I am looking to generate pdf document for the given url. The client will send ids and using that ids server will create a url and use pdf generator to produce pdf. The pdf is generated but for the login page and not the desired page.
Client is angular 10, server is .net core 3.1
The authentication cookies are assigned to the pdf coverter but still no luck.
code
private FileContentResult PdfGenerate(int bookId, int? pageId)
{
//generate pdf for this url. This url can be accessed in the browser
string url = $"{ConfigHelper.AngularServer}/portal/{bookId}/{pageId}";
}
Currently I have tried with SelectPdf and Synfusion but login page is converted to pdf and not the page in the url.
The problem is that when you access the page specified, you are automatically forwarded to the login page, because you are not authorized. What you need it so get authentication token (authenticate yourself before hand) and then send the actual request with token added to the cookies/headers (whatever system is used for login).
For human-reading of page via browser, browser does this action for you automatically. You go to login page, you authenticate (enter login/password, press confirm), server confirms you are authorized and provides you some token details. This token is then added to each of your request towards the webserver.
Additional info: There is example how it works with some code https://fullstackmark.com/post/21/user-authentication-and-identity-with-angular-aspnet-core-and-identityserver .
However there are many articles over the internet and this topic is too broad to have fully qualified answer. We need to know what authorization is used, what is the login address & what requirements are for the authorization, etc.
Related
I am working on Selenium testing for a project that is accessed via JSP which uses SAML to authenticate the user. I cannot find a way to provide credentials through to the SAML page, which is accessed through a 302 redirect.
I want to log in to home.domain.com/run.jsp. When I visit the page, I get a 302 redirect to auth.domain.com/adfs/ls/wia?SAMLRequest=<long_token>, where I fill in the browser's dialog window with my credentials. After submitting them, I am redirected back to home.domain.com/run.jsp, but with access this time.
The common Selenium auth answer seems to be adding the credentials to the url (admin:passw0rd#home.domain.com/run.jsp), but that doesn't pass the credentials through the redirect, and I even get a warning: You are about to log in to the site "home.domain.com" with the username "admin", but the website dos not require authentication. This may be an attempt to trick you.
My workaround for this ended up waiting for the redirect, then add the credentials to the current url and re-load the authentication page. If somebody has a better answer, I'd accept it because this is definitely hacky.
driver.Navigate().GoToUrl("home.domain.com/run.jsp");
Thread.Sleep(1000); // wait for redirects
// if the SAML didn't automatically authenticate and return us to the homepage
if (driver.Url.Contains("SAMLRequest")
{
driver.Navigate().GoToUrl(driver.Url.Replace("://", "://admin:passw0rd#"));
}
I have a situation where i will have to download the file from the website. It is a secured site (https) and also It requires the client certificate authentication.
I have a client certificate and managed to get in. After logged in, when i tried to download the file, i am not able to download the file. In turn, the file contains the html with csrftoken. How to get this token id? In order to download the file i need this token. Could someone share what kind of authentication this, and how can i get the csrf token id using c#.
Thanks
It is not authentication. Its security to prevent cross site request forgery.
The technique is:
Any state changing operation requires a secure random token (e.g CSRF
token) to prevent against CSRF attacks.
Unique per user & per user session
Tied to a single user session
Large random value
Generated by a cryptographically secure random number generator
The CSRF token is added as a hidden field for forms or within the URL
if the state changing operation occurs via a GET
The server rejects the requested action if the CSRF token fails
validation
In your case the workflow should be near to this:
Client make a request (tipicaly a HTTP GET) to see info in their
screen.
The response HTML has a hidden field in the generated Form with
the CSRF token.
Client makes a POST when click on a button with the following data: File identification he
wants to download and the CSRF token.
Server checks that this token is valid for this POST.
Server sends the file bites to the response stream.
So, if you want to download a file programmatically with C# I think that you should do a GET first as if you were a webBrowser; retrieve the CSRF token parsing the responsed HTML and send a POST whith the file and the CSRF token.
I need to generate a Page Access Token for a webpage that I have, this token will be used by the webpage to post to its Facebook Page feed.
This is what I do :
Go to Graph API Explorer
Choose my app from the dropdown
Click Get Access Token
Choose correct permissions(manage_pages/user_events)
To get the Page Access Token I have to run me/accounts in the Graph API Explorer. This will show all the pages I got with a new Page Access Token (short lived(about 60 min)) to each one.
This Page Access Token will work just fine to use in my C# code to post to the feed.
Problem
When another user uses my webpage to post a post I need to generate a new Page Access Token(in code) and then use it to post the userpost to the site´s facebook feed. The problem is that I could clearly not be there to grant the post so how do I handle this?
I could obviously not run the me/accounts(in code) command to get the Page Access Token from here.
I have looked at extended Access Token but this will last 60 days and then it will be the same problem as above.
What you need is an Extended Page Token:
generate User Access Token with manage_pages and publish_actions
generate Extended User Token (valid for 60 days): https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=[app-id]&client_secret=[app-secret]&fb_exchange_token=[short-lived-token]
call /me/accounts with the Extended User Token to get Extended Page Tokens
Extended Page Tokens are valid forever, so you don´t need to generate a new one all the time.
Source (including information about all the Tokens): http://www.devils-heaven.com/facebook-access-tokens/
On https://developers.facebook.com/docs/pages/access-tokens
Getting Page Access Tokens
GET /{page-id}?fields=access_token&access_token={user_access_token}
The response will look like this:
{
"access_token": "{your-page-access-token}",
"id": "{page-id}"
}
I've wrapped some code around my project to enable user authentication. It seems to be using FormsAuthentication as well as .NetCasAuthentication. When a user wants to login, I redirect them to an external page whose URL is saved in
DotNetCasClient.CasAuthentication.FormsLoginUrl, and that, after a successful login attempt, sets the User.Identity object. So far so good.
Now, how do I properly sign the user out?
I've tried
FormsAuthentication.SignOut()
Expiring a couple cookies as suggested here
And even explicitly nullifying the User object: HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
But when I send another request to my application, it's still able to find that user's information somewhere.
Does CasAuthentication save to a cookie? Or is it more likely that it's in some unique location as defined by the external login page? I have the option of redirecting to the corresponding external logout page, but I don't know how to do that without redirecting to it and leaving my application, and I don't want to do that.
Thanks for reading.
I'm still not quite sure what was causing the phantom log out, but I was able to fix the issue I was having.
I included an iframe in my application's login and logout pages, whose sources (src) are pointed at the external login and logout pages, respectively. To tell CAS where to redirect to after validating FormsAuthentication credentials, I had to append at the end of the login iframe's src url a query string that looks like ?TARGET=http%3a%2f%2fsome.url.aspx
(The target url is escaped.
'%3a' is url encoding for a colon (:) and '%2f' is a forward slash (/))
So, say, the external login url was https://www.externalsite.com/login and I wanted to redirect to my welcome page http://www.mysite.com/welcome.aspx after logging in, my application's login page iframe src would need to be
`https://www.externalsite.com/login?TARGET=http%3a%2f%2fwww.mysite.com%2fwelcome.aspx`
After doing that, everything seems to be working fine.
I couldn't find documentation for the TARGET query string, but it seems to be related to the 'targetService' parameter described here.
I need to get automatically login to website from my windows application. I am doing it with HttpWebRequest but what i want is to
Click on the button in my application.
Open the Index page (page after getting login)
Reason : I don't want to enter user name and pasword, i just want to click button and any browser(default browser) open with index page (page after login)
Normal Example :
I open a link " http://mail.yahoo.com " it shows me a page asking my email address and
password.
I enter the email id and password and press Login.
It redirects me to my Mail box page.
What to Do ?
click on the button
Automatically send my email id or user name and password to the website
Open my Mail box page.
Hint :
get cookie from HttpWebRequest.
set it to the browser.
Open browser and pass the credentials to login automatcially
can anyone help me?
I also need to solve the same issue, and the problem is hint point 2 in your list.
ie. how to set a cookie in a browser, without limiting yourself to using a specific broswer.
The conclusion I am coming to, is that I need to use a standard 'Single Sign-On' logic, where we update the web-server to use short term tokens such as mentioned here...
http://msdn.microsoft.com/en-us/library/ms972971.aspx
In this case the steps would be something like:
1. In app - Logon with HttpWebRequest.
2. Get short-term token (the link suggests validity lifetime of just 2 seconds)
3. Open browser with url
http://MyWebsite>/SignNn?token=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
4. Next I need to confirm if the SignOn process can return cookies correctly.
I dont think you can solve this in a generic way.
What usually happens in such scenarios is that the form within the web page is submited to web server, the web server reads the user name / password values from the form and authenticates the user against the underlying user managment repository.
You can write such a solution for specific sites, by analzying with a sniffer the posted form in the authentication pages, and then creating such an http message yourself and sending it to the relevant site.