Google Adwords OAuth "error" : "invalid_client" exception - c#

I've inherited a google adwords project which is using OAuth 2.0 for Installed Applications to connect to the google adwords API.
I'm falling over on the first hurdle; I've downloaded the following example project from github;
https://github.com/googleads/googleads-dotnet-lib/tree/master/examples/AdWords/CSharp/OAuth
When I place all the details into the web.config as directed it doesn't work.
I've put in;
the developer token
the customer Id
The refresh token.
This is all brand new to me, my understanding is that when using the refresh token the application should get a new access token and allow access to the API.
The above image shows the sample app interface, when I click on the "Get campaigns" link I receive an exception message;
Google.Api.Ads.Common.Lib.AdsOAuthException was caught
HResult=-2146233088
Message=Failed to refresh access token.
{
"error" : "invalid_client"
}
Source=Google.Ads.Common
StackTrace:
at Google.Api.Ads.Common.Lib.OAuth2ProviderForApplications.RefreshAccessTokenInOfflineMode()
at Google.Api.Ads.Common.Lib.OAuth2ProviderForApplications.RefreshAccessToken()
at Google.Api.Ads.Common.Lib.OAuth2ProviderBase.RefreshAccessTokenIfExpiring()
at Google.Api.Ads.Common.Lib.OAuth2ProviderForApplications.RefreshAccessTokenIfExpiring()
at Google.Api.Ads.Common.Lib.OAuth2ProviderBase.GetAuthHeader()
at Google.Api.Ads.Common.Lib.OAuth2ProviderForApplications.GetAuthHeader()
at Google.Api.Ads.AdWords.Lib.AdWordsSoapClient.InitForCall(String methodName, Object[] parameters)
at Google.Api.Ads.Common.Lib.AdsSoapClient.MakeApiCall(String methodName, Object[] parameters)
at Google.Api.Ads.Common.Lib.AdsSoapClient.Invoke(String methodName, Object[] parameters)
at Google.Api.Ads.AdWords.v201601.CampaignService.get(Selector serviceSelector)
at Google.Api.Ads.AdWords.Examples.CSharp.OAuth.Default.OnGetCampaignsButtonClick(Object sender, EventArgs eventArgs) in c:\Adwords\examples\AdWords\CSharp\OAuth\Default.aspx.cs:line 130
InnerException:
The application was using these credentials in a previous application, seemingly without issue.
I've searched high and low for an answer to this, the exception says that the access token can't be refreshed but the ambiguous reasoning doesn't help a great deal.
Could someone offer any further insight?
Many thanks.

You should set OAuth2ClientId and OAuth2ClientSecret values in webconfig.
<add key="OAuth2ClientId" value="your client id"/>
<add key="OAuth2ClientSecret" value="your client secret"/>
You can get clientid and client secret code from
https://console.developers.google.com/project
Provide the OAuth2 client ID and secret. You can create one from
https://console.developers.google.com/project. See
https://developers.google.com/identity/protocols/OAuth2WebServer
for more details.


Intermittent ExchangeException when getting EWS mail folders using GetEWSClient in Aspose.Email

I have a Windows service that uses Aspose.Email to call Exchange365 using EWS to read the list of mailbox folders, select a folder and then read the messages. I'm using OAuth Client Credentials authentication.
It works great most of the time but intermittently (around 1-2% of calls) I get an error like this:
ExchangeException: An internal server error occurred. The operation failed.
at #=zJwR5hYhASPjEG51KcFP5cfaNW_E9xKzbKNrDvkouRDML.#=zbEiudxU=(Exception #=zXBxojZA=)
at #=zJwR5hYhASPjEG51KcFP5cfaNW_E9xKzbKNrDvkouRDML.#=zJxs8Enk=()
at Aspose.Email.Clients.Exchange.WebService.EWSClient.#=zeKhM5WV7jZFJ(String #=zwl3m1OEGe_npeTCLKA==, ICredentials #=z8dcYagA=, WebProxy #=zPxR7k20=, #=zobHVK5XZznS2TuzCjFYVkWlb_06X8KyvTg== #=zuLDkIL8cyRRE, #=zLSBmP6s5p40Nd06_7HFvrX6K9S$RdU6i23eiqR0t6nn3VKSIig== #=zPNhWaZtYKy02YJZNn6uibe8=)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, ICredentials credentials, WebProxy proxy)
at Aspose.Email.Clients.Exchange.WebService.EWSClient.GetEWSClient(String mailboxUri, ICredentials credentials)
at EmailTest.Program.GetFolders(OAuthNetworkCredential credentials) in C:\Dev\Sandbox\EmailTest\Program.cs:line 72
at EmailTest.Program.<Main>d__0.MoveNext() in C:\Dev\Sandbox\EmailTest\Program.cs:line 42
or
ExchangeException: An internal server error occurred. The operation failed.
at #=zRSjcm9RrA3a6zmmitFu34UW3nW4gV823KL6N1k9mXXhY.#=zqfYcQSUW7xkI(WebException #=zMMH$jH0=)
at #=zRSjcm9RrA3a6zmmitFu34UW3nW4gV823KL6N1k9mXXhY.GetResponse()
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at #=zKdOmVOFQs9ARtLG3Zlu_IvXd08LXFmI3_5D9s_gr4KsZjsevGw==.FindFolder(FindFolderType FindFolder1)
at #=zKdOmVOFQs9ARtLG3Zlu_ImWGLEjOliBGtOJU8_WNO6d9X7U9LuJoRwA=.#=zthDK7XA=(BaseFolderIdType #=zW0dJQvKwqFVf, String #=z7p_vI0c=)
at #=zKdOmVOFQs9ARtLG3Zlu_ImWGLEjOliBGtOJU8_WNO6d9X7U9LuJoRwA=.#=zthDK7XA=(String #=zxohf2Vezm7Vf, String #=z$vyJZib10Ez_, String #=z7p_vI0c=)
at #=zTAbjhrGUH9E0n8cOeUNrQiqgnbUhJNI_gUj7wuZ$HYDp.ListSubFolders(String #=zxohf2Vezm7Vf, String #=znaKuRg4Rx3vw)
at #=zTAbjhrGUH9E0n8cOeUNrQiqgnbUhJNI_gUj7wuZ$HYDp.ListSubFolders(String #=znaKuRg4Rx3vw)
at EmailTest.Program.GetFolders(OAuthNetworkCredential credentials) in C:\Dev\Sandbox\EmailTest\Program.cs:line 74
at EmailTest.Program.<Main>d__0.MoveNext() in C:\Dev\Sandbox\EmailTest\Program.cs:line 42
If I retry the failing call immediately afterwards, it works fine. So as a workaround I use a "retry" pattern with this call, but I don't like this and I want to know why it's failing. I made a cut-down version of my code for investigation purposes.
Here is how I'm creating the credentials:
private static async Task<OAuthNetworkCredential> GetAccessTokenWithClientCredentials()
{
    var app = ConfidentialClientApplicationBuilder
        .Create(Settings.ClientId)
        .WithTenantId(Settings.TenantId)
        .WithClientSecret(Settings.ClientSecret)
        .Build();
    AuthenticationResult authResult =
        await app.AcquireTokenForClient(new[] { Settings.Scopes }).ExecuteAsync().ConfigureAwait(false);
    return new OAuthNetworkCredential(Settings.Username, authResult.AccessToken);
}
and here's how I'm calling the folders:
private static string GetFolders(OAuthNetworkCredential credentials)
{
    using (IEWSClient client = EWSClient.GetEWSClient(Settings.ExchangeWSUrl, credentials))
    {
        ExchangeFolderInfoCollection folders = client.ListSubFolders(client.MailboxInfo.RootUri);
        return string.Join(", ", folders.Select(x => x.DisplayName));
    }
}
This is using Aspose.Email 22.8 and Microsoft.Identity.Client 4.46.2.
ExchangeWSUrl is https://outlook.office365.com/ews/exchange.asmx
Scopes is https://outlook.office.com/.default
If you're using the client_credentials flow you need to be using Impersonation and you should be setting the X-AnchorMailbox header to the mailbox you're impersonating (I don't use Aspose but they have an example of it in their docs https://docs.aspose.com/email/net/utility-features/). This affects how a request is routed; that said, mailboxes move around in the cloud often so availability is not always guaranteed and you should always expect some requests will fail if the mailbox is being moved.
Update: I haven't changed my code or version of Aspose at all, and the exception doesn't occur anymore.
My feeling is that Microsoft have changed something on the Exchange side to fix the issue, so happy days.

how to post on facebook wall for specific list of users using asp.net c#?

I am trying to post to a specific group of users on Facebook such as (close friends, or family, or college friends...) and I used the code below.
code that I used:
1
FacebookClient fpost1 = new FacebookClient(access_token);
fpost1.Post("/1234567890/feed", new { message = "test post"});
note: access_token is working correctly when I am doing some job before this exception.
I put my friendlist id instead of 1234567890, that you can get it from graph .../me?fields=friendlists
it did not work and gave me this error "(OAuthException - #2) An unexpected error has occurred. Please retry your request later."
2
FacebookClient fpost1 = new FacebookClient(access_token);
fpost1.Post("/me/feed", new { message = "it is very cold.", to="1234567890"});
this one works, but it posts to "only me" as target.
thank you
It looks to me that what you are doing here...
FacebookClient fpost1 = new FacebookClient(access_token);
fpost1.Post("/1234567890/feed", new { message = "test post"});
is wrong. Because I believe that 1234567890 is a user-id, right? Not a friendslist-id. According to the documentation this edge/endpoint signature goes like....
/{user-id}/feed
where user-id is obviously a user id. The documentation states that...
Most nodes in the Graph API have edges that can be published to (such as Photos or Posts). All Graph API publishing is done simply with an HTTP POST request to the relevant endpoint with any necessary parameters included. For example, if you wanted to publish a post on behalf of someone, you would make an HTTP POST request as below:
POST graph.facebook.com
/{user-id}/feed?
message={message}&
access_token={access-token}
Notice that it says "On Behalf of Someone". My understanding is that you are publishing on behalf of someone and to do that, this someone must have requested an access_token through your application. In other words, if this user hasn't logged in to your app and generated a valid access token you cannot publish on his/her wall
POST graph.facebook.com
me/feed?message="hello"&privacy={"value": "CUSTOM", "allow": "1234567890"}
where the 1234567890 is one of friendlists id

OpenIdProvider.GetRequest() returns null

As somewhat of a continuation of this question, I'm having problems with dotnetopenauth.
I navigate to my relying party code and create the request, however when my provider receives the request OpenIdProvider.GetRequest() returns null. I went through the code and as far as I can tell, this is because the openid payload (request.form) is not being delivered by my relying party; but I can't figure out why this is.
Code:
Relying Party:
public ActionResult Authenticate(string RuserName = "")
{
    UriBuilder returnToBuilder = new UriBuilder(Request.Url);
    returnToBuilder.Path = "/OpenId/Authenticate";
    returnToBuilder.Query = null;
    returnToBuilder.Fragment = null;
    Uri returnTo = returnToBuilder.Uri;
    returnToBuilder.Path = "/";
    Realm realm = returnToBuilder.Uri;
    var response = openid.GetResponse();
    if (response == null) {
        if (Request.QueryString["ReturnUrl"] != null && User.Identity.IsAuthenticated) {
        } else {
            string strIdentifier = "http://localhost:3314/User/Identity/" + RuserName;
            var request = openid.CreateRequest(
                strIdentifier,
                realm,
                returnTo);
            var fetchRequest = new FetchRequest();
            request.AddExtension(fetchRequest);
            request.RedirectToProvider();
        }
    } else {
        switch (response.Status) {
            case AuthenticationStatus.Canceled:
                break;
            case AuthenticationStatus.Failed:
                break;
            case AuthenticationStatus.Authenticated:
                //log the user in
                break;
        }
    }
    return new EmptyResult();
}
Provider:
public ActionResult Index()
{
    IRequest request = OpenIdProvider.GetRequest();
    if (request != null) {
        if (request.IsResponseReady) {
            return OpenIdProvider.PrepareResponse(request).AsActionResult();
        }
        ProviderEndpoint.PendingRequest = (IHostProcessedRequest)request;
        return this.ProcessAuthRequest();
    } else {
        //user stumbled on openid endpoint - 404 maybe?
        return new EmptyResult();
    }
}
public ActionResult ProcessAuthRequest()
{
    if (ProviderEndpoint.PendingRequest == null) {
        //there is no pending request
        return new EmptyResult();
    }
    ActionResult response;
    if (this.AutoRespondIfPossible(out response)) {
        return response;
    }
    if (ProviderEndpoint.PendingRequest.Immediate) {
        return this.SendAssertion();
    }
    return new EmptyResult();
}
Logs:
RP: 1) http://pastebin.com/Pnih3ND7 2) http://pastebin.com/eBzGun9y
Provider: http://pastebin.com/YAUTBzHk
Interestingly enough the RP log says that localhost is untrusted...yet I added it to the whitelisted hosts in my web.config, and it was "working" yesterday...
EDIT: Okay, this is weird. Yesterday I was stepping through the DNOA source trying to find out what the problem is. I enabled log4net and it created the log file and left it blank. Today I set up log4net again - it logged fine but I had an error that didn't make sense (see above). I also wasn't able to step into the DNOA source. I removed and re-added the reference to dotnetopenauth.dll, and then my "original error" with the whitelisted hosts went away, I was able to step into the source, but the log file was blank again. And I still have the problem with request.form not being populated...
EDIT2: Both my controllers are named "OpenIdController" (both on the RP and EP). My RP is running on localhost:1903, and my endpoint is running on localhost:3314.
EDIT3: After I made the changes you suggested things started working. The RP performs the discovery fine, but I have an issue when it actually makes the request.
The line IRequest i_request = OpenIdProvider.GetRequest(); works fine, but when I try to cast it: IAuthenticationRequest iR = (IAuthenticationRequest)i_request; it gives me the following error:
System.InvalidCastException was unhandled by user code
Message=Unable to cast object of type 'DotNetOpenAuth.OpenId.Provider.AutoResponsiveRequest' to type 'DotNetOpenAuth.OpenId.Provider.IAuthenticationRequest'.
Source=Portal
StackTrace:
at Portal.Controllers.OpenIdController.Index() in Controllers\OpendIdController.cs:line 35
at lambda_method(Closure , ControllerBase , Object[] )
at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41()
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49()
This code is a bit of a hodge-podge between the two samples I found relevant. I want to set up an SSO type environment so the majority of the code I'm using is from \DotNetOpenAuth-4.1.0.12182\Samples\OpenIdWebRingSsoProvider\Code\Util.cs (ProcessAuthenticationChallenge function). However, since that function expects an IAuthenticationRequest but OpenIdProvider.GetRequest returns an AutoResponsiveRequest I figured I'd be able to cast it in order to use the properties and methods of the IAuthenticationRequest class. Obviously I was incorrect.
I'm not quite sure how to approach things at this point. Should I be using the sample code from the OpenIdProviderMVC sample? The key thing is that the login work like a single sign on, and the user is never actually prompted to enter an OpenId. I will only ever have one endpoint as well (although I will have multiple RP's).
Here's the link to the most recent RP logs: http://pastebin.com/enpwYqq3
EDIT4: I did what you suggested, and made some progress. My EP receives the response and processes it as far as I can tell, but when it redirects back to the realm url it errors out.
012-10-10 13:55:01,171 (GMT-4) [25] ERROR DotNetOpenAuth.Messaging - Protocol error: An HTTP request to the realm URL (http://localhost:1903/) resulted in a redirect, which is not allowed during relying party discovery.
What exactly is the function of the Realm as opposed to the ReturnTo? Using the sample code, the Realm ends up being http://localhost:1903/ and the ReturnTo ends up being http://localhost:1903/OpenId/Authenticate which seems fine. Why does the EP need to make a request to the realm? I'd have thought that it should simply be sending the assertion to the returnTo once it finished processing. If I manually set the Realm to http://localhost:1903/OpenId/Authenticate then relyingParty.GetResponse() returns null.
I do have my application set up to redirect when someone accesses the base url (http://localhost:1903) - what code should I have running there to intercept the DNOA EP request?
New Logs:
RP: http://pastebin.com/L9K5Yft4
EP: http://pastebin.com/kBPWiUxp
I've also updated the code at the beginning of the question to better reflect the changes I've made.
EDIT5: Does the realm have to be the actual base URL of the application? That is, (http://localhost:1903)? Given the existing architecture in place it is difficult to remove the redirect - I tried setting the realm to the base OpenId controller (http://localhost:1903/OpenId) and testing manually did generate the XRDS document. However, the application seems to freeze, and the EP log reveals the following error:
2012-10-10 15:17:46,000 (GMT-4) [24] ERROR DotNetOpenAuth.OpenId - Attribute Exchange extension did not provide any aliases in the if_available or required lists.
Your RP has very suspiciously odd code. While it is normal (in fact required) for the return_to and realm to both have the same Uri authority, the fact that the user-supplied identifier that you're passing in as the first parameter to OpenIdRelyingParty.CreateRequest has the same host and port as your relying party is very odd. Normally the identifier you pass in would be a URL hosted by the provider. Now, I don't know if port 3314 is your RP or your OP, but either way, one of these port numbers in your RP code looks wrong.
Secondly, discovery on the user identifier fails with a null reference exception (according to v2 of your RP logs). That would prevent the login request from ever reaching your Provider. The fact that your Provider is getting called but with a non-existent OpenID request suggests that http://localhost:3314/OpenId/ is actually your OP Endpoint (the URL of your OpenID Provider's action method that reads OpenID requests). That would be inappropriate. The URL you should pass to your OpenIdRelyingParty.CreateRequest method's first parameter should, again, be a user's OpenID URL -- not an OP Endpoint. Check out the OpenIdProviderMvc sample's User controller for an example of how to set up a user OpenID URL. Then use that URL as the first arg to CreateRequest and I think you'll be good.
Thirdly, once your Provider receives a non-null request, you can't always cast it to IAuthenticationRequest. Not all OpenID messages are authentication messages. Some are part of the underlying OpenID protocol. If you look at the OpenIdProviderMvc sample's OpenID controller, you should notice that there are conditional casts to deal with the different message types. You should have similar message handling in your controller.
Since you're going for the SSO scenario, the significant difference in your controller would presumably be:
your controller never responds with a redirect to a login page, but rather "magically" figures out who the user is.
your controller should check the IAuthenticationRequest.Realm property against a whitelist of the RPs included in your SSO web ring, and only provide positive assertions when the Realm qualifies. This mitigates the attack where once your server is set up, anyone could set up a site that quietly uses your OpenID Provider to identify a user of a random Internet web site if they belong to your org, which would violate their privacy.
Fourthly, the HTTP request that the OP is sending to your RP's "realm" URL is part of a process OpenID calls "RP discovery". It's there to mitigate "open redirector" attacks. You should adjust your RP's base URL to not redirect, but rather return an XRDS document when the RP discovery request comes in. You can still redirect for the normal browser case. You can see an example of how to do this in the OpenIdRelyingPartyMvc sample's HomeController.
As you can see from the relying party log:
ERROR DotNetOpenAuth.Messaging - Protocol error: The URL 'http://localhost:3314/OpenId/' is rated unsafe and cannot be requested this way.
Your Provider is hosted on localhost, which on a production server is not a safe OpenID. So by default localhost is disabled. You can allow it for local testing by adding localhost to your whitelist by adding this to your web.config file (with the appropriate configSections at the top):
<dotNetOpenAuth>
    <messaging>
        <untrustedWebRequest>
            <whitelistHosts>
                <add name="localhost" />
            </whitelistHosts>
        </untrustedWebRequest>
    </messaging>
</dotNetOpenAuth>
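The two provider-side checks discussed in the answers above (only asserting for realms in the SSO ring, and verifying return_to against the XRDS document served at the realm URL) are sketched below as an added example; it is not part of the original answers and is not DotNetOpenAuth's own code. `SsoProviderChecks` is a hypothetical helper working on plain strings, the XRDS document and the `rp.example.test` host are constructed, and the path rule follows OpenID 2.0 return URL verification (same scheme, host and port, path equal to or below the advertised endpoint).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example (hypothetical helper, not DotNetOpenAuth code): the provider-side
// realm and return_to checks, written against plain strings so it runs on its own.
public static class SsoProviderChecks
{
    private const string ReturnToType = "http://specs.openid.net/auth/2.0/return_to";
    private static readonly XNamespace Xrd = "xri://$xrd*($v*2.0)";

    // Parse an http(s) URL that has no wildcard and no user-info part; null if unusable.
    private static Uri Parse(string url)
    {
        Uri uri;
        if (string.IsNullOrEmpty(url) || url.Contains("*")) return null;
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        return uri.UserInfo.Length == 0 ? uri : null;
    }

    private static bool SameOrigin(Uri a, Uri b)
    {
        return a.Scheme == b.Scheme && a.Port == b.Port
            && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase);
    }

    // True when path is basePath itself or lies below it on a segment boundary.
    private static bool PathCovers(string basePath, string path)
    {
        if (path == basePath) return true;
        if (!basePath.EndsWith("/")) basePath += "/";
        return path.StartsWith(basePath, StringComparison.Ordinal);
    }

    // Check 1: the realm must be exactly one of the SSO ring's realms
    // (wildcard realms and look-alike hosts are refused).
    public static bool IsRealmAllowed(IEnumerable<string> ringRealms, string realm)
    {
        Uri candidate = Parse(realm);
        if (candidate == null || candidate.Query.Length != 0) return false;
        return ringRealms.Select(r => Parse(r)).Any(r => r != null
            && SameOrigin(r, candidate) && r.AbsolutePath == candidate.AbsolutePath);
    }

    // Check 2 (RP discovery): return_to must fall under a return_to endpoint
    // listed in the XRDS document that the RP serves at its realm URL.
    public static bool IsReturnToVerified(string xrdsXml, string returnTo)
    {
        Uri target = Parse(returnTo);
        if (target == null) return false;
        return XDocument.Parse(xrdsXml)
            .Descendants(Xrd + "Service")
            .Where(s => s.Elements(Xrd + "Type").Any(t => t.Value.Trim() == ReturnToType))
            .SelectMany(s => s.Elements(Xrd + "URI"))
            .Select(u => Parse(u.Value.Trim()))
            .Any(e => e != null && SameOrigin(e, target)
                && PathCovers(e.AbsolutePath, target.AbsolutePath));
    }

    public static void Main()
    {
        // Constructed sample data; the localhost URLs are the ones quoted in the question.
        string[] ring = { "http://localhost:1903/" };
        string xrds =
            "<xrds:XRDS xmlns:xrds='xri://$xrds' xmlns='xri://$xrd*($v*2.0)'><XRD><Service>" +
            "<Type>http://specs.openid.net/auth/2.0/return_to</Type>" +
            "<URI>http://localhost:1903/OpenId/Authenticate</URI>" +
            "</Service></XRD></xrds:XRDS>";

        string[] realms = { "http://localhost:1903", "http://localhost:1904/",
                            "http://localhost:1903@rp.example.test/" };
        foreach (string realm in realms)
            Console.WriteLine("realm {0} allowed: {1}", realm, IsRealmAllowed(ring, realm));

        string[] returnTos = { "http://localhost:1903/OpenId/Authenticate?x=1",
                               "http://localhost:1903/OpenId/AuthenticateX",
                               "http://localhost:1903/" };
        foreach (string returnTo in returnTos)
            Console.WriteLine("return_to {0} verified: {1}", returnTo, IsReturnToVerified(xrds, returnTo));
    }
}
```

In a provider action the realm check would run on the string form of `IAuthenticationRequest.Realm` before any positive assertion is prepared.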

Facebook C# SDK OAuth Exception "ClientID required"

This question is, I think, similar to my previous one.
Using the latest C# Facebook SDK on .NET 4 I get an Exception with the message "ClientID required" with the following code on the last line:
var app = new DefaultFacebookApplication();
app.AppId = "appId";
app.AppSecret = "secret";
var fb = new FacebookWebContext(app);
fb.IsAuthenticated();
App ID and secret are properly set. The stack trace of the exception is the following:
System.Exception occurred
Message=ClientID required. Source=Facebook StackTrace:
at Facebook.FacebookOAuthClient.BuildExchangeCodeForAccessTokenParameters(IDictionary`2 parameters, String& name, String& path)
at Facebook.FacebookOAuthClient.ExchangeCodeForAccessToken(String code, IDictionary`2 parameters)
at Facebook.FacebookSession.get_AccessToken()
at Facebook.FacebookSession.get_Expires()
at Facebook.Web.FacebookWebContext.IsAuthenticated()
at Piedone.FacebookTest.Authorize() InnerException:
On the client side I'm using the JS SDK, initialized as following:
FB.init({
    appId: appId,
    status: true, // check login status
    cookie: true, // enable cookies to allow the server to access the session
    xfbml: true, // parse XFBML
    oauth: true // enable OAuth 2.0
});
The user gets properly logged in with the JS login() method, as the alert in the following piece of code runs:
FB.login(function (response) {
    if (response.authResponse) {
        alert("logged in");
    } else {
        alert('User cancelled login or did not fully authorize.');
    }
}, { scope: scope });
In the app settings on Facebook both the "Forces use of login secret for OAuth call and for auth.login" and "Encrypted Access Token" are turned on. As far as I know all this should enable the use of the OAuth 2 authentication.
Does anybody have an idea what I am doing wrong? There really can't be any error in these few lines of code...
Thanks in advance for any help!
Edit:
The AccessToken property of FacebookWebContext throws the same error and HttpContext.CurrentNotification does:
CurrentNotification '(_facebookWebContextCache.HttpContext).CurrentNotification' threw an exception of type 'System.PlatformNotSupportedException' System.Web.RequestNotification {System.PlatformNotSupportedException}
This operation requires IIS integrated pipeline mode.
Since I must run the program from Visual Studio with its Development Server (as I'm currently developing the application) there is no way anything can be done about the latter exception, I suppose. Actually I also tried with Webmatrix's IIS express, but the problem persists.
It's also interesting, that in the FacebookWebContext the settings (app id, secret) are correctly set as well, the user Id and the signed request is also there...
Edit 2:
I also get the same error when using the SDK source. It looks that AccessToken and in the Session the Expires property throw the exception. I don't know if this is connected to the httpcontext issue above.
One more solution is to add the facebook settings to your web or app config
<facebookSettings appId="appid" appSecret="secret" />
after that create the Auth class
var oauth = new FacebookOAuthClient(FacebookApplication.Current);
And it will work as well
Finally I managed to solve the problem, but most likely this is a bug in the SDK.
The cause
The problem is that the FacebookApplication.Current is empty, as it does not get populated with data set in the FacebookWebContext ctor. This leads to the problem of the access token: in FacebookSession.AccessToken on line 119 FacebookOAuthClient is instantiated with FacebookApplication.Current, that of course is practically empty. So FacebookOAuthClient is throwing the exception as it doesn't get the application settings.
The solution
The workaround is to simply explicitly set the current FacebookApplication together with the instantiation of FacebookWebContext:
var app = new DefaultFacebookApplication();
app.AppId = "appId";
app.AppSecret = "secret";
var fb = new FacebookWebContext(app);
FacebookApplication.SetApplication(app); // Note this is the new line

Failed to Execute URL - any ideas?

I am seeing some entries of the following exception in my logs and don't know why or where it's occurring:
Failed to Execute URL.
at System.Web.Hosting.ISAPIWorkerRequestInProcForIIS6.BeginExecuteUrl(String url, String method, String childHeaders, Boolean sendHeaders, Boolean addUserIndo, IntPtr token, String name, String authType, Byte[] entity, AsyncCallback cb, Object state)
at System.Web.HttpResponse.BeginExecuteUrlForEntireResponse(String pathOverride, NameValueCollection requestHeaders, AsyncCallback cb, Object state)
at System.Web.DefaultHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback callback, Object state)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Has anyone come across this before or could shed some light on it? I'm running a .net 3.5 c# web application on IIS7.
I just ran into this while using Windows Identity Foundation. The problem ended up being resolved by switching the application pool to use Integrated instead of Classic. It was failing when there was a trailing slash on the url and redirecting to the login page. Specifying the full page in the url didn't give the error.
I had the same error when using WIF in classic pipeline mode. Because we unfortunately cannot change the application to integrated pipeline mode, I've implemented a fix for the specific scenario that David Scott describes.
In global.asax.cs:
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Fix for "Failed to Execute URL" when non-authenticated user
    // browses to application root
    if ((User == null)
        && (string.Compare(Request.Url.AbsolutePath.TrimEnd('/'),
            Request.ApplicationPath, true) == 0))
    {
        Response.Redirect(Request.ApplicationPath + "/Default.aspx");
        HttpContext.Current.ApplicationInstance.CompleteRequest();
    }
}
Before the authentication attempt, Application_AuthenticateRequest is called with a null User object. Only in that case, the code redirects from / to /Default.aspx (my app is Asp.Net web forms). This fixed the problem for us.
I also had this issue when I was using WIF with a .NET 4.5 application in Classic mode. The user was getting authenticated from ADFS and then the user was getting this error. Previously I was sending E-Mail-Addresses -> E-Mail-Address as the claim. Adding another claim rule as E-Mail-Addresses -> Name resolved this issue for me.
