HttpWebRequest to Okta result in Forbidden 403 - httpwebrequest

I'm currently stumble on frustrating Forbidden 403 error when doing simple GET WebRequest to Okta. I've added my application url into Okta Admin > Security > API as CORS. Below is my code
string requestURL = "https://myokta.oktapreview.com/api/v1/users/me";
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(requestURL);
request.Method = "GET";
request.Timeout = 120000;
request.ContentType = "application/json";
WebResponse response = request.GetResponse(); // exception Forbidden 403
I could copy paste the requestURL in internet browser and get the json response without any problem. And if I don't have session, it also return error code E0000005 - Invalid session.
If I cannot do it through WebRequest, any suggestion on which client to use in okta.core.dll ?
Please help me and any help would be very much appreciated. Thank you ...

Thanks for the info. There isn't any out-of-the-box solution for your use case, but I would strongly suggest that you switch to OpenID Connect. I have a .NET sample with a Single Page Application and a web API that demonstrates how you can deserialize the JWT token in the Web API to retrieve the user's identity. You can find at https://github.com/rlondner/okta-aspnet-spa_webapi-oidc/

When enabling CORS, please make sure that you type out the correct url.
For instance if you are running https locally, 'http://localhost:8080/' would be the correct url to enable. You also have to enable 'https://developer.okta.com' in Okta's developer console.

Related

HTTP dataset credential error

In Azure Data Factory V2, I created a new http dataset an added a url and basic login details to connect to a https endpoint, when use the the Test Connection the response is "Connection successful"
When i try to "Preview data" it fails, the message from more is
The credential to read http file is invalid. Activity ID:89ae4de1-e6be-46fd-abb9-39360fe5323b.
How do i find out more about this error?
When I try the same url and basic login details in Postman I get back the expected results.
thanks
In Azure data factory, if basic auth type is specified, the http connector honor basic auth protocol, that means:
* It would send out a request without any credential first
* when the http server return 401 response with correct WWW-Authenticate header, it will continue enclose credential into next http request
So if your http server can't handle the request, you will get unauthorize error.
Postman can do it because postman ignored the first http request and send out the second one directly.
you can manually add header to your request:
Authorization: Basic ......
If you don't know how to generate it, you can copy it from postman, after passing credentials.
Best,
Pawel

how to refresh google access token with refresh token without SSL?

I have faced a problem to refresh google access token on server side.
RestTemplate restTemplate = new RestTemplate();
MultiValueMap<String, String> params = new LinkedMultiValueMap();
params.add("client_id", clientSecrets.getDetails().getClientId());
params.add("client_secret", clientSecrets.getDetails().getClientSecret());
params.add("refresh_token", this.refreshToken);
params.add("grant_type", "refresh_token");
String result = restTemplate.postForObject(requestUrl, params, String.class);
Response I got from google authentication server is just 403 status code.
and message is like this
{"error":"internal_failure","error_description":"SSL is required to perform this operation."}
Is that compulsory to use SSL on my server just in order to refresh access token ?
It's been tested on my local server and does not attach any SSL to it.
References for this code is from below URL.
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
I solved this issue by adding 'https' protocol instead of 'http' protocol for google api
I had called like
http://www.googleapis.com/oauth2/v4/token
but for SSL call
https://www.googleapis.com/oauth2/v4/token
is required to refresh access token

office365 autodiscover 401 via POX API but successful over testexchangeconnectivity.com

I have a situation where I am trying to handle auto discover in an iOS app (GOD I HATE auto discover with a passion). I'm at this point where I have followed through several sequences of redirects and email aliases, and the auto discover is now pointing me to an Office 365 URL (this user has been migrated to Office365).
I'm seeing a HTTP redirect to https://autodiscover-s.outlook.com, and I'm POST-ing the standard POX to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml with the user's credentials. I'm getting a 401 in return. I'm also getting a 401 when I curl this manually.
My POST is to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml. This is authenticated using the users email and password (I'm using AFNetworking 2.0, so I'm using the HTTPRequestSerilizer authentication mechanism)
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>user#Service.domain.com</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
The response that I get is:
Domain=AFNetworkingErrorDomain Code=-1011 "Request failed: unauthorized (401)" UserInfo=0x8be9280 {
NSErrorFailingURLKey=https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml,
AFNetworkingOperationFailingURLResponseErrorKey=
{
URL: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
}
{ status code: 401,
headers {
"Cache-Control" = private;
"Content-Length" = 0;
Date = "Thu, 06 Mar 2014 05:00:49 GMT";
RequestId = "ee723790-60db-4008-b800-7d44d9884498";
Server = "Microsoft-IIS/7.5";
"Www-Authenticate" = "Basic Realm=\"\"";
"X-AspNet-Version" = "2.0.50727";
"X-DiagInfo" = BLUPRD0810CA020;
"X-Powered-By" = "ASP.NET";
} }, NSLocalizedDescription=Request failed: unauthorized (401)}
I get the same error when I try to CURL the same post data with the same user and password.
However, when I go to testexchangeconnectivity.com, I see the following, which I don't receive through the POX APIs:
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user user#Service.domain.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
An HTTPS redirect was received in response to the Autodiscover request. The redirect URL is https://pod51008.outlook.com/Autodiscover/Autodiscover.xml.
Is there something wrong that I'm doing? I think the credentials work, because the initial auto discover to the user's on premise domain resolves fine and sends me online. The fact that curl also doesn't work leads me to think that there is some special office365 authentication that I'm not doing properly.
Any ideas?
I discovered the problem. I received an email address change from Autodiscover indicating that I should go from user#domain.com to user#service.domain.com. I then re-built the auto discover urls using user#service.domain.com. However, I was authenticating with user#service.domain.com, not user#domain.com. This is why I received 401.
I hate auto discover. None of this is documented anywhere (http://msdn.microsoft.com/en-us/library/jj900154(v=exchg.150).aspx).
I can't figure out what is going on without seeing every request and response. What is the structure of the Office365 URL?
Did you try an un-authenticated GET request to "http://autodiscover." + domain + "/autodiscover/autodiscover.xml"? In Autodiscover for Exchange, there is a Phase 3 sub section that describes this. This article captures much of the requirements for implementing auto discover for a client.
I think Michael meant to link to Handling Autodiscover error messages. However, it doesn't explicitly note that you should not change your user name in your credentials when you get a redirect to another email address. You only change it in the EMailAddress element. Thanks for the feedback, and sorry for the confusion!

Vimeo API AuthorizationUrl Without Login

I'm using Vimeo API to get video on a web application context and i have a simple question (i hope :P )
It´s possible to do a request for application authorization using oAuth protocol and via the following link: https://vimeo.com/oauth/authorize?oauth_token=XXXX, WITHOUT force the user to login in browser?
I noticed that if I'm not logged on Vimeo, when I go to https://vimeo.com/oauth/authorize?oauth_token=XXXX, Vimeo redirects me to the login page...
Thanks.
I found it =)
You can create the access token using the application credentials or using the login data. In this case you don't have to make a authorize call.
Example (taken from comments):
String vimeoAPIURL = "vimeo.com/api/rest/v2?video_id=213";
OAuthRequest request = new OAuthRequest(Verb.GET, vimeoAPIURL);
request.addQuerystringParameter("format", "json");
request.addQuerystringParameter("method","vimeo.videos.getUploaded";
request.addQuerystringParameter("user_id", "user137");
request.addQuerystringParameter("full_response", "true");
request.addQuerystringParameter("method","vimeo.videos.getThumbnailUrls");
service.signRequest(accessToken, request);
Response response = request.send();
Syso(response.getCode());
Syso(response.getBody());

Authentication headers not sending in HttpWebRequest

I am connecting to a service using a HttpWebRequest. In the service logs, there are Authentication errors being logged, even though the information is correct. The vendor who set up the server with the service, has said that .NET does not send the authentication headers on the first try.
_Req.Credentials = new NetworkCredential(username, password);
When the request is sent, the server responds with needing the headers, which the request then sends. Is this correct, and is there a way to send it on the initial request?
See this question pointing to the answer in this article: add headers manually (even the first time).
HttpWebRequest request;
request.PreAuthenticate = true;