Getting error using Firebase popup authentication in Word add-in - authentication

I was already using Firebase for authentication for other (related) projects and would like to stick with it.
Using Firebase with a Word add-in seems challenging. On Windows you're stuck with IE11 and on Mac (crucial for me) the browser used to load a taskpane is webkit, not the default browser.
I can get authentication on Windows to work just fine if I use signInWithRedirect (Google and Facebook).
But this won't work on Mac. Using signInWithRedirect opens a new tab in the default browser, which doesn't share cookies/data with the webkit browser the add-in actually uses.
When I switch to signInWithPopup, I get:
There is no application set to open the URL about:invalid%23zClosurez.
On Windows I get a popup IE11 window, for a split second, and it contains about:invalid%23zClosurez for a URL.
I have appdomains called out in my add-in XML manifest:
<AppDomains>
<AppDomain>https://writeitwithme-a114a.firebaseapp.com</AppDomain>
<AppDomain>https://www.firebaseapp.com</AppDomain>
<AppDomain>https://www.googleapis.com</AppDomain>
<AppDomain>https://www.facebook.com</AppDomain>
</AppDomains>
Any help appreciated. Worst case I drop to using manual registration, via Firebase, for Mac, but seems unfortunate to have to give up.

Just documenting for anyone finding this later.
I couldn't figure out how to use Firebase social login when creating an add-in for Mac. Every authentication window opened in the default browser, not the webkit engine used by Word on Mac. Sticking with manual login worked.
IE11 is always finicky when using localhost. I test elsewhere, then push files live and then try IE11 and social + manual login (via popup) works just fine.

I found the following resources from Microsoft docs that made this easier for me:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins
Basically you need to make a call to open up a dialogue box:
Office
.context
.UI
.displayDialogAsync(
'https://myDomain/myDialog.html',
{height: 30, width: 20, displayInIframe: true}
);
Then you can make your own page that does a login flow and passes a message (likely a credential of some kind) back to your plugin via the messageParent method:
Office.context.ui.messageParent(googleProfile);
From there you can do the following to sign in with the credential provided in your add-in:
firebase.auth().signInWithCredential(credential)
Also, be very careful with how you construct the URL of the dialogue box. I lost hours not knowing that the _host_Info param from the origin URL would mess stuff up (I was constructing my new URL from the origin URL). Figured it out in this github issue: https://github.com/OfficeDev/office-js/issues/378

Related

C++Builder TWebBrowser doesn't work with Google OAuth login

I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps

Sitefinity 11: unable to access Content -> Blogs or other Dynamic Module sections

I am using sitefinity 11 Trial version. I have come across a very strange issue.
I am trying to use Content -> Blogs section, when I click that option in menu, I am redirected to "Sitefinity/adminapp/content/blogs" page. Where it keeps loading, after a while it reloads the page not URL becomes "Sitefinity/adminapp/" then after some time URL becomes "/Sitefinity/adminapp/auth/oidc/sign-in#id_token=XXXXXsomevalue" then it keeps reloading there for always.
I have tried to "switch new interface" on/off but that didn't help either.
I also have created a Dynamic Module but same problem with that too.
I searched about this issue but no help. I also came across the link but this was about customising the Admin backend screens.
Please guide me the right path.
Thanks
Very strange, I opened the sitfinity admin section in Internet Explorer. there I got the message that this browser is not supported, please switch to Classic mode. I again set the "switch new interface" to off in IE.
And I am able to access the Manage screens.
Then I cleared the browsing history on Chrome, re login into sitefinity admin section unselected the "Remember me" checkbox. And I can use the screens in chrome also.
Another thing to check is what type of authentication mode you are using. (In Administration > Settings > Advanced > Security, the AuthenticationMode drop-down). Along with IE not being supported by the new Interface (which Edge, Chrome and Firefox are), the new interface also works best with Claims Authentication, which is Sitefinity's preferred authentication mode. We found that when we switched from Forms Authentication to Claims that we had some similar functionality back even while in the new interface. (Note that in Claims Authentication you'll use a different URL for logging in: https://sitename/Sitefinity instead of https:/sitename/Sitefinity/login with Forms Authentication).

FirebaseSimpleLogin not working in Windows 8 app

I asked a question earlier about if it was possible to use Firebase in a Windows 8/WinJS app. #MichaelLehenbauer told me that I just needed to add the following line to my code in order to fix a bug in firebase.js:
Firebase.INTERNAL.forceWebSockets()
This worked great and allowed me to read and write to my Firebase. However, now I am trying to get auth working in Windows 8 and running into many issues. I am trying to use the Facebook login but when I call auth.login("facebook"), my app loses focus and a new tab in the modern Internet Explorer app (not the desktop app) is opened with the typical Facebook login prompt. If I put in my credentials and hit login, nothing happens. I need to go back to my app but then it fires up a new IE tab and the process starts again. Instead of opening a new IE tab, Firebase should internally be opening an in-app dialog like seen in the top image here.
So, since I couldn't get the Firebase Facebook login working in WinJS, I tried doing the Facebook login myself and then create Firebase users using the email/password auth. However, when I run:
auth.login("password", {
email: "me#example.com",
password: "password"
});
I get the following warning (which is the same warning I received from firebase.js befoore Michael suggested to me to force web sockets):
APPHOST9601: Can’t load <https://auth.firebase.com/auth/firebase?&firebase=[my_firebase]&transport=jsonp&email=me%40example.com&password=password&callback=FirebaseSimpleLogin._callbacks._firebaseXDR13889674277557>. An app can’t load remote web content in the local context.
I'm not sure if this is another web sockets issue or not, but it looks like FirebaseSimpleLogin is just not working very well in Windows 8 apps. Are there any workarounds to these problems? Even better, is there any plan to provide full support out of the box with Windows 8?
Windows 8 is now supported out of the box with Firebase Simple Login.

Testing Facebook app on VB.NET WebBrowser - IFrame Access Deined - Cross-Domain Scripting

I have a facebook iframe app I'm trying to test using a WebBrowser Control on a form in VB.NET 2010. Whenever I try to access the WebBrowser.Document.Window.Frames frame object on a document where my app is showing in the broswer, I get an Access Denined exception. Reading around on the web, I see people saying that this is to keep scripts in a document from accessing content in iframes that are pulling content from another domain, as per 'http://msdn.microsoft.com/en-us/library/ms533028.aspx', for security reasons.
While I totally understand why this is done for the general public, how can I disable it on my machine so that I can run these tests? I can't properly test my app without doing it in the facebook iframe and using the WebBrowser control is the only way I know to do this test programmatically.
Any ideas? I'm on windows server 2003 and ie8, .net4.0, if that helps. I own the domain where the app is, and its in AS.NET MVC2, so if there's anything I can do to the web code to enable this??? I also removed the Internet Explorer ENhanced Security COnfiguaration component, but that didn't help.
Thanks,
Philip
Have you tried changing your Internet Explorer settings to enable cross domain scripting?
I believe the VB.Net Web Browser control inherits settings from the local copy of IE.
Try this:
From Internet Explorer, choose Internet Options from the Tools menu.
On the Security tab of the Internet Options dialog box, select the Local Intranet Web Content Zone and then click Custom Level.
Locate the Miscellaneous/Access Data Sources Across Domains setting, and then select Enable, as shown in Figure 2.
Click OK, and then click Yes to the warning dialog box that appears.
Click OK to close the Internet Options dialog box.
Also try adding the Facebook https Url into your trusted sites.
As a last resort disable Native XMLHttp in IE and attempt to revert back to an older version of the XMLHttp object.

Facebook Connect button not showing up in Safari/Chrome

My implementation of Facebook Connect (just a simple login button, fb:login-button) works perfectly on Firefox and IE.
But the same button is not showing up in Safari/Chrome (Webkit).
Here's what's ironic. In my debugging effort, I saved the page (that contains fb:login-button) up as a static page and then load it in Safari. And the button shows up, everything works!
The exact same page (with the exact same HTML source) rendered by my PHP has no way for bringing up the button.
I'm trying hard to support Webkit here but I'm close to giving up. Can anybody help?
I found one more way this can occur (the blame-myself-for-being-stupid way); it's probably not common, but in the event is saves anyone else the hassle, here it is:
This symptom can also be caused by various security tools blocking facebook resources.
In my case, I'd installed Facebook Disconnect ages ago in Chrome as a plugin and forgotten all about it being installed. I also had a second installation of Chrome that was seemingly identical (but did not have Facebook Disconnect). The first would properly load the fb:login-button, and the other would not; took me ages before I looked at the plugins, because Facebook Disconnect didn't have an icon and so its presence was pretty easy for me to miss.
Here's what you'll see if some sort of security plugin is preventing facebook resources from loading. Just look at the html that renders in the browser using developer tools.
In a normal chrome session you'll end up with something like this:
<fb:login-button><a class="fb_button fb_button_medium"><span class="fb_button_text">Your text here</span></a></fb:login-button>
But in the version with facebook's resources disabled you'll end up with this:
<fb:login-button>Your text here</fb:login-button>
Like I said, pretty obvious in retrospect.
Had the same problem but it was not related to anything like a plugin or malformed content. It seems if you enable country filtering on your facebook page it has an issue with the like button, this should be fairly obvious. Facebook gets your location from your profile and not your IP address.
Make sure to disable country locking if you plan on using the social plugins.
This can be due to having ClickToFlash installed. Either disable it, or check "Automatically load invisible Flash views" in the ClickToFlash settings.
What we found out is that Safari (and maybe some older versions of Chrome or other WebKIT browsers) have a problem with Facebook's code using the innerHTML JS function if your page arrives with an XHTML response header (application/xhtml+xml).
Using text/html solves the issue.
In case of JSF2, which we use, the implementing the fix was as simple as wrapping the FB button like this:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:fb="http://www.facebook.com/2008/fbml"
xmlns:f="http://java.sun.com/jsf/core">
...
<f:view contentType="text/html">
<fb:login-button>Login using Facebook</fb:login-button>
</f:view>
Facebook bug report here:
http://bugs.developers.facebook.net/show_bug.cgi?id=5545
I had this problem with the Facebook button not showing at all and it took me forever to figure out what it was. Luckily after days of hair pulling I will now share the answer with everyone. In my situation I simply didn't have xfbml enabled. In my FB.init I had it set to false:
FB.init({
appId : 'app_id', // App ID
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : false, // parse XFBML
oauth : true // enable OAuth 2.0
});
I changed this to "true" (xfbml) and the login buttons works great now! :P Good luck!
This happened when I had the wrong domain in callback_url in config/facebooker.yml. Apparently it uses that to load the js files.
I had the same problem but I resolved it by making sure the URL in my app settings was exactly the same as the one for my site (i.e. it didn't work when I accessed my site without the www.).
I have tried every suggested solution here and it didn't work for me. But now I finally found the solution.
Facebook requires now a secured (https) for Canvas (Secure Canvas URL). The unsecured one will be deprecated soon.
Here is the main difference, Chrome doesn't like https connections with invalid certifications. On a localhost, it is very likely you have stunnel installed to allow https connection for the localhost. Firefox is ok with the self created SSL certificate and allows you to add an exception when trying to access that site. Chrome doesn't allow it out of the box.
When I load my app in Chrome the page is blank and I dont see any login button.
Click F12 and click the Netwrok tab in Chrome:
You see that the post request to your localhost is cancelled. DOUBLE Click on it.
Now you would see that chrome is blocking the localhost because of the certificate:
click on proceed anyway.
Now to back to your other tab and reload the page:
Chrome works now like Firefox and shows the login button.