I've implemented the code from http://satalketo.com/2013/09/mvc-two-factor-authentication/
Two Factor Authentication in ASP.NET MVC
When a user registers, he gets a secret key and is shown a QR code he can scan into Google Authenticator.
All works fine and well, except when the user tries to log in to the system: the key is always different from the one he enters. The function GeneratePin on the server side generates a different key from the one he gets in the Google Authenticator mobile app. I have no idea what's wrong; I tried to think maybe the time zone isn't correct. My time zone is Jerusalem, UTC+2.
I've looked through my code a fair bit and I can't see any reason why this should be an issue. The only reason that I can come up with is that one of the two devices is more than 30 seconds out of sync with UTC.
I have updated the source code to include checking against the 30 second periods either side of the current one to try and deal with any situations like that.
You can find the updated code on GitHub, which would be the best place to download the entire solution. My article Two Factor Authentication in ASP.NET MVC has been updated to include the code for checking the period either side.
If this doesn't help please let me know with any additional information you can think of.
I was creating an API for TD Ameritrade (my first time creating or dealing with APIs) and I needed to put in my own callback URL. I know that the callback URL is where the API sends information to, and I heard that I can just use my localhost API. I scoured the internet and I don't know how that would work, and I was wondering if I can just use http://localhost?
Sorry if I seem like a noob because I am
In short, yes.
Follow the excellent directions at
https://www.reddit.com/r/algotrading/comments/c81vzq/td_ameritrade_api_access_2019_guide/. (Even with them, I spent excessive time on trial and error!)
Since stackoverflow has a limit of 8 links in a response, and the localhost text string looks like a link, I’m showing it with the colon replaced by a semicolon, i.e., http;//localhost to reduce the link count. Sorry.
I used the Chrome browser after first trying Brave, which did not work for me, possibly because of my option selections.
Go to https://developer.tdameritrade.com/user/me/apps
Add a new app using http;//localhost (delete existing app if there is one).
Copy the resulting consumer key text string (AKA client_id or OAuth User ID).
Go to https://developer.tdameritrade.com/content/simple-auth-local-apps and follow the instructions. Note: leading/trailing blanks were inserted by MS Word due to copy/paste of the auth code, which had to be manually deleted after wasting excessive time identifying the problem. The address string looks like:
https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=http%3A%2F%2Flocalhost&client_id=ConsumerKeyTextString%40AMER.OAUTHAP
This returns a page stating the server refused to connect, but the address bar now contains a VeryLongStringOfCharacters:
https;//localhost/?code= VeryLongStringOfCharacters
Copy the contents of the address bar, go to https://www.urldecoder.org/, decode the above, and extract the text after “code=”. This is your refresh_token.
Go to: https://developer.tdameritrade.com/authentication/apis/post/token-0, fill out the fields with
grant_type=authorization_code
refresh_token=<<blank>>
access_type=offline
code=RefreshTokenTextString
client_id=ConsumerKeyTextString#AMER.OAUTHAP
redirect_uri=http://localhost
Press SEND.
If the resulting page starts with HTTP/1.1 200 OK, you have succeeded.
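The two manual steps that cost the answer the most time (stray blanks around the copied URL, and URL-decoding the code) done in Python, as an added example that is not part of the answer. The callback URL and code value are constructed placeholders; `extract_auth_code` and `token_request_body` are hypothetical helper names, and the client_id is passed through as given, with or without the suffix the later answers disagree about.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the address bar after the login page redirects to the
# registered callback; the code is a placeholder and the surrounding blanks mimic
# the whitespace MS Word added on copy/paste.
ADDRESS_BAR = "  http://localhost/?code=Very%2BLong%2FString%3DOf%2BCharacters%3D%3D  "
REGISTERED_REDIRECT_URI = "http://localhost"


def extract_auth_code(address_bar: str, registered_redirect_uri: str) -> str:
    """Return the percent-decoded authorization code from the callback URL.

    The code is only accepted when the URL's scheme and host match the redirect_uri
    the app was registered with, so a code that landed on another origin is not used.
    """
    url = urlsplit(address_bar.strip())
    expected = urlsplit(registered_redirect_uri)
    if (url.scheme, url.netloc) != (expected.scheme, expected.netloc):
        raise ValueError(f"callback origin {url.scheme}://{url.netloc} does not match "
                         f"registered redirect_uri {registered_redirect_uri}")
    codes = parse_qs(url.query).get("code", [])  # parse_qs percent-decodes the value
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter in the callback URL")
    return codes[0].strip()


def token_request_body(code: str, client_id: str, redirect_uri: str) -> str:
    """Form-encode the fields the token page asks for; a blank refresh_token is kept
    because the form lists it, and urlencode handles the @ in the client_id."""
    return urlencode({
        "grant_type": "authorization_code",
        "refresh_token": "",
        "access_type": "offline",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
```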
Try updating your redirect to:
redirect_uri=https://localhost
They may require https now, and you need a colon instead of a semicolon. Everything looks correct. This process generally takes me more than one attempt, and 15 minutes to an hour, to get my refresh token squared away every 90 days.
Don't use #AMER.OAUTHAP in client_id.
If you generate a new code and, based on that, try to get a new access token, it should work.
I've been using Netlify for storing 100% of my app (both frontend and backend) for the last three months. So far, so good.
The only problem now is that I need to store a custom property for each user (say, the phone number), and apparently Netlify Identity doesn't support this (only email, name and roles https://www.netlify.com/docs/identity/).
I don't want to change the whole app to migrate to another hosting provider just for this detail (actually, I can't, it's for a client and I just don't have time), because it works great, but at the same time I need it.
Can you think of any workaround to this? The less "hackish", the better, but I understand that I'm going beyond the intended use of Netlify Identity.
So it actually does look like Netlify's GoTrue API has a specific endpoint for updating custom user data. After a user is created, you can update metadata by including it as "data" within an authenticated PUT request to /user.
PUT /user
{
"data": {
"custom_key": "value"
}
}
See https://github.com/netlify/gotrue for more info.
There are dozens of ways to do this, so I'll talk about two generally applicable ways now:
The most "generally capable" one is probably using lambda functions: https://www.netlify.com/docs/functions . This lets you run dynamic code, such as "store to database hosted elsewhere" or "email to our office manager to update a spreadsheet" or even "commit to our closed git repo so it's available in-code" (the last one is probably a worst practice, but is possible). You can similarly use a function to read that data back out without exposing API tokens (code example: https://github.com/netlify/code-examples/tree/master/function_examples/token-hider).
You could have the data gathered via a form submission (https://www.netlify.com/docs/form-handling). I'd probably use zapier.com to receive a notification of the form submission (https://www.netlify.com/docs/form-handling/#notifications). Zapier can of course connect to just about anything on the planet :) . Getting the data back out if you want to show it in your UI is a bit more of a challenge, but you could use the above-mentioned functions if you need to connect to some private data store to pull it out. Or for an MVP, just don't show it, only let people enter/update it ;)
I use social authentication in my ASP.NET Core application, one of which is LinkedIn authentication.
Looks like there's been some changes in LinkedIn API and now we seem to get some parameters with user images.
Here's a dummy full/original image URL I'd get from LinkedIn API. Any idea what these parameters mean? In particular, the one that begins with t?
https://media.licdn.com/dms/image/A1205CPGrwDzHZS_Apr/profile-originalphoto-shrink_900_1200/0?e=1525989600&v=beta&t=PNuO2bh5rNrIJv19PN1OXOjzDWcQgKdYCl1-ZVzgPOw
The reason why this is important is that when the user logs in, I compare the data that's already in the database with the new data coming from LinkedIn -- in my case, it's limited to user profile images i.e. both the smaller size image and the original one the user uploaded.
I've noticed that the image is always showing as different. On closer analysis, I could see that these parameters, in particular the one that begins with t, are where the difference is. This small change triggers an event in my code to update the user's images, which could be a completely wasted database call. I could confirm this with my own LinkedIn login. Even though my image hasn't changed, the image URL for the original image is always different due to this difference in the t component.
The t parameter could be some type of time stamp, which means it may always be different. I don't want to make that assumption, hence this question.
I tried the below LinkedIn endpoint 'https://api.linkedin.com/v2/me?oauth2_access_token='.
For me, there are two images under the "pictureInfo" section, "croppedImage" and "masterImage". I have tried to replicate the problem you have mentioned and could not replicate it for some time. At some point, I received a different image URN for "masterImage". After a number of tests I understood the 'masterImage' is updating once every hour. With this I have further tried to understand the parameters in the image URN.
From these,
v=beta is clear. Earlier it was v=alpha for a few.
e appears to be a timestamp which relates to some expiration.
t is changing when e changes.
Given this analysis if you are using 'masterImage' to trigger a DB call, you may put regex matching criteria to identify actual change in image.
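The "only update the database when the picture really changed" check, as an added example that is not part of the answer. It parses the URL and drops the parameters the answer found to be volatile (e, t, v) instead of using a regex; the first URL is the one from the question, the second is constructed with only e and t altered.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# URL from the question; the id in the path is what identifies the picture itself.
URL_SEEN_FIRST = ("https://media.licdn.com/dms/image/A1205CPGrwDzHZS_Apr/"
                  "profile-originalphoto-shrink_900_1200/0"
                  "?e=1525989600&v=beta&t=PNuO2bh5rNrIJv19PN1OXOjzDWcQgKdYCl1-ZVzgPOw")
# Constructed: same picture, as the URL might look an hour later (e and t differ).
URL_SEEN_LATER = ("https://media.licdn.com/dms/image/A1205CPGrwDzHZS_Apr/"
                  "profile-originalphoto-shrink_900_1200/0"
                  "?e=1525993200&v=beta&t=CONSTRUCTED_DIFFERENT_T_VALUE")

# Query parameters that change on the hourly refresh even when the picture does not.
VOLATILE_PARAMS = {"e", "t", "v"}


def image_identity(url: str) -> str:
    """Canonical form of a LinkedIn media URL: scheme, host, path and only the
    non-volatile query parameters, so two URLs for one picture compare equal."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in VOLATILE_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def image_changed(stored_url: str, incoming_url: str) -> bool:
    """True only when the picture differs, not when just e/t/v were regenerated.
    Use this as the trigger for the database update instead of plain string equality."""
    return image_identity(stored_url) != image_identity(incoming_url)
```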
I'm developing a Mail add-in for composing emails in Outlook 365. The Javascript web app calls getUserIdentityTokenAsync() to obtain an identity token, which is then validated with the app's C# backend web service. The identity token validation in the service is based almost entirely on this sample.
On Wednesday last week I put up the app on a test server for a demo, and it worked as expected. This week when I go to use it I get this exception:
I tried logging out and logging back in but the error persists: why and how is this remedied?
EDIT:
I have caught it in the debugger, it's doing what it's supposed to, I just have to do some digging into why I'm getting these time values:
I guess judging by these values I can just increase the padding... but I don't know why it would work previously and not now?
EDIT2:
And now that I've updated the padding to be 10 minutes, I actually get back a legit claim that would've worked with the old code, but why the huge discrepancies between the "validFrom" and "now" times? It looks like they're not consistent, like the "validFrom" time fluctuates between ~5-10 minutes ahead or behind the current time.
It looks like the sample throws this error if the nbf claim in the token is later than they think it should be. How does the time in the error compare with the current time? I'm not sure if this is a bug in the sample or an issue with the token.
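How the nbf/exp check the thread is debugging behaves with an explicit skew allowance, as an added example that is not from the Microsoft sample or the asker's service. Claim values and `SAMPLE_NOW` are constructed; the 5 and 10 minute figures are the two paddings the thread mentions.

```python
from datetime import datetime, timedelta, timezone

# Allowance for clock skew between the token issuer and this server: 5 minutes is
# a common default, 10 minutes is what the asker ended up needing.
DEFAULT_SKEW = timedelta(minutes=5)
ASKERS_SKEW = timedelta(minutes=10)


def as_utc(epoch_seconds: int) -> datetime:
    """nbf/exp claims are Unix epoch seconds; always interpret them as UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


SAMPLE_NOW = as_utc(1525176000)  # constructed "now": 2018-05-01 12:00:00 UTC


def check_time_claims(not_before: datetime, expires: datetime, now: datetime,
                      skew: timedelta = DEFAULT_SKEW) -> str:
    """Validate nbf/exp with a symmetric skew allowance.

    Returns "ok" when the token is usable, otherwise a reason that includes the
    observed offset, so the log shows how far apart the two clocks really were.
    All datetimes must be timezone-aware: comparing a naive local time against a
    UTC claim manufactures a whole-time-zone "skew" of its own.
    """
    for name, value in (("nbf", not_before), ("exp", expires), ("now", now)):
        if value.tzinfo is None:
            raise ValueError(f"{name} must be a timezone-aware datetime")
    ahead = (not_before - now).total_seconds()
    if ahead > skew.total_seconds():
        return (f"not yet valid: nbf is {ahead:.0f}s ahead of now, "
                f"allowance is {skew.total_seconds():.0f}s")
    if now >= expires + skew:
        return "expired"
    return "ok"


def check_token_times(claims: dict, now: datetime, skew: timedelta = DEFAULT_SKEW) -> str:
    """Same check starting from a decoded claim set with integer nbf and exp."""
    return check_time_claims(as_utc(claims["nbf"]), as_utc(claims["exp"]), now, skew)
```

Logging the offset on every rejection is what turns "why now and not last week" into a measurable drift between the issuing host and the validating one.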
This is more of a design question.
I figured out how to use the Facebook login via the Facebook C# SDK.
QUESTION: What is the best way to check whether the user is logged into FB or not each time the user goes to a different page?
Back on ASP.NET WebForms, I could simply put in code to check FB login status in the code-behind of a master page. This was good ... once and done. But I don't understand how to implement something similar in ASP.NET MVC 4.0.
Given that the _Layout.cshtml file (which acts like a master page) is only a view (hence, no code behind), what is the best way to code a way to check if the user is logged into FB each time a user goes to a different web page? Because I would think, adding this bit of code to each controller can't be the optimal design solution.
The only solution that I can think of involves using Javascript on the client side to do a WebApi call ... I guess the script will be bundled with all the other scripts so that it runs on each page. But I was hoping to find a solution on the server side ...
I'm pretty new to MVC, learning things as I go along ... tips appreciated ... thanks!
I can think of a couple of points that might help you devise a solution.
You can put code in your _Layout, but I agree that you want to be careful about doing so. You could create a helper or partial view and have your _Layout call it so that it's executed for every action. Your helper/partial would need to execute the required logic and then return something. The problem that I have with this is it's a lot of overhead every request.
You could do an AJAX call after the page is loaded (as you suggested). This means that the page still loads quickly. The problem I have with this is that you're now dependent on Javascript. It's also potentially a little hacky(?)
What about storing the user's status (logged on/off) in a session/cookie and also providing a 5 minute expiry? You can use the Helper/Partial method from before or have some logic fire in OnActionExecuting (or similar). Your logic should check to see if the status has expired and then connect to the Facebook API to update the status. This has the advantage of low overhead (i.e. not checking again until 5 minutes have passed).
I don't know of your exact situation so I can't say what method, if any, is best.
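The third option from the answer (cache the status with a 5 minute expiry and only call the provider when it lapses), as an added Python example that is not part of the answer. `CachedLoginStatus`, `fetch_status` and `simulate_requests` are hypothetical names; `fetch_status` stands in for the Facebook SDK call and the injectable clock replaces the real one so the request replay runs offline.

```python
import time
from typing import Callable, Dict, Tuple

STATUS_TTL_SECONDS = 5 * 60  # the five-minute expiry suggested in the answer


class CachedLoginStatus:
    """Per-user cache of a third-party login status, refreshed from the provider
    only once the cached value is older than the TTL. In MVC the dictionary would
    be Session or a cookie and is_logged_in() would run from OnActionExecuting."""

    def __init__(self, fetch_status: Callable[[str], bool],
                 ttl_seconds: int = STATUS_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch_status          # hypothetical: wraps the Facebook SDK call
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[bool, float]] = {}  # user -> (logged_in, fetched_at)

    def is_logged_in(self, user_id: str) -> bool:
        """Cheap on every request: only a cache miss or an expired entry hits Facebook."""
        now = self._clock()
        cached = self._cache.get(user_id)
        if cached is not None and now - cached[1] < self._ttl:
            return cached[0]
        status = bool(self._fetch(user_id))
        self._cache[user_id] = (status, now)
        return status

    def invalidate(self, user_id: str) -> None:
        """Drop the entry (e.g. on an explicit logout) so the next request re-checks
        at once instead of trusting a stale 'logged in' for up to the whole TTL."""
        self._cache.pop(user_id, None)


def simulate_requests(offsets_seconds, ttl_seconds: int = STATUS_TTL_SECONDS) -> int:
    """Replay one user's page requests at the given offsets and return how many
    provider calls got through the cache. Constructed driver for the demonstration."""
    calls = []
    fake_now = {"t": 0.0}
    cache = CachedLoginStatus(lambda uid: calls.append(uid) or True,
                              ttl_seconds, clock=lambda: fake_now["t"])
    for offset in offsets_seconds:
        fake_now["t"] = float(offset)
        cache.is_logged_in("user-1")
    return len(calls)
```

The trade-off the answer alludes to is visible in `invalidate`: without it, a user who revokes the app on Facebook still reads as logged in until the TTL runs out.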