Application built in: React and .NET web api
Process:
I have created GET Api in backend for download image from azure blob. In the request, User[Frontend] pass (login)auth token and Image URL to backend as queary string. After validation of auth token backend return binary data to app.
Sample URL: https://***:4412/file/downlaodFile?filePath=~/Uploads/Images/576659969_911903629_flower-color-400x391.jpg&authToken=da72e5bc0d35d692a4c85e8442366713fc9494c8cf56aa1f326560d06a24db5c16e562b82ad5f86e74d8e417c9695007922c9678c91ea234fa7675164eeb041b
Problem: After login if user copy that URL and send it to other people so they can also download Image because Auth token is valid for 15 mins.
How can I protect that URL..?
Thnaks!!
You want to put the auth token in the headers of the request; never ever put the auth token in the url for security concerns.
More information about the Authorization header can be found here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
Related
i register on https://bridgedataoutput.com/ for using bridge data api. as per documents
https://bridgedataoutput.com/docs/platform/API/zg-data#Zestimates
require access token. how I get access token ?
after login , I get detail of Client id, Client Secret and Server Token. i try server token but give me authorization error.
I try to do get request on this below API link
https://api.bridgedataoutput.com/api/v2/zestimates_v2/zestimates?access_token=P7cbhWXt2PLOGOHbctzuOJ1qF2mJYSSF7cI1IrUabGdt3u2IGMiFzu5XLCNk&address=%22123%20Main%20Street%22
Response
{"success":false,"status":403,"bundle":{"name":"AuthenticationError","message":"Invalid access_token format"}}
I had the same issue, and Bridge support said to use the Server Token as the access token. It needs to go in the URL, not as a header when I tried it. Here's an example.
https://api.bridgedataoutput.com/api/v2/OData/[DATASET_ID]/[RESOURCE]?access_token=[SERVER_TOKEN]
Zillow Public Records, Zestimates and Econimic Data does need additional approval. Please confirm in https://bridgedataoutput.com/data/feeds.
I have a code that authenticate using Azure AD
I'm using openIdConnect Lib to authenticate with azure AD.
The scenario as below:
user open the URL of the app.
the app redirect user to Azure AD to authenticate
get the id token & access token
then AzureActiveDirectoryAuthMiddleware get the context and continue the scenario
this scenario is happenning from the UI, i need to know if i need to pass step number 3 (id token & access token) from postman and the middleware will continue the flow, how i can do this flow?
because my app will be used from UI and from postman
Using c# owin
if you want to check/test the middleware(some REST endpoint) functionality using the tokens through Postman, then copy the AccessToken and open Postman, set the Authorization type as Bearer and add the AccessToken as BearerToken and test the REST call.
Please make sure that the token added should start with Bearer (example - Bearer xyzabc)
I'm trying to get a bearer authentication token from a browser web page.
I'm using selenium and previously I could login to our URL and the bearer token was displayed in a form field. Now it has changed and the token is hidden. How can I extract that token and store into a variable?
This was my previous code (i know it's not great but I am not a developer by any means)..
IWebElement tokenField = getDriver().FindElement(By.XPath("/html/body/div[2]/div[2]/div[2]"));
string token = tokenField.Text;
restClient.Authenticator = new OAuth2AuthorizationRequestHeaderAuthenticator(token, "Bearer");
request.AddHeader("Accept", "application/json");
Any help would be appreciated. I am very new to OAuth2 and just security in general.
Usually you won't be able to find sensitive data like auth token displayed in the FE.
If the token is hidden and you cannot take it from FE or DOM, you can login using API calls and from there to get the token which can be used in the further requests.
If you're working within a development team, you can ask a dev to guide you with this and provide login url and other necessary stuff.
I want to sign out a user in OneDrive API, I tried this, I sent the request:
var client = new RestClient("https://login.live.com/oauth20_logout.srf?client_id=762d0c10-xxxx-xxxx-xxxx-085a4a1743bc&redirect_uri=urn:ietf:wg:oauth:2.0:oob");
var request = new RestRequest(Method.GET);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
IRestResponse response = client.Execute(request);
Console.WriteLine((int)response.StatusCode);
Console.WriteLine(response.IsSuccessful);
output:
302
False
my question is how to send a logout request
OAuth is inherently stateless so there is really nothing to "sign out" of. When you complete the OAuth flow you receive a token back. That token is used to authenticate the user every time you call the API. If you don't include the token in the Authorization header, the API will reject your request.
So to "sign out", simply wipe any stored access token values from your app's memory/storage and the app will no longer have access to that user's account.
I am afraid you did not follow the rules before performing the request:
Delete any cached access_token or refresh_token values you've
previously received from the OAuth flow.
Perform any sign out actions in your application (for example,
cleaning up local state, removing any cached items, etc.).
Only after can you make a call to the authorization web service using the url:
https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri={redirect-uri}
After removing the cookie, the browser will be redirected to the redirect URL you provided. When the browser loads your redirect page, no authentication query string parameters will be set, and you can infer the user has been logged out.
I have a situation where i will have to download the file from the website. It is a secured site (https) and also It requires the client certificate authentication.
I have a client certificate and managed to get in. After logged in, when i tried to download the file, i am not able to download the file. In turn, the file contains the html with csrftoken. How to get this token id? In order to download the file i need this token. Could someone share what kind of authentication this, and how can i get the csrf token id using c#.
Thanks
It is not authentication. Its security to prevent cross site request forgery.
The technique is:
Any state changing operation requires a secure random token (e.g CSRF
token) to prevent against CSRF attacks.
Unique per user & per user session
Tied to a single user session
Large random value
Generated by a cryptographically secure random number generator
The CSRF token is added as a hidden field for forms or within the URL
if the state changing operation occurs via a GET
The server rejects the requested action if the CSRF token fails
validation
In your case the workflow should be near to this:
Client make a request (tipicaly a HTTP GET) to see info in their
screen.
The response HTML has a hidden field in the generated Form with
the CSRF token.
Client makes a POST when click on a button with the following data: File identification he
wants to download and the CSRF token.
Server checks that this token is valid for this POST.
Server sends the file bites to the response stream.
So, if you want to download a file programmatically with C# I think that you should do a GET first as if you were a webBrowser; retrieve the CSRF token parsing the responsed HTML and send a POST whith the file and the CSRF token.