I am building an application in Unity (5.4.4f1) that uses the Google Maps API.
It works perfectly so long as I don't add the API key. If I add the API key which I have created using console.developers.google.com I get this error: "You are trying to load data from a www stream which had the following error when downloading. 403 Forbidden". On google's website it is stated that "If you're using the API under the standard plan, you must use an API key set up in a project of your choice.". So although everything works great without having the API key added at the end of the address, I'm worried google might decide to block the app at some point because it is making unauthenticated requests.
The url I am using for making requests is:
http://maps.googleapis.com/maps/api/staticmap?center=____&zoom=____&size=____&scale=____&maptype=____
but if I add "&key=____" at the end, it breaks
I get the same thing if I use it in an empty project with no addons to interfere with the request so it's not from that.
Any suggestions on how to fix it and is it ok to leave it without a key even when I release it to be used by the general public?
I found the solution to my question. To get the "&key=____" to work I had to change some project settings which Google has added for additional security.
For people having the same problem - to fix it you need to do the following: in Google's API Manager you should go to Library then Google Static Maps API (since I'm using that) and then switch to the tab "URL signing secret". There you click "Allow unsigned usage" and you are done.
I tried using the "&signature=____" generated by the secret but that only works if you manually input it on each url change. I didn't see the encryption formula being shown there so I don't think you can script it to happen automatically
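For reference, the "&signature=____" value can be computed in code: Google documents it as an HMAC-SHA1 over the URL's path and query, keyed with the URL-safe Base64 secret from the "URL signing secret" tab. The C# below is an added example, not code from the original post; the API key, secret and coordinates are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class StaticMapsUrlSigner
{
    // The signing secret is issued in URL-safe Base64 ('-' and '_' in place of '+' and '/').
    private static byte[] FromUrlSafeBase64(string s)
    {
        return Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/'));
    }

    private static string ToUrlSafeBase64(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).Replace('+', '-').Replace('/', '_');
    }

    // Returns the URL with "&signature=..." appended. The signature covers the
    // path and query only (scheme and host are excluded), so the key= parameter
    // must already be present in the URL.
    public static string Sign(string url, string urlSafeSecret)
    {
        Uri uri = new Uri(url);
        string pathAndQuery = uri.PathAndQuery;
        using (HMACSHA1 hmac = new HMACSHA1(FromUrlSafeBase64(urlSafeSecret)))
        {
            byte[] mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(pathAndQuery));
            // Rebuild from the string that was signed so the bytes sent on the
            // wire are exactly the bytes covered by the signature.
            return uri.GetLeftPart(UriPartial.Authority) + pathAndQuery
                 + "&signature=" + ToUrlSafeBase64(mac);
        }
    }

    public static void Main()
    {
        // Constructed values: a placeholder API key and a made-up secret.
        // A secret compiled into a client build can be extracted, so in a
        // shipped app the signing belongs on a server you control.
        string secret = "Y29uc3RydWN0ZWQtc2VjcmV0LWJ5dGVz";
        string baseUrl = "https://maps.googleapis.com/maps/api/staticmap"
                       + "?center=40.7,-74.0&size=400x400&maptype=roadmap&key=PLACEHOLDER_KEY";

        string zoom12 = Sign(baseUrl + "&zoom=12", secret);
        string zoom13 = Sign(baseUrl + "&zoom=13", secret);
        Console.WriteLine(zoom12);
        Console.WriteLine(zoom13);

        // Any change to the request parameters needs a freshly computed signature.
        string marker = "&signature=";
        string sig12 = zoom12.Substring(zoom12.IndexOf(marker) + marker.Length);
        string sig13 = zoom13.Substring(zoom13.IndexOf(marker) + marker.Length);
        Console.WriteLine("signatures differ: " + (sig12 != sig13));
    }
}
```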
I am trying to test out the YouTube Data API V3 to Upload a Video to YouTube in C# using the example code supplied.
I am using the OAuth2 method. I have generated a Client ID / Secret successfully.
The issue I am having is that I created a standard C# MVC ASP.NET project, and every time I run it it might say for example http://localhost:5151/.
We are on a private network so I usually have to use something like ngrok to receive anything from the outside world being sent directly to my server / machine.
Anyways, where was I? So every time I run my application it says in my url box http://localhost:5151/ but when I attempt to run the code in the sample I provided above, it fails to validate me as a user because they claim that the redirect uri's I have set up in the Google API dashboard are not the same as the url being used.
So for example, in my Google API Dashboard redirect uri list I have http://localhost:5151/. But the google misdirect uri error that comes back claims that I am running on http://localhost:6163/ .
So I think wait, that must be just a fluke. So I run my application again and now in the url it again says what I would assume it should: http://localhost:5151/, but I again get the same google error_mismatch_redirect_uri error but this time with a different port: http://localhost:6621/ !!
I'm not sure what settings are on our servers but it looks like in the background my application is starting up on some random port every time and thus Google thinks the redirect URIs don't match! What can I do to fix this? Am I missing something trivial here?
UPDATE:
Tried using http://localhost:8080 per their documentation. Still didn't work.
Wow, after hours of searching I found the answer here: https://stackoverflow.com/a/28794316/7010468. Apparently you have to put http://localhost/authorize/ in your list of redirect-uris...
I am working on UWP app which requires users to login using social identity providers like Microsoft, Google etc.
I have followed the quickstart guide here which describes how the authentication can be added.
In the UWP Quickstart app the installed version of Microsoft.Azure.Mobile.Client is 3.1.0, if I upgrade this to the latest version i.e. 4.0.0, an error is thrown on the line LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount) that LoginAsync has no overloaded methods that take 1 argument. To resolve this I added a SingleSignOn parameter to the method which is a boolean
var user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount, true);
When I run the application the Microsoft login popup is shown successfully, however when the user logs in, the popup does not go away and control never returns to the app. Following is the screenshot:
If I close the popup manually then an exception is thrown :
Authentication was cancelled by the user
So is this a Microsoft.Azure.Mobile.Client Nuget package version issue or am I missing something here.
Any help would be much appreciated.
OK, I'll answer your question now, because I was able to solve it just a couple of seconds ago.
So you are using UWP, I'm using Template 10, and I've been able to make it work on both. First of all, update to v4.0.0 or v4.0.1. According to what I found out, this was because Google authentication stopped allowing web views for authentication, and the concern of the Azure-Mobile-Net-Client team was that all OAuth providers would adopt that behavior in the future, based on an article that you can find here if you are interested:
Modernizing OAuth interactions in Native Apps for Better Usability and Security
That being said, we are in the middle of a big change here, so in order to make it work you need to set your mobile app service to allow external redirects using url_scheme_of_your_app, as shown in Microsoft's documentation tutorial.
So the steps are as follows:
1.- Go to Azure Portal
2.- Go to your MobileApp Service
3.- Choose Authentication/Authorization
4.- at Allowed External Redirect URLs write this: {urischeme}://easyauth.callback
(meaning that urischeme must be alphanumeric word beginning with a letter).
5.- Save changes.
Now, after you have done that, you gotta work on your client.
If you are using UWP, follow this tutorial:
Add Authentication to your UWP.
That should be enough. If you are using Template 10, all you gotta do is use this code in the OnStartAsync method:
if (startKind == StartKind.Activate)
{
    // Only a protocol activation carries the OAuth callback URI.
    ProtocolActivatedEventArgs protocolArgs = args as ProtocolActivatedEventArgs;
    if (protocolArgs != null)
    {
        cloudService.ResumeWithUrl(protocolArgs.Uri);
    }
}
You save tons of code compared with the tutorial, because there you gotta write code in the OnNavigatedTo() method and in the OnActivated() method in App.Xaml.cs.
That's for the architecture in UWP; Template 10 acts like a wrapper of the Application class and simplifies its usage.
Hopefully this helps you. Also, you will notice that when you first sign in to your app using urischeme, it opens your default browser, which stays open after you have successfully logged in.
Also, the SingleSignOn overload method doesn't work at all yet; they are still working on those issues.
Hopefully my answer helps you!!!
I just wanted to add my solution for xamarin.forms on uwp, which should be actually same as we are doing redirecting and login on native level. I followed this article https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-xamarin-forms-get-started-users
but there was something confusing about url scheme of your app part when you define the return url.
Basically you define return url in 4 places and they sound like the same but they are different
1) you define on facebook developer page. it should (use https) https://myapi.azurewebsites.net//easyauth.callback
2) on the azure portal for allowed external redirect urls
add here 2: https://myapi.azurewebsites.net//easyauth.callback, myapp//easyauth.callback
3) uwp package manifest- declaration. add myapp as name
4) Login call to azure mobile services: Client.LoginAsync(provider, "myapp");
So basically myapp (this is the name you choose) should be available in the Azure portal, and the same name should be used in your UWP project. Otherwise, even if login is successful, you end up with this screen instead of being redirected back to the app.
I'm trying to create an elearning system that has videos associated with lessons. When a user gets to a lesson a video needs to play. The videos should not play unless I authenticate that the user can play that video and can play it right now. I'm trying to accomplish this using the azure video player.
I can make this work with azure media services without encryption without issue.
However, when I go to do the encryption, the samples are VERY weak.
What I'm trying to do is encrypt the video so that it can play on all browsers and have everything that the azure video player needs.
Further, at the time that the user requests to play the video I want to use their authentication with our website to determine if the video should play, and then set the token on the media services.
I would have expected that media services would use oAuth 2 and I could point it at our endpoint with a specific claim required for the specific video the user requested and I would return an auth token or not. But it appears to work backwards from this.
So I've done the following:
Gone into the classic portal (because apparently this hasn't been updated to either use the new portal or the new way of doing storage...)
Created the Media Services account.
Gone to content protection and, as best as I can figure from the videos, entered Type token for both and JSON web token.
Under issuer for aes and playready I've put in the path to our oAuth provider, but I'm not at all sure what this should be and I can't find any documentation that explains what this should be.
Scope: Under aes, the samples have something similar to urn:Portal but under playready this has to be a full URI, which I can't figure out what's supposed to be there.
I created the verification keys for both types
I have no idea what to put in claims or how this is relevant.
License type = non-persistent
Passing Video Content to Unknown Outputs I have set to Allowed. I don't know what allowed with constriction does or how it should be setup.
Allow test devices is enabled for now.
Then in my encoding stuff I've put in the following after creating the asset from samples:
//Add encryption
var key = CreateEnvelopeTypeContentKey(context, finalAsset);
var tokenTemplateString = AddTokenRestrictedAuthorizationPolicy(context, key, audience, issuer);
CreateAssetDeliveryPolicy(context, finalAsset, key);
var tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);
var rawKey = EncryptionUtils.GetKeyIdAsGuid(key.Id);
string testToken = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenTemplate, null, rawKey);
But if I try and enable this stuff to get PlayReady, Widevine AND BaselineHttp it all blows up and I cannot find examples of all 3 (which appear to be required for Chrome, Firefox and IE/Edge to work reliably) enabled and working in the code as you'd expect. (Note the methods called above are directly from the samples.)
Further I can't figure out how to use the verification keys from the portal in this code because I can't find any samples on this.
And presumably this sets up the asset to have its own authentication. Although I can't tell. But what I want and need to do is have each asset be separately authenticated by the asset and by the user and not have the bearer token be usable anywhere else.
At this point I'm completely lost, because the only code I can find to generate the JWT is the test stuff which obviously shouldn't be used in production.
What I'm looking for is code that doesn't use Azure AD and allows me to do my own, so that when a user wants to watch a video, they come to me, I say, yup, you're good, here's your token just for you and only you and no one else that is created just for you in C# in my web api that returns the token in the json response.
Then I want to set it in the security credentials (and put all of the permutations in!) so that it will just work on the browser in question (ie, edge, firefox, chrome, safari) and the player sends that along with the rest and the video just plays no matter what browser.
But since I can neither encrypt the video with the right keys, nor encrypt it for all permutations based on the samples, nor find any example of creating the JWT properly based on the shared keys and whatever I need to store in my database based on the encryption process, I'm stuck.
So is there a sample somewhere that takes you through this full process to make this work in any web browser when done and generate the encryption for all of them, and the token for the client on a per issue basis?
If not, can someone help answer these questions?
And if this is MS watching this, I'd suggest that you consider giving us the ability to have just the single url in the client, and pass our oAuth2 bearer token (not yours) and have you use that to single sign on with us, and demand a claim passing the asset id and getting a yea/nay to play the video with a timespan they're authorized to play it on the specific client involved. If this is possible now, please provide a full sample or instructions on how this can be accomplished because it's very not clear at this point and everything is geared to AD which isn't useful and there are a ton of missing pieces.
Ultimately, I need to be able to live stream this content on the web and on mobile clients AND be able to download this content encrypted and play it on those same mobile clients offline but still encrypted and locked down. Those last pieces I don't have a clue how to do at this point and I can't find any documentation on either, but I'll ask that separately.
Thanks!
Bonus Reading
Resources found that are relevant but don't answer the question or only partially answer the question and break other parts:
Configure asset delivery policies with .NET SDK
Use AES-128 dynamic encryption and the key delivery service
Azure Media Player - Protected Content
Azure Media Player - Playback Technology ("Tech")
How to make Token authorized AES encrypted HLS stream working in Safari
Integrate Azure Media Services OWIN MVC based app with Azure Active Directory (this one appears to be the closest but I've been unable to decouple it from Azure AD)
We don't have lot of samples to build customized Security Token Service (STS), because each business may have its own requirements and lots of customers are doing integration work (i.e. they already have a token issuer service).
As said, I am happy to help you to complete your workflow. You can email me at yanmf#microsoft.com and I could have a call to troubleshoot your workflow.
Cheers,
Mingfei Yan
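What the question asks for, a per-request token issued by your own web API rather than by Azure AD, comes down to an HS256 JWT signed with the symmetric verification key of the token restriction and carrying the content key id as a claim. The C# below is an added example, not code from the post or from Microsoft's samples; the issuer, audience, key bytes and key id are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PlaybackTokenIssuer
{
    // Claim type Azure Media Services uses to tie a token to one content key.
    private const string ContentKeyIdClaim =
        "urn:microsoft:azure:mediaservices:contentkeyidentifier";

    private static readonly DateTime Epoch =
        new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    private static string Base64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static long UnixTime(DateTime utc)
    {
        return (long)(utc - Epoch).TotalSeconds;
    }

    // issuer and audience must equal the values in the token restriction
    // template; they are assumed to contain no characters needing JSON escaping.
    public static string Issue(byte[] verificationKey, string issuer, string audience,
                               Guid contentKeyId, DateTime nowUtc, TimeSpan lifetime)
    {
        string header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        string payload = "{\"iss\":\"" + issuer + "\""
            + ",\"aud\":\"" + audience + "\""
            + ",\"nbf\":" + UnixTime(nowUtc.AddMinutes(-1))
            + ",\"exp\":" + UnixTime(nowUtc.Add(lifetime))
            + ",\"" + ContentKeyIdClaim + "\":\"" + contentKeyId.ToString("D") + "\"}";

        string signingInput = Base64Url(Encoding.UTF8.GetBytes(header)) + "."
                            + Base64Url(Encoding.UTF8.GetBytes(payload));
        using (HMACSHA256 hmac = new HMACSHA256(verificationKey))
        {
            byte[] signature = hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
            return signingInput + "." + Base64Url(signature);
        }
    }

    public static void Main()
    {
        // Constructed inputs: a random key standing in for the verification key,
        // plus a made-up issuer, audience and content key id.
        byte[] key = new byte[64];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); }
        Guid keyId = new Guid("11111111-2222-3333-4444-555555555555");

        // Issue only after your own site has authorized this user for this
        // lesson; a short lifetime limits how long a copied token stays useful.
        string jwt = Issue(key, "https://sts.example.test/", "urn:example:elearning",
                           keyId, DateTime.UtcNow, TimeSpan.FromMinutes(5));
        Console.WriteLine(jwt);
    }
}
```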
I have an ASP.NET application that we give to our clients for them to deploy it in their web server and use it. My concern is that all of my ASPX pages' source code is open and our clients can open the ASPX/CS file and see the code in it.
I want to protect my code something like a Windows application by implementing some 15-20 days trial limitations. Also on the other hand the source code must have some third party dll so that whenever they try to deploy the fresh build, it will be available for limited period only.
The payment terms with our client is, First Source Code and then Payment. So I am thinking some in between way that the faith at both side remain as it is. How can I do this?
Publish your web application so that all the code-behind files are compiled into a dll. This way they cannot easily see your code. They will however be able to use reflection to see the code using tools such as JetBrains dotPeek.
Best Option
Host the site yourself, but as this doesn't answer your question, here are some other options.
1st Option
If the client insists on hosting the site as they are concerned about owning the data then allow them to host the site and database but pull in the functionality from a centrally hosted site that you are in control of. You can even provide an api.
You provide the client with a hash code in the web.config and this gets validated against your site.
The hash gets made up from:
presalt
the web service address
the expiry date
client uniqueidentifier
any other info you want
postsalt
Encrypt the request and response of the web service and send via ssl.
The client hash will be sent in the request. Build a new hash with the same fields and validate this against the hash you received from the client. If it is not valid, you don't provide the functionality.
Google maps requires that you register and get a hash code as they can then terminate your usage of the google maps api if you misuse it.
2nd Option
Another option would be to setup a web service call to a site that you host.
The deployed compiled web application would then build a hash using the response from your web service and match the generated hash with the hash you sent over in the response.
This means that if the client blocks traffic to your web service or tries to fake the response then the application will stop working.
Also add some logic to alert you if they have tried to fake the response. This obviously won't work if they block the call to your web service.
You wouldn't include the salts here as the client could read them if they decompiled your code.
3rd Option
Add two fields to your web.config:
the hash code which you have generated for the client
an expiry date.
If the client changes the expiry date to allow them more time then it will not validate and they will be locked out.
Options 2 and 3 would allow the client to reverse engineer the hash code if they really wanted to.
=====================================
I don't really see the need for it but if you want you can use some obfuscation tools like those mentioned in the other post to make it harder for the client to read your code. But even if they can read your code they should not be able to create a valid hash code on their own.
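The validation step of the 1st option, as an added example (not the answerer's code): the vendor-hosted service recomputes the hash over the licensed fields and compares it with the value from the client's web.config. It uses HMAC-SHA256 with a vendor-held key in place of the presalt/postsalt hash, and every name and value in it is constructed.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class LicenseCheck
{
    // One unambiguous byte string for the licensed fields (assumed not to
    // contain '\n'); the date is formatted independently of the server culture.
    private static byte[] Canonical(string clientId, string serviceUrl, DateTime expiry)
    {
        return Encoding.UTF8.GetBytes(clientId + "\n" + serviceUrl + "\n"
            + expiry.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture));
    }

    // Run by the vendor; the result is the hash placed in the client's web.config.
    public static string Issue(byte[] vendorKey, string clientId, string serviceUrl, DateTime expiry)
    {
        using (HMACSHA256 hmac = new HMACSHA256(vendorKey))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Canonical(clientId, serviceUrl, expiry)));
        }
    }

    // Run on the vendor-hosted service for each request from the client's site.
    public static bool Validate(byte[] vendorKey, string clientId, string serviceUrl,
                                DateTime claimedExpiry, string presentedHash, DateTime today)
    {
        if (presentedHash == null) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(presentedHash); }
        catch (FormatException) { return false; }

        byte[] expected = Convert.FromBase64String(
            Issue(vendorKey, clientId, serviceUrl, claimedExpiry));
        return FixedTimeEquals(expected, presented) && today.Date <= claimedExpiry.Date;
    }

    // No early exit, so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) { diff |= a[i] ^ b[i]; }
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed demo values; the key never leaves the vendor's server.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        string url = "https://license.example.test/check";
        DateTime expiry = new DateTime(2030, 1, 31);
        string hash = Issue(key, "client-42", url, expiry);

        DateTime inTrial = new DateTime(2030, 1, 15);
        DateTime afterTrial = new DateTime(2030, 2, 15);
        Console.WriteLine("untouched config, in trial: "
            + Validate(key, "client-42", url, expiry, hash, inTrial));
        Console.WriteLine("untouched config, after trial: "
            + Validate(key, "client-42", url, expiry, hash, afterTrial));
        Console.WriteLine("expiry edited to 2031, after trial: "
            + Validate(key, "client-42", url, new DateTime(2031, 1, 31), hash, afterTrial));
    }
}
```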
I suggest you check out .NET Reactor and Intellilock. .NET Reactor will prevent decompilation of compiled code, however with aspx I'm not sure how this will work since it would need to be pre-compiled. Intellilock will provide the ability to set an expiration time. I've used both with standard executables but never ASPX so I'm not sure if they'll help.
Link: http://www.eziriz.com/
DotFuscator Community Edition is a possibility, but it's probably too basic for your needs.
I suggest you look at the commercial obfuscators on the market. Here's a list of some I found with a simple Google search. (This is not a recommendation of any of these tools.)
.NET Obfuscator from Red Gate Software (I've used their Reflector tool in the past and it was good.)
You could make your own. See this StackOverflow thread.
Here's a thread on MSDN
I am playing around with Google Music. I'm trying to see if I can write an app that will stream my music files uploaded to Google Music. So far, I've managed to authenticate myself using ClientLogin and access the music.google.com page. However, whenever I try to access http://music.google.com/music/services/loadalltracks, the page that contains all of my tracks in JSON format, I get a 401: Unauthorized error. However, if I pass the cookies containing SID and HSID, it works and I can access the page.
Does anyone know why it doesn't work with ClientLogin, outside of Google not supporting it with Music? Have you had similar experience with other Google Services? In the event I can't get ClientLogin to work, is there any way to work around it, using the SID? I don't know how the HSID is generated.
Since there is no official api for Google Music, you need full SSO credentials to use those endpoints. The easiest way to do this is to emulate a browser (with eg mechanize).
The way my unofficial Google Music api accomplishes this is a bit cleaner, but more work: use clientlogin to authenticate to the Music Manager service, then upgrade those credentials using tokenauth. This isn't really a public feature, but it's described by a third party here, and by a Google design doc here. The specific endpoints you need are in my code here (in clientlogin.py and tokenauth.py).
You'll want to send u=0 and xt=[value of xt cookie] in the querystring as well. The first argument specifies which account you're using (if you're signed into multiple), and the second is a xsrf token.
Well, as far as I can tell the reason sending the SID and HSID cookies makes the request work is because you're simulating the way a normal user is accessing the service.
You can't go the regular application way because that's not supported in google music (as far as my internet research showed, there's no API for google music).
Oh, and one thing: google discourages people from using ClientLogin and instead tells people to use OAuth ("ClientLogin [is] Google's proprietary authorization API ... you should avoid using [this] service." found at http://code.google.com/apis/gdata/docs/auth/overview.html) so in the future you might want to use that. Maybe it'll even work in this case (It sends a different token from ClientLogin - OAuth token instead of an Auth token) though I doubt that.
Anyway, I hope this cleared things up.