I am writing an iPhone App that uses a HTTPS/SOAP service which needs user credentials. After I change the password used for these credentials from a valid to an invalid one I still get a valid response from the service, as if the password was never changed. When I restart the app (with the invalid password) the app immediately receives the expected '401' message.
Any hints what I might left out to code?
Thx :)
Never mind...
I accidentally created an NSURLCredential object with persistence NSURLCredentialPersistenceNone.
Silly me....
Related
I'm trying to call a Web API from a Web App, passing a token for identifying the user.
I'm following the docs here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-acquire-token?tabs=aspnetcore
However, when I call the GetAccessTokenForUserAsync method, I always get an error AADSTS65001, stating that The user or administrator has not consented to use the application with ID '....' named '...'.
I really don't understand this error. What kind of consent are we looking for here? The application ID mentioned in the error message is the client app, and I double checked that the scopes accessed from the client app in the API are already consented.
What am I missing? I thought it should be quite straightforward - take the token received by the web app, send it to the web API, and let it authenticate it.
Is there any simple way of doing that?
Thanks!
So for future reference, the problem was that the scopes specified in the GetAccessTokenForUserAsync method were not prefixed with the API URL prefix (usually in the form of api://346363-35262ffe-23cwf3-ve523632t), and therefore Azure AD assumed I was trying to access my own app, which did not have such scopes.
After I changed the code to include the prefix in the scope, ie. _tokenAcquisition.GetAccessTokenForUserAsync(new[] { $"api://346363-35262ffe-23cwf3-ve523632t/Employees.Read" }) it worked like a charm.
I have been happily using the xoauth client to negotiate PKCE grants flows up to earlier today.
Tokens were obtained and refreshed, all was looking fine until I needed to amend my scopes and needed to re-consent.
Now I receive an error on the callback - http://localhost:8080/callback?error=access_denied&state=8AJEDHk6tlNX2E98Y3JuFmXmDrcS2DNB#_=_
This error would usually indicated that consent was canceled by the user but I am definitely pressing Allow.
I have:
Deleted the app and made a new one, tried a new Code Flow app, tried a trial organisation instead of the Demo organisation, all without luck.
However, it will succeed if I specify the bare minimum of scopes: openid and offline_access
Any ideas?
My Client ID is: 17B89D9AF3984680BCA620A3986AE8EB
Update: It does however work in a private browser window so I suspect something local. Will poke some more and close if so.
So that last piece makes it sound like some kind of browser / cache issue.
We did have another user where an ad blocker was causing the problem during the granting access page. Maybe that was you..? API team is looking into this further.
If you are continued to be blocked you can open a ticket by emailing api#xero.com
I’ve followed this tutorial https://apiai-aws-heroku-nodejs-bots.blogspot.co.uk/2017/07/steps-for-apiai-and-google-account.html but when I go and grab by debugging URL which happens to be https://assistant.google.com/services/auth/handoffs/auth/start?provider=allergology-5fa9c_dev&scopes=https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/admin.directory.resource.calendar&return_url=https://www.google.com/ and paste it into a new window I get Error 500 but no explanation.
I also tried from an incognito window. It does ask for my email and password but then returns the same error.
I’ve used Implicit Grant Type and I don’t have Add quick account linking enabled please ket me know if that’s not right?
When I try the CURL URL I get the message {“status”:{“code”:401,“errorType”:“unauthorized”,“errorDetails”:“Authentication parameters missing”}}
UPDATE - now when I try the basic Talk to Allergology action on the simulator I don’t even get the debug info anymore, but the message “Sorry this action is not available in simulation” :frowning:
Could you please help?
thanks
Morena
I've managed to work out what I need to do by following this answer How to authenticate user with just a Google account on Actions on Google?
In my case - Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
I also switched from Implicit Grant Type to Authorisation Code.
My app is almost working, I am now having other issues, but at some point the Access Token was coming through with the request.
My problem is as follows :
I have an application protected by a mobile security test involving a LDAP server. The corresponding realm is called LDAPrealm. I use the form-based authenticator + custom LDAP login module.
When the connection to the worklight server is lost and then re-established, I see that the current user is not authenticated in the LDAP realm anymore.
What I want is be able to re authenticate the user without having him enter credentials again.
However, since the user is still authenticated for other realms included by default in the mobile security test, the worklight server does not challenge the client again for credentials, which is causing j_security_check error when trying to submit credentials.
As a side note those credentials are stored in the encrypted json store for offline authentication and use of the app.
So my question is :
Is it possible to force the server to challenge the client again for this LDAPrealm and use submitLoginForm to re-log in?
More generally, is there a way to clear a user+device from all realms before trying to log in again?
Edit reasons : previous error was caused by a typo
In the case where the user first logs in online then loses connection then get connection again, calling
WL.Client.logout("LDAPRealm",{onSuccess:stealthed_relog});
and calling WL.Client.connect() later in stealthed_relog before sending credentials seems to wield the desired behaviour.
However, when the user logs in offline and then gets connection, when I try to use WL.Client.connect(), it says another instance of WL.Client.connect has already been called.
edit : for the log offline case, the application get challenged automatically shortly after that the connected event fires (cause of heartbeat? I do not really know), so you just have to use
login_clientside.submitLoginForm();
to successfully log in again.
If someone has a better way to implement auto-reconnecting in worklight with ldap server, feel free to post it and I'll unaccept my answer.
I'm trying to write a new application using the Flattr REST-API version 1 (not the beta v2). The application acquires a request token at first, which seems to work properly. But I run into a problem authenticating the user. The link created for authentication looks like this:
https://api.flattr.com/oauth/authenticate?access_scope=read,click&oauth_token=MY_REQUEST_TOKEN
Clicking the link everything seems alright. Information about the application and the scope requested is shown, but clicking "Authenticate", there's no pin code, but the following error from https://flattr.com/apps/pincode/MY_REQUEST_TOKEN:
Something went wrong. Please try again
BUT now the Application IS in the authorized application list of the user though that doesn't really help if the user can't get the pin code...
The Application type is set to client. It's the first time I try to work with the API so I'm not sure if I miss anything important? Would be grateful for some help.
Just as an update: We finally changed to API v2. Getting Authorization for our application feels a bit clumsy, as we set the redirecturi to some webpage, where we display the returned code and let the user copy&paste it into our client application... we kind of made our own pincode-flow :/
If possible, please use the v2 api, which uses oauth2 + bearer token.
However, the new API doesn't support authentication using the pincode flow.
As stated by Maike this is probably a bug that has surfaced yet again :(
I'll create an internal bug ticket and try to get it fixed.
The pincode isn't a feature planned. You can use the oauth2 "implicit grant" to authenticate the resources owner. This isn't documented at the moment but is possible.
When you do the request to https://flattr.com/oauth/authorize you pass the response_type token instead of code. This will append a access_token fragment in your callback URL. In your http client it might be possible to catch the 302 from our server and parse the access_token from the fragment.
All this requires a http client in your application whom you can control the flow inside your app.