I'm using JMeter to load test my web app. I created two HTTP Requests, one visit login page and the other, log into my account. The visit login page HTTP request works fine and returns 302 Found status. JMeter displays the login page and there 0% errors on that page.
However, when I try to login into my account using the POST Data I retrieved from Firebug POST, it doesn't work and returns a 500 status error.
I am having difficulty getting the logging into my account feature to work. I have tried to send a POST request with the following:
1) __RequestVerificationToken
2) languageDropDown (My web app requires it)
3) UserName
4) Password
but I am still getting the error.
I followed this tutorial as it's the only one on ASP.NET MVC web apps...
http://build-failed.blogspot.pt/2012/07/load-testing-aspnet-mvc-part-3-jmeter.html
But I didn't do the feedback form data because I don't need it. Just grab the general concepts and regular expression from that webpage and tried it on my app but it fails.
Why? How do I fix it?
Is it because I have cookies to store session and only unique users can login my web app at one time? I did add a cookie manager though.
BTW, this is on a deployed web application (not localhost).
Some photos, I blocked out all sensitive information (sorry) and some of the token's (Just in case?)
Are you sure you have static authentication token? May it dynamic?
Look at second video that deals with token at 5:37 min to understand how to extract dynamic authentication token.
Exept HTTP Cookie manager, try to add HTTP Cache manager
Related
I am trying to configure login using Auth0. As part of the initial steps, I created an application and added Allowed Callback URLs and Allowed Logout URLs. I have no hosted pages in /login, /login-results, /logout routes. I am just trying to learn working of Auth0 by getting the JWT token and test it in http://jwt.io/.
I tried to use the login UI flow which available out of the box in Auth0. I created the login URL as mentioned in this doc to hit this endpoint
GET https://YOUR_DOMAIN/authorize?audience=API_IDENTIFIER&scope=SCOPE&response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback&state=STATE
But I am getting this error while executing the endpoint which I created using the credentials of my application with above-mentioned callback URL.
http://127.0.0.1:8080/login-results#error=access_denied&error_description=Service%20not%20found%3A%20name
Endpoint which I generated:
https://fsnd-kavin.auth0.com/authorize?audience=audiencename&response_type=token&client_id={CLIENT_ID}&redirect_uri=http://127.0.0.1:8080/login-results
What is the actual issue? Am I missing any other configurations?
Service Not Found
This error message points to that you passed non existent API identifier as audience. Check that API is created in the API section of Dashboard.
We have developped a SPA SaaS and went to a soft production launch recently.
Everything was fine until one of our customers told us they had trouble using the app.
Once they open the app, the first request to our backend triggers their proxy credential prompt. Hopefully on the login request.
They have to enter their proxy credentials to let the request go. All subsequent requests are passing properly and they can use the app.
The problem is:
When they stop using the app, close the browser and then come back the day after, the persistent login tries to connect them to our backend, but the proxy credentials prompt is not triggered and the request fails. All subsquent requests fail also.
For it work again, they have to delete all app data in chrome (so the service worker is unregistered, the localstorage and cache are cleared). The next api call will trigger their proxy credentials prompt and they will be able to work again.
So is there any way for the app to know if the proxy is set or not ? Any way of triggering the proxy prompt if not set or whatever ?
I don't exactly know how those proxies work and we have zero access to the proxy settings.
It surely is something with the credentials expiration after some time but that's all we can figure out right now. Maybe we could monitor some params in the request headers ?
We are using VueJS with axios for the requests.
My guess is when user session credentials get expired, your UI is not handling redirection to login page. When the user login for the first time you should store that the user has logged in successfully in browser localstorage. If your server returns 401 error code, you can delete the flag and redirect the user to login page. You can achieve that using meta fields in router.
Check out this link on how to use meta fields https://router.vuejs.org/guide/advanced/meta.html
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).
Step 1:
GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
I hit 200 and as answer I receive this:
Step 2:
I use the user link.
So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct).
In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)
Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot).
This is how I compose the call:
If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I succesfully login and hit 404, where in the answer I receive back my access token.
Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.
Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can access the resource at the last step.
EDIT:
The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.
So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resouce which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.
You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.
As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.
https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc
I have a backend with Drupal.
Using Drupal Services to interact with. Which provides a rest server.
Created endpoint named 'api'.
Following sequence works in normal browser or any http client like postman :-
example.com/api/login (works).
api sends back user data (token,session id, session name etc).
Further any request I make, I send token as X-CSRF-Token (all requests work).
I can even logout the same session with the token received before.
IN IONIC APP :-
I can login and I also store user data (token, session data etc.) in local storage after login.
Here's the difference in app :-
When I send the same token back to server while making a request (say logout).
Server's response is "User is not Logged In."
Why does this happen?
Update :-
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.
I faced the same issue. Problem was i never set the cookie and chrome did this for me automatically.
Luckily i found this great site:
drupalionic.org
There are links to a view demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve session data and set cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?
Once again I am stuck! I am trying to implement a secure WebApi service with ASP.NET Identity using Individual Account. The WebApi service will be consumed by a mobile app developed with phonegap. My phonegap app uses facebook and twitter for login and I have implemented that on the client perfectly.
I have created a SPA project form the visual studio template and I have tested the login process monitoring the HTTP requests with fiddler and chrome dev tools. I have tried the following requests using postman
GET: http://localhost:49577/api/Account/ExternalLogins?returnUrl=/&generateState=true
RESPONSE:
[{
"Name": "Facebook",
"Url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01",
"State": "jpePf27F3ufkCCEldFdoOVHSGBGTEO1CrRdUQ3bHEP01"
}]
and then I call
GET: http://localhost:49577/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01
which calls GetExternalLogin method of AccountsController. This then returns an instance of ChallengeResult when the user isn't authenticated.
This is where I an stuck.
Q1: ChallengeResult forces a 301 redirect to facebook login page with some querystring parameters. I don't want this, I want it to give me the parameters but let me handle the logging in my ajax request. I have tried commenting out this line of code
Request.GetOwinContext().Authentication.Challenge(LoginProvider);
but I end up getting a 401 with nothing else, how can I control what the response from ChallegeResult?
Q2. Also, I cannot quite figure out what next from here, after I get an access token from facebook, what webapi end point should I call for instance if I have already obtained the access token, what should I be passing to it?
I have googled all day but I cannot find anything that answers my question. Any help would be appreciated.
Thanks
UPDATE:
Regarding Q2; I have figured out the next step and that's
GET: http://localhost:49164/signin-facebook?code=...&state=...
This returns another 302 which redirects to
http://localhost:49164/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49164%2F&state=7oGPd37EA-nmtXPtYEQ40qnretDeKjbPEM1gNkb2DuM1
which in turn returns another 302 which then redirects to
http://localhost:49164/#access_token=...
So how do I handle all there redirects from a mobile non browser client?
UPDATE
I am trying to find the controller action that handles
http://localhost:49164/signin-facebook?code=...&state=...
Can anyone help?
UPDATE
I have since posting this question learned alot about the facebool login flow, which maybe I should have done before!
I still have one question but I have created a different question for that here to keep down the clutter
The answer to this question is a very detailed one. So to make it easier, I am going to point you to a sample which shows you how you can have a SPA app and connect different clients (phone, tablets etc) and login with Social logins such as Facebook etc
https://aspnet.codeplex.com/SourceControl/latest#Samples/WebApi/Todo/ReadMe.txt