Im using azure mobile service for xamarin forms. I was using non-secureed services it was opened to use. Now client changed the service end point and now end points are secured only authorized user can access the endpoints, so now im logged in with Google account. I have followed the steps:-
Logged in with google account and received the access token.
Pass access token in get request header.
request.Headers["Authorization"] = "Bearer " + accessToken;
Response:-
The remote server returned an error: (401) Unauthorized.
If anybody have any idea please share with me.
You cannot use a Google token to authenticate directly. You swap the google token for a ZUMO token and then add the X-ZUMO-AUTH header with the value of the ZUMO token.
We generally assume you are using one of the client SDKs. However, since you are doing this directly, you will need to construct the request yourself. The endpoint is /login/google and the POST body should be an application/json with the contents {"access_token","your-google-token"}.
Two recommendations: 1) Use the Client SDK (you can over-ride the HttpClient using a delegating handler and a lot of this stuff is taken care of for you). 2) Upgrade to Azure Mobile Apps (Azure Mobile Services is being shut down this year, and all customers are being transitioned to Azure Mobile Apps).
I am not sure if this solves your problem, but in my case following code works (with the bearer token, HttpClient and Xamarin.Forms)
// Set the authorization Header in httpclient
DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "your-access-token");
side-note: I have an own implementation for the API-communication (which just inherits from HttpClient)
Related
I have am trying to do a get request to api with blockcypher.com. In the docs they simply append the api token to the URL with ?token= or if it's part of multiple parameters &token=. What's the proper protocol for putting this in the headers to make sure that the token isn't sent in the URL for security reasons?
I already tried to do this formula
var client = _clientFactory.CreateClient(nameof(<Parent Function Name>));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", <API Token Here>);
This didn't work. My blockcypher account claims that no requests to my API were sent when I use the above code.
If the API you're calling doesn't support the Authorization header, there isn't anything you can do. From looking at BlockCypher's docs, they only appear to support passing the token as a URL parameter. The Authorization header is very standard, so not supporting it is odd.
This isn't as big of a security risk as you might think, as long as you are only doing server-to-server communication (not a browser or mobile app). When you use HTTPS, the request URL is encrypted (see Is an HTTPS query string secure?).
We currently have a client(MVC .Net Core Web Application) and web API which is used to access Microsoft Graph calls, the authentication process uses Azure AD v2.0 endpoint. we can get this working if we do all of this in the client, however, as soon as we pass the token to the Web API this fails and doesn't even return a response to help us diagnose. below are loads of things we have tried, we have come to the conclusion our azure hasn't been set up correctly but unsure.
Process 1 Works
We forget the web API and do all actions inside the client, this method works but not what we are after so we know the code is not broken.
Process 2 Fails
Client Authenticates to Microsoft graph
redirects with code to the client
send the code to Web API to authenticate, get access token and refresh token
Fails returns nothing
Process 3 Fails
Client Authenticates to Microsoft graph
redirects with code to the client
send the code in the client to authenticate, get access token and refresh token
send access token and refresh token to Web API
use token to perform Microsoft graph action
Fails returns nothing
Azure Settings
Within Microsoft Azure, we have tried configuring the Microsoft Active Directory to follow this example. However, this uses WPF and can't get this to work. We follow it step by step and even the user is prompted with the API permissions be still doesn't work. I am happy to provide any further information to help diagnose this issue.
Our architecture we are trying to achieve.
Update
This is where we exchange the authorization code for an access token however, this gives no return response and times out after about 100 seconds, doesn't even continue.
HttpContent content = new FormUrlEncodedContent(new Dictionary<string, string>
{
{"code", code},
{"client_id", _clientId},
{"client_secret", _clientSecret},
{"redirect_uri", _redirectUri},
{"grant_type", _codeGrantType}
});
using (HttpClient client = new HttpClient())
{
var response = await client.PostAsync(_tokenServerUrl, content);
if (response.IsSuccessStatusCode)
{
//get token from body and update expiry time...
var token = await response.Content.ReadAsJsonAsync<OAuthToken>();
token.ExpiresOn = DateTime.Now.AddSeconds(token.ExpiresIn - 100);
return token;
}
Not sure if this is really silly question, but is it possible to access / utilize the Dropbox within the scope of a web API.
Take the following into consideration. I have a multi-tenant front-end application written in Angular. The back-end (multi-tenant) in a C# web API. The user can upload documents / files. The API will be responsible for uploading the documents to the storage provider. In this case it's Dropbox. The thing is, I have read that Dropbox no longer supports username / password auth. Thus OAuth is used were by the user needs to provide consent to the calling application. This only has to happen once. Since multiple users within a single tenant can utilize the online storage, I'm struggling to see how this would work through a web API...
Any suggestions?
Thanks!
Yes, you can utilize 3rd party API inside Web API. I have never used Drop box API, but as you are saying they use OAuth as authentication mechanism i can show you the code which calls the 3rd party API in this case it is (clarifai).
i am using HttpClientyou can use Dropbox .NET SDK. However if you want to stick to HTTP then here is the documentation for the same.
string token = "Oauth token received using some mechanism";
string requestPath = string.Format("v1/tag");
HttpClient client = new HttpClient();
client.BaseAddress = new Uri("https://api.clarifai.com/");
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
HttpResponseMessage response = await client.PostAsync(requestPath, content);
if (response.IsSuccessStatusCode)
{
var resString = await response.Content.ReadAsStringAsync();
// JSON Response
JObject resJsonObject = JObject.Parse(resString);
}
Now, As you have the concern to authenticate the user and get the token. Here is Dropbox example in which they show how to redirect a user on dropbox website to authenticate and get the temporary oauth token.
Take a look at Connect Action Method and AuthAsync Action Method in Home Controller.
Hope this helps you. If any doubt feel free to ask.
I have a mobile client (app) letting the user authenticate with google. So, the client receives an access token and some info (name, email etc) from google. Works fine!
I also created an ASP.NET Web API that the mobile app should comunicate with. On the client side I am adding the token to the HttpClient with:
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "pretty_long_access_token_separated_by_two_dots");
Question 1: I'm trying to "decode" the access token on this site (to make sure it's all right): https://jwt.io/
The header and the payload is all right, but it seems like it's an "invalid signature" (says in the bottom). Should I worry about this?
On the server side, I added this to the Configuration method in the Startup class:
app.UseJwtBearerAuthentication( new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new List<string> {"my_client_id"},
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(#"https://accounts.google.com/", "my_client_secret")
},
});
The only thing I want to do with the token, on my server side, is making sure that only validated users from my app should be able to access my API-controller.
Question 2: Is UseJwtBearerAuthentication the right thing for me, or am I going in the wrong direction?
My problem is, I constantly get 401, unauthorized, when trying to access my WEB API controller.
If I am on the right track, I can try to explain more about the server side setup...
Any helt would be very appreciated!
If you are using a JWT token then you will need JWT instead of Bearer
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("JWT", "pretty_long_access_token_separated_by_two_dots");
The signature is used to validate the token as authentic and is therefore only required by the authentication server. If Google is your authentication server, then there should be an API endpoint you can call from your server to verify that the token is valid.
If your server is issuing the JWT token, then you will need to check that the token is valid by decoding the signature using the secret that was used to create it in the first place
If Google is issuing the JWT and you want your server to be able to self validate it, then you need to use another encryption type such as RS256 which will allow you to validate the signature using a public key issued by Google (I have no idea if they provide this method or not)
The reason https://jwt.io/ cannot validate your signature is because it was signed using a secret code. If you have this secret code then you are able to paste it into the textbox in the bottom right. If the secret is correct, and the token hasn't expired, it will show as being a valid JWT token.
I'm just finishing authorization and resource server for OAuth2, using DotNetOpenAuth 4.3.4. For testing, I created test client by implementing OAuth2Client.
Because I'm using DNOA for all the communication and request parsing, I'm not sure if I fully understand what is going on under the hood. But this knowledge is very important when I make documentation.
So, could you please explain to me, how client authentification works in DNOA? I use authorization code as grant_type and when I use my test client to exchange code for access_token, the DNOA somehow validate the client_secret and client_id. I downloaded source code for DNOA, but it not helped.
When I set breakpoint to Oauth2 controller(token method) and parse the request as HttpRequestMessage, i see the request contains "grant_type", "code" and "redirect_uri". But where are client_id and client_secret?
Also, can you tell me where I can find any usable documentation for DNOA? I need to create documentation, which will be valid and usable for all platforms, not just C#, which can use DNOA.
Related question:
I somewhere read, that we should not create authorization codes for unauthentificated clients, but this is exactly what DNOA does (since I receive authorization code even if secret is wrong). Is it ok?
Edit:
This is the request I'm trying to read. It is token request made by DNOA client. I can not see the client_id and client_secret under other parameters like "code", "redirect_uri" and "grant_type". I tought they have to be together. Maybe I'm missing something important from http requests and responses.
When I let DNOA to HandleTokenRequest(request) to continue, it is successfully authenticate the client application (fails when bad secret is set in DNOA client app config).
Edit 2
private readonly WebServerClient Client;
protected override string QueryAccessToken(Uri returnUrl, string authorizationCode)
{
var authorization = Client.ProcessUserAuthorization();
if (authorization != null)
return authorization.AccessToken;
else
return null;
}
This is my implementation of QueryAccessToken. It is from some sample. I think I created this at the beginning and did not change it, because it worked.
Going rought DNOA source I found out it is method from OAuth 1. THis can be the problem. But the question is, why it works ok with right client cerdentials and not working with bad ones.
Final edit
Looks like DNOA client uses http Basic authorization (client_id and secret are in header). But I need the DNOA server to be able to grab these parameters from POST.
If anyone know how to set DNOA to support client_id and client_secret in POST parameters, it would be awesome!
Thank you
The authorization code grant requires two steps.
The first step is the browser redirecting to the identity provider and displaying the logon ui. The authorization code is returned to the browser by the identity provider and then, from the browser to the client application. This step doesn't involve client secret! This is because the end user can debug this part of the flow and she should not learn the value of the client secret.
Then, when the client application has the onetime authorization code, it concacts the token endpoint directly (server-to-server) to exchange the authorization code for authorization token. This is where client id and client secret are used to verify that only legitimate client applications exchange codes for tokens.
The idea behind this flow is to protect the end user from exposing her password to the client application and also protect the client application from exposing its client secret to the end user.
Also note that the authorization code grant flow is the most complicated one as it involves both username/password (provided by the end user) and clientid/client secret (provided by the client application). There are other flows which allow to get the authorization token in slightly different way, namely:
resource owner grant which involves sending username/password directly by end user to the token endpoint of the identity provider. This flow is suited for desktop/mobile/native apps where the logon ui can be customized (but it also can raise suspicions and users could proably refuse to use it)
client credentials flow which involves sending clientid/client secret by the client application to the idntity provider. There is no end user but only the client application authenticating in the identity provider.
More on flows here:
http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
As for DNOA, I found it clean and understandable but the docs are lacking. Fortunately, examples are great and although barely documented, you can find almost everything there. Nonetheless, I was able to set up oauth2 identity provider and resource server in three days and support all four oauth2 flows. I am not going to dig deeply into details as this is not what your question is about, however, if you have DNOA specific questions, just ask.
Edit:: regarding your QueryAccessToken implementation, it seems that you are using the WebServerClient internally. In my code I just initialize its properties:
WebServerClient client = ...
client.ClientIdentifier = "client_id";
client.ClientCredentialApplicator =
ClientCredentialApplicator.PostParameter( "client_secret" );
With these two configured, both client_id and client_secret are sent to the token service with the client_secret passed in POST params.