Once again I am stuck! I am trying to implement a secure WebApi service with ASP.NET Identity using Individual Account. The WebApi service will be consumed by a mobile app developed with phonegap. My phonegap app uses facebook and twitter for login and I have implemented that on the client perfectly.
I have created a SPA project form the visual studio template and I have tested the login process monitoring the HTTP requests with fiddler and chrome dev tools. I have tried the following requests using postman
GET: http://localhost:49577/api/Account/ExternalLogins?returnUrl=/&generateState=true
RESPONSE:
[{
"Name": "Facebook",
"Url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01",
"State": "jpePf27F3ufkCCEldFdoOVHSGBGTEO1CrRdUQ3bHEP01"
}]
and then I call
GET: http://localhost:49577/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01
which calls GetExternalLogin method of AccountsController. This then returns an instance of ChallengeResult when the user isn't authenticated.
This is where I an stuck.
Q1: ChallengeResult forces a 301 redirect to facebook login page with some querystring parameters. I don't want this, I want it to give me the parameters but let me handle the logging in my ajax request. I have tried commenting out this line of code
Request.GetOwinContext().Authentication.Challenge(LoginProvider);
but I end up getting a 401 with nothing else, how can I control what the response from ChallegeResult?
Q2. Also, I cannot quite figure out what next from here, after I get an access token from facebook, what webapi end point should I call for instance if I have already obtained the access token, what should I be passing to it?
I have googled all day but I cannot find anything that answers my question. Any help would be appreciated.
Thanks
UPDATE:
Regarding Q2; I have figured out the next step and that's
GET: http://localhost:49164/signin-facebook?code=...&state=...
This returns another 302 which redirects to
http://localhost:49164/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49164%2F&state=7oGPd37EA-nmtXPtYEQ40qnretDeKjbPEM1gNkb2DuM1
which in turn returns another 302 which then redirects to
http://localhost:49164/#access_token=...
So how do I handle all there redirects from a mobile non browser client?
UPDATE
I am trying to find the controller action that handles
http://localhost:49164/signin-facebook?code=...&state=...
Can anyone help?
UPDATE
I have since posting this question learned alot about the facebool login flow, which maybe I should have done before!
I still have one question but I have created a different question for that here to keep down the clutter
The answer to this question is a very detailed one. So to make it easier, I am going to point you to a sample which shows you how you can have a SPA app and connect different clients (phone, tablets etc) and login with Social logins such as Facebook etc
https://aspnet.codeplex.com/SourceControl/latest#Samples/WebApi/Todo/ReadMe.txt
Related
I'm trying to implement TikTok login kit into my app.
I'm following this guide https://developers.tiktok.com/doc/login-kit-web and i'm stuck on point 2.1 because after succesfully login the user, and succesfully grant app permissions from the user i'm beeing redirect to this url : https://open-api.tiktok.com/platform/oauth/undefined
I'm pretty sure my url is correct because if i insert in it some errors on purpose i get an error page .. like wrong client key, wrong response type, scope, redirect url ecc..
Anyone knows what am i doing wrong?
thanks!
Ok i figured it out.
it was my fault because i created a tiktok-app for applications but by using oauth in browser you nedd to create a web based tiktok-app.
I am trying to make a post call in Exact Online REST API. I'm trying to create a SalesInvoiceLine. I can perfectly do a GET call via my browser. I am logged in in Exact Online so I don't need authentication since this should be passed via a cookie. I tried POST via a browser. The browser prompts me to login, when I do nothing happens. I've also tried this in Postman:
I am 100% certain these initials are correct, I can login with them in Exact Online. What am I doing wrong?
If this is not the way, how can I post data to Exact Online? There are not that many concrete examples to find online.
You can't log on to the Exact Online REST API with Basic authentication, the mode you are using now.
The web service uses OAuth as authentication mechanism, meaning you have to acquire a token first. The steps to do so are outlined in the official documentation.
It will need some work on your end to register an app, get the flow up and running. Depending on your business needs, you might be helped with one of the apps for Exact Online by the company I work for.
You need to retrieve the CurrentDivision through GET Request https://{Base Uri}/api/v1/current/Me only from OAuth then you need to assign
CurrentDivision to whatever may be the API call .../api/v1/{CurrentDivision}/../....
Without authorization by Auth 2.0, neither is impossible.
To authorize the ExactOnline API calls you have to do the following:
Register the app in the developer portal. Bear in mind that you have to do a separate registration for French, UK or Dutch version of ExactOnline (this is indeed a pain).
In case you want your application to be used by other accounts than yours, you have to submit the app for validation, this usually takes 2-3 weeks.
EO uses standard OAuth 2.0 schema (very similar to what Google is using with their services). You have to use endpoint GET /api/oauth2/auth for building an authorization link and endpoint POST /api/oauth2/token for obtaining both access and refresh tokens.
Please bear in mind that many Auth 2.0 services are proving long-lasting refresh token. This is not the case of EO. The refresh token is invalidated every time when the access token is requested (endpoint POST /api/oauth2/token). With access token new refresh token is supplied, so make sure you update you refresh token as well.
The access token is placed in HTTP header as "Authorization: Bearer {{ACCESS_TOKEN}}"
In case you want to automate the EO API calls and do not want to code anything on your own, you can try one of the pre-build Exact Online API connectors, created by the company I work for.
I would like to develop a desktop application.
Sadly I got stuck at login. I want to use a web view which be SoundClound login end point.
https://soundcloud.com/connect?client_id=my_client_id&response_type=token_and_code&scope=non-expiring
Using the above I received error : "invalid_client: The configured redirect_uri of the client application is invalid."
Would be nice if API would tell you which parameters are required and which are optional. As I read about OAuth 2.0, redirect uri is optional. This caused me confusion when received this error. I also tried curl version, same kind of error.
If I tried to add a random redirect_uri won't pass either. (I'm aware this is about security.)
I found this answer, but I doesn't work and I think is error-prone: it requires 2 text fields and you're asking the user to provide their credentials (then you're able to do what you want with them...)
Soundcloud API authentication without a web browser
I would like to do the flow this way:
Open a web view with SoundCloud login end point.
User is providing his credentials to SoundCloud Server.
SoundCloud Server is sending me a token.
Something similar to OAuth 1.0.
Is possible or is there something similar to achieve my goal?
After another few hours of research and keep trying to login I figured it out.
It works with redirect_uri after I did the setup for it on page "Your apps" on SoundCloud.
I'm using JMeter to load test my web app. I created two HTTP Requests, one visit login page and the other, log into my account. The visit login page HTTP request works fine and returns 302 Found status. JMeter displays the login page and there 0% errors on that page.
However, when I try to login into my account using the POST Data I retrieved from Firebug POST, it doesn't work and returns a 500 status error.
I am having difficulty getting the logging into my account feature to work. I have tried to send a POST request with the following:
1) __RequestVerificationToken
2) languageDropDown (My web app requires it)
3) UserName
4) Password
but I am still getting the error.
I followed this tutorial as it's the only one on ASP.NET MVC web apps...
http://build-failed.blogspot.pt/2012/07/load-testing-aspnet-mvc-part-3-jmeter.html
But I didn't do the feedback form data because I don't need it. Just grab the general concepts and regular expression from that webpage and tried it on my app but it fails.
Why? How do I fix it?
Is it because I have cookies to store session and only unique users can login my web app at one time? I did add a cookie manager though.
BTW, this is on a deployed web application (not localhost).
Some photos, I blocked out all sensitive information (sorry) and some of the token's (Just in case?)
Are you sure you have static authentication token? May it dynamic?
Look at second video that deals with token at 5:37 min to understand how to extract dynamic authentication token.
Exept HTTP Cookie manager, try to add HTTP Cache manager
I'm trying to write a new application using the Flattr REST-API version 1 (not the beta v2). The application acquires a request token at first, which seems to work properly. But I run into a problem authenticating the user. The link created for authentication looks like this:
https://api.flattr.com/oauth/authenticate?access_scope=read,click&oauth_token=MY_REQUEST_TOKEN
Clicking the link everything seems alright. Information about the application and the scope requested is shown, but clicking "Authenticate", there's no pin code, but the following error from https://flattr.com/apps/pincode/MY_REQUEST_TOKEN:
Something went wrong. Please try again
BUT now the Application IS in the authorized application list of the user though that doesn't really help if the user can't get the pin code...
The Application type is set to client. It's the first time I try to work with the API so I'm not sure if I miss anything important? Would be grateful for some help.
Just as an update: We finally changed to API v2. Getting Authorization for our application feels a bit clumsy, as we set the redirecturi to some webpage, where we display the returned code and let the user copy&paste it into our client application... we kind of made our own pincode-flow :/
If possible, please use the v2 api, which uses oauth2 + bearer token.
However, the new API doesn't support authentication using the pincode flow.
As stated by Maike this is probably a bug that has surfaced yet again :(
I'll create an internal bug ticket and try to get it fixed.
The pincode isn't a feature planned. You can use the oauth2 "implicit grant" to authenticate the resources owner. This isn't documented at the moment but is possible.
When you do the request to https://flattr.com/oauth/authorize you pass the response_type token instead of code. This will append a access_token fragment in your callback URL. In your http client it might be possible to catch the 302 from our server and parse the access_token from the fragment.
All this requires a http client in your application whom you can control the flow inside your app.