.googleapis.com/token");
long time = System.currentTimeMillis() / 1000;
claimSet.put("exp",time+3600);
claimSet.put("iat",time);
//ENCODING THE CLAIM SET
String encodedClaim = new String(encodeUrlSafe(claimSet.toString().getBytes("UTF-8")));
//GENERATING THE SIGNATURE
String password = "secretofkey", alias = "privatekey";
String signInput = encodedHeader + "." + encodedClaim;
Signature signature = Signature.getInstance("SHA256withRSA");
String filepath = "/check/PrivateKeys/hangoutPKEY.p12";
KeyStore kstore = KeyStore.getInstance("PKCS12");
fis = new FileInputStream(filepath);
kstore.load(fis, password.toCharArray());
KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) kstore.getEntry(alias, new KeyStore.PasswordProtection(password.toCharArray()));
PrivateKey pKey = pke.getPrivateKey();
signature.initSign(pKey);
signature.update(signInput.getBytes("UTF-8"));
String encodedSign = new String(encodeUrlSafe(signature.sign()), "UTF-8");
//JWT GENERATION
String JWT = signInput + "." + encodedSign;
String grant_type = URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer");
reqBody = "grant_type=" + grant_type + "&assertion=" + JWT;
public static byte[] encodeUrlSafe(byte[] data) {
Base64 encoder = new Base64();
byte[] encode = encoder.encodeBase64(data);
for (int i = 0; i < encode.length; i++) {
if (encode[i] == '+') {
encode[i] = '-';
} else if (encode[i] == '/') {
encode[i] = '_';
}
}
return encode;
}
Does anyone have any idea, where am going wrong?
Short answer:
You are trying to use domain-wide authority to impersonate a regular account. This is not supported in Chat API.
Issue detail:
You are using the sub parameter when building your JWT claim:
claimSet.put("sub","one#domain.com");
Where sub refers to:
sub: The email address of the user for which the application is requesting delegated access.
I noticed that, if I add the sub parameter to my test code, I get the same error as you.
Solution:
Remove this line from your code in order to authorize with the service account (without impersonation) and handle bot data:
claimSet.put("sub","one#domain.com");
Background explanation:
Chat API can be used for bots to manage their own data, not to manage end-user data. Therefore, you can only use a service account to act as the bot, without impersonating an end-user.
From this Issue Tracker comment:
At the present moment, Chat API can only be used to manage bot-related data (listing the spaces in which the bot is included, etc.). Using domain-wide delegation to manage regular users' data is not currently possible.
Feature request:
If you'd like to be able to access regular users' data with your service account and domain-wide delegation via Chat API, you are not alone. This feature has been requested before in Issue Tracker:
Accessing the Google Chats of regular users using domain-wide delegated permission and service account credentials
I'd suggest you to star the referenced issue in order to keep track of it and to help prioritizing it.
Reference:
Using service accounts
Delegating domain-wide authority to the service account
Preparing to make an authorized API call
I am building an .net 4.5 MVC application which connects to a Shibboleth-based SAML IdP, to provide single-sign-on functionality. To do this I am using the Kentor.AuthServices.Owin middleware.
The IdP service in question requires use of encrypted assertions, which the latest build of Kentor.AuthServices doesn't support. Instead I had to use the Raschmann-fork of it here https://github.com/Raschmann/authservices/tree/78EncryptedAssertion (v0.8.1), then tried ..Raschmann/authservices/tree/Release (v0.10.1).
(Using ..Raschmann/authservices/tree/master (v0.12.1) - or indeed any of the KentorIT Kentor.AuthServices builds - results in loginInfo being null within ExternalLoginCallback.)
Using the above allows me to login/register on the application via the IdP. However, when ExternalLoginCallback is called, the ExternalClaims or Claims objects within loginInfo.ExternalIdentity don't contain any claims.
I have captured and decrypted the SAML response from the IdP and have confirmed that it is sending information (such as firstname, lastname, DoB, etc.) back to my application once I have logged in.
How can I access the SAML data that is being returned?
ConfigureAuth within Startup.Auth.vb:
Public Sub ConfigureAuth(app As IAppBuilder)
' Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(AddressOf ApplicationDbContext.Create)
app.CreatePerOwinContext(Of ApplicationUserManager)(AddressOf ApplicationUserManager.Create)
app.CreatePerOwinContext(Of ApplicationSignInManager)(AddressOf ApplicationSignInManager.Create)
app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
.AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
.Provider = New CookieAuthenticationProvider() With {
.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
validateInterval:=TimeSpan.FromMinutes(30),
regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))},
.LoginPath = New PathString("/Account/Login")})
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie)
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5))
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie)
app.UseKentorAuthServicesAuthentication(New KentorAuthServicesAuthenticationOptions(True))
AntiForgeryConfig.UniqueClaimTypeIdentifier = Global.System.IdentityModel.Claims.ClaimTypes.NameIdentifier
End Sub
ExternalLoginCallback within AccountController.vb:
<AllowAnonymous>
Public Async Function ExternalLoginCallback(returnUrl As String) As Task(Of ActionResult)
Dim loginInfo = Await AuthenticationManager.GetExternalLoginInfoAsync()
If loginInfo Is Nothing Then
Return RedirectToAction("Login")
End If
Dim externalIdentity = Await AuthenticationManager.GetExternalIdentityAsync(DefaultAuthenticationTypes.ExternalCookie)
' Sign in the user with this external login provider if the user already has a login
Dim result = Await SignInManager.ExternalSignInAsync(loginInfo, isPersistent:=False)
Select Case result
Case SignInStatus.Success
Dim user = Await UserManager.FindAsync(loginInfo.Login)
If user IsNot Nothing Then
'user.FirstName = loginInfo.ExternalIdentity.FindFirst(ClaimTypes.Name).Value
'user.Email = loginInfo.ExternalIdentity.FindFirst(ClaimTypes.Email).Value
Await UserManager.UpdateAsync(user)
End If
Return RedirectToLocal(returnUrl)
Case SignInStatus.LockedOut
Return View("Lockout")
Case SignInStatus.RequiresVerification
Return RedirectToAction("SendCode", New With {
.ReturnUrl = returnUrl,
.RememberMe = False
})
Case Else
' If the user does not have an account, then prompt the user to create an account
ViewBag.ReturnUrl = returnUrl
ViewBag.LoginProvider = loginInfo.Login.LoginProvider
Return View("ExternalLoginConfirmation", New ExternalLoginConfirmationViewModel() With {
.Email = loginInfo.Email
})
End Select
End Function
The owin pipeline is quite complex. To debug this I'd suggest that you insert a small breakpoint middleware immediately before the UseKentorAuthServicesAuthentication() call.
app.Use(async (context, next) =>
{
await next.Invoke();
});
Sorry for using C#, but I assume you can find the equivalent VB syntax.
Run the application and authenticate. Right before you trigger the Idp to post the response back, put a breakpoint on the closing bracket of the code snippet above. Then investigate the content of the context.Authentication.AuthenticationResponseGrant. That's the actual output form Kentor.AuthServices. Are the claims present there?
If they're not, then there's a bug in AuthServices. Please report it as an issue on the GitHub Issue tracker and I'll have a look.
If the claims are indeed present at that point, but lost later, you may be a victim of the Owin Cookie Monster.
I am using "RememberMe=true", and would like my service client to re-use the open session if it's available. I got the bulk of the code from the link below - this code works but authentication fails every time at first and re-authenticates. Do I have to send the ss-pid cookie somehow?
One more note: this is a WinForms client accessing my servicestack service.
ServiceStack JsonServiceClient OnAuthenticationRequired
My code
Private Shared _UserName As String = "xxxxx"
Private Shared _Password As String = "yyyyy"
Private Shared _clientAuthenticationRequested As New Action(Of WebRequest)(AddressOf InteractiveAuthentication)
Public Shared ReadOnly Property ServiceClient() As JsonServiceClient
Get
If _serviceClient Is Nothing Then
_serviceClient = New JsonServiceClient(ServiceContext.ServiceUrl)
_serviceClient.OnAuthenticationRequired = _clientAuthenticationRequested
_serviceClient.UserName = _UserName
_serviceClient.Password = _Password
//service requiring authentication
Dim v = _serviceClient.Get(Of Tonto.Svc.Model.AppConstants)(
New Tonto.Svc.Model.AppConstants())
End If
Return _serviceClient
End Get
End Property
Private Shared Sub InteractiveAuthentication(sourcerequest As System.Net.WebRequest)
Dim v = _serviceClient.Send(Of ServiceStack.AuthenticateResponse)(
New ServiceStack.Authenticate() With {
.UserName = _UserName,
.Password = _Password,
.RememberMe = True})
End Sub
You can't have the client remember your session between the creation of clients out of the box. The RememberMe option will not work here, as the client does not have a persistent cookie store like a web browser.
You can however access the cookie store of the client, after you have authenticated then read the session value cookie, and restore it in future client instances. Essentially you provide the persistence layer.
Sorry it's c# not VB. But I think the concept should be clear enough.
var host = "http://localhost:9001";
JsonServiceClient client = new JsonServiceClient(host);
// Authenticate with the service
client.Post(new Authenticate { UserName = "test", Password = "password" });
// Read the session cookie after successfully authenticating
var cookies = client.CookieContainer.GetCookies(new Uri(host));
var sessionCookieValue = cookies["ss-id"].Value;
// Store the value of sessionCookieValue, so you can restore this session later
client = null;
So if you were to save the ss-id value to a file, you can restore the value when the application is started, then add it back into the client's cookie store before making requests.
// Another client instance ... we will reuse the session
JsonServiceClient anotherClient = new JsonServiceClient(host);
// Restore the cookie
anotherClient.CookieContainer.Add(new Cookie("ss-id", sessionCookieValue, "/", "localhost"));
// Try access a secure service
anotherClient.Get(new TestRequest());
I have been digging on facebook authentication for a week. I came across so many things such as facebook_connect, Facebook C# SDK from CodePlex and other ways to connect with facebook which are absolute now. Finally after reading http://developers.facebook.com for many times, I did manage to have a login button and get user's information for facebook using the new and standard Graph API stuffs. There are in Javascript such as.
var uid = response.authResponse.userID;
var accessToken = response.authResponse.accessToken;
var name = response.name
var username = response.username
var gender = response.gender
On another world, I have Login Control and asp.net Form authentication managing the whole website.
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
Dim userName As String = Login1.UserName
Dim password As String = Login1.Password
Dim result As Boolean = UserLogin(userName, password)
If (result) Then
e.Authenticated = True
Else
e.Authenticated = False
End If
End Sub
Private Function UserLogin(ByVal userName As String, ByVal password As String) As Boolean
//validate user // if valid, return true
//return false if invalid user
End
I can't remove all form authentication from the existing website. Facebook login should be value added feature to the website. Now the few bits I don't get is ...
How to authenticate the asp.net Form authentication when someone Login to the website using facebook Login.
How do I pass all the value in the javascript to aspx.vb to connect to database and store the information.
I understand I would need to create a new table in the database, probably called FacebookUsers. But I can't think a way that facebook authentication and asp.net Login control to work together. My website is in VB.net by the way.
*How do I pass all the value in the javascript to aspx.vb to connect to database and store the information*.
Check out the following articles they may help you out a bit.
http://www.codeproject.com/Tips/371917/Get-user-Facebook-details-in-ASP-NET-and-Csharp
1.-Don't create a new table just add a new field to your current users table...
2.-Name the Field FaceBookUID or FB_ID.
3.-Store the facebook user id .
4.-Set the default Value of the FACEBOOK UID to 0.
5.-Now you'll have a unique value between a regular user and a FacebookUser.