Is it possible to use a Confidential Client Application as part of a Console App in Visual Studio? I've been trying to do that, but when I to call a method using the IConfidentialClientApplication class I just built, I get the following error:
AADSTS53000: Device is not in required device state: compliant. Conditional Access policy
requires a compliant device, and the device is not compliant.
I've been trying to figure out what this means in my case. My machine is, in fact, compliant (and I have so far tried this out on two separate, compliant machines). I'm starting to think that given the description of Confidential Client Application found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications, which states that Confidential Client Application's are, e.g., web apps on their own server, it isn't possible to use the ConfidentialClientApplication class effectively in a Console App through Visual Studio. Is this right? The error is a little bit hard to decipher, since it seems to suggest that my physical computer is the problem (but I don't think that is the case, here).
Edit: I thought I could code this up in Visual Studio Console App as a lightweight proof-of-concept, but maybe I need to spin up a server if I want to test this out fully.
A console app is a public client if you are triggering user authentication. You then use the loopback flow from RFC8252 as in this example C# code.
A daemon process on a backend server is another type of console app - with a hidden console window. These can be a confidential client and would use the client credentials flow, with a client secret. Sounds like this is not your use case though.
Related
I am attempting to create an application with a unique architecture. There will be an android app, a server, and a desktop client. The catch is, the server will be locally hosted by users (following the mopity architecture on linux). That is, each user will locally host their own server that only they use, which they can turn off whenever not using the client/android app.
This application requires the server to be able to send information to the android application, and it appears the only real solution out there is firebase cloud messaging (though please correct me if there are good alternatives). The issue seems to be that firebase requires the server to store and give the path to the private key json file. Distributing this key to all users is obviously not safe. I was wondering if there is any better solution to this problem?
What I've tried:
I created an android application and used the android studio tools to add firebase to the project and create a firebase project in the console.
I then downloaded the private key from the console and used that in my server code
The app and server can communicate, but this architecture doesn't seem ideal from a security standpoint.
Server (C#) firebase connection code :
FirbaseApp FBApp = FirebaseApp.Create(new AppOptions()
{
Credential =
GoogleCredential.FromFile(
"/path/to/json/file/firebase-adminsdk*.json"),
});
I would really like to be able to maintain this architecture if possible, but please let me know if this just simply isn't possible.
If you want the server to be able to access Firebase with administrative privileges, that server will need to have access to those credentials. This means it will have full access to everything in your Firebase project.
If you don't want the server to have such access, the server should never have access to those credentials.
The safe solution is to host the relevant functionality that you want the server to be able to call on a custom endpoint that you build, and that only you can deploy. This can either be in a server you control, or on something like Cloud Functions. The key here, is that only you (or your trusted collaborators) can access that server, so that others cannot take the keys from there, or change the code. This also allows you to tighten the authorization rules (e.g. who is allowed to send notification to whom) when needed.
I would like to add/start/stop/remove an application (IoT Core) just like the web interface or the Power Shell commands: "IotStartup" but from within a C# application running on the IoT Core itself.
Is there a c# API for this or do I have to implement the Power Shell commands inside my application?
Using the Device Portal API could work for you.
Here are the docs.
https://learn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal-api-core
Device Portal APIs are intended for remote management, and may not work from within a UWP against localhost due to loopback restrictions in Windows (to prevent an app from attacking the device it's running on).
That said, the Windows.Management.Deployment.PackageManager class provides installation and removal APIs for apps. To launch an app, you can use Windows.System.Launcher. Note that PackageManager is a restricted capability, so the app won't be able to go into the Store without special permissions from Microsoft. It will work in sideloaded scenarios though.
There is no way to close an app from another app with existing APIs. However, Launching the app using the above, then connecting with an AppServiceConnection to manage it, you can send a "Close" message over the AppServiceConnection that causes the app to close itself.
I'm looking for a way to establish a simple communication between a c# web application and the operating system.
Since i'm working on Silverlight, i get everything i need to create files into any folder on the C:/ Disk. The problem is that we're going to migrate from Silverlight to Html 5 / C#
So i'd need a way to create files FROM any browser to any OS : Windows,Mac,Linux ..
I thought about using Microsoft Active X but that's not cross platforms.
I'm simply looking for a technology/plugin/software or anything that would allow me to do that, the less client interaction would be the best.
I think your need is in conflict with any common sense about security. If there was a simple way to create any file on any computer that loads your web app, just imagine how quickly all sorts of malware would spread.
But going back to your question - I think it will not be simple (btw. was it really simple in silverlight?). What I can imagine is to have some kind of service running on a client PC (the user would have to install it, or it could be corporate policy if your web app is targeted at corporate solutions). Then the service would listen on some TCP port and your web app could send requests to that port with the intent to create particular file with particular content. All the security concerns would be then implemented in mentioned service so that it doesn't get abused by hostile web apps
I have desktop application that can be installed on the users computer with "setup" msi file like any other application.
I'm developing web application and I need somehow to integrate the desktop application with the web application. Web application is developed using PHP (desktop application is developed using C#), and when clicking on one button on the web application, the desktop application needs to be launched.
Is there a way of doing this? I was thinking about a few scenarios:
-Maybe if possible to install the app directly on the server and to launch it from there?
-Maybe to be required the user to have the app installed on his computer and to call the app from there?
If possible I would prefer to not use the second approach because it's better if the third party to not be involved - it will be more user friendly if the application is launched directly. But any help will be appreciated because at this point I'm not sure if that is possible to be done at all.
You can install app at server an run it with exec() or "`" operator - but to control gui of app you need to use some like autoit ant etc.
If you ultimately decide to require your users to have the client application installed and expect majority of the users to be on Windows, you could register your application to handle specific scheme and parse its command line when started. More on this here:
http://msdn.microsoft.com/en-us/library/aa767914(v=vs.85).aspx
You'd register a custom scheme and then intercept in in the application's command line arguments. The whole URL will be passed as an argument, e.g.:
myapp://parameter1,parameter2
The browser will mostly ask whether or not the user trusts the application to handle this scheme with an option to remember this setting.
If you don't have access to the source code of the client application, you can develop a middleware, some sort of a launcher that handles the URL and then runs the client application after maybe modifying some configuration files based on the URL or otherwise controlling the third-party application to do as you with.
As for solution #1, I don't think C# matters if your application can run on Mono, so you should be able to just run it from PHP. However, this probably won't work on web hosting and you will have to get a VPS for that.
There are very good (security) reasons why it is hard to launch client-side processes from web browsers.
Do you have access to the source code of the C# app? If so, you could consider modifying it to take advantage of Microsoft ClickOnce deployment.
Some references:
http://msdn.microsoft.com/en-us/library/t71a733d.aspx
http://msdn.microsoft.com/en-us/library/t71a733d(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/6ae39a7c.aspx
http://www.codemag.com/Article/0902031
Here's an old article on deploying WinForms applications via ClickOnce with Visual Studio 2005: http://msdn.microsoft.com/en-us/library/ms953320.aspx
It can possibly be done with IIS but it can be cumbersome setting it up to run as the current user, especially since it would probably also need to run elevated for an app that needs to attach to the current user's desktop.
Easiest is to install a Windows LAMP distro (like WAMP: http://www.wampserver.com/en/) and then run the httpd.exe directly from an elevated (Admin) command prompt; do not run apache as a service!
Once you do this performing and exec("command"); call in php will bring up a desktop app as if it was invoked from an admin command prompt. Obviously you need to set up the apache server to be accessible from outside the local system, etc.
I've written a simple C# console app that gets executed by SQL Server Integration Services as part of a datawarehouse load (on Windows Server 2003).
Unfortunately the step that calls the .exe is failing because a Open File security warning dialog "The Publisher Could Not Be Verified. Are you sure you want to run this software" is shown.
I think I need to sign my console app, but this seems a little overkill for an internal application. Can I sign it without having to get an externally recognised certificate?
Thanks.
Yes, signing is easy, Just look up Project|Options|Signing. The combobox will let you pick a key-file or create one. It is always a good idea.
But signing may not be enough, the server may impose stricter rules so that you will need a certificate. I'm not 100% sure but you may be abkle to create your own and tell the server to trust it.
But try the signing first.