I am trying to test againt a service that implements the OAuth 2.0 authentication protocol and I want to run the automation without using any browser elements. Is that possible and if so how?
What i am currently doing is opening a browser and then sending user/key combination and then on redirect, I get the access token from the URL which I then use in subsequent REST calls. but this method takes a bit of time and may not be completely reliable for running lots of tests.
Is there any way that I can programatically handle the initial handshake, i.e, send the user/key, get the permission request page and then accept it through c# as well and finally get the access token without any browser in the middle?
Check out DotNetOpenAuth - http://www.dotnetopenauth.net/
You should be able to write automated test cases quite simply
You could try service account authentication for your test system. This approach replaces user interaction with cryptographically signed JSON Web Tokens (JWTs).
Google's implementation docs have some details.
Related
I am trying to access an asps website and download a file through a job in .NetCore.
When I try to log in with the password and user name it is failing.
I made the same request through postman and it added an authentication cookie in with DotNetNuke and a value.
In my code when I take this value postman gave me and add a header add header(cookie, .DotNetNuke=PostmanValue) the job works.
The only issue is that this authentication token isn’t persistent.
How can I generate this value each time I want to run the job? So I have to install something in .NetCore for DotnetNuke?
Thanks in advance
DNN's basic authentication is designed to work in a standard browser context, so when you login, the response contains the cookie value and you send that cookie value back with each future request.
Some portions of DNN can handle basic authentication, however, that really isn't a supported pathway so your successes might be limited based on this behavior.
If you are looking to download a file, that is in "Secure" folder types, it might be best to implement an API using JWT or otherwise that you can call directly from your external application, rather than trying to override or otherwise mimic the DNN proceses.
I currently have a .net core application that uses Identity Server 4 to authenticate users. We have two different applications; an MVC portion of our site that users can login to, and a SPA that users have to login to as well. Is it possible to make it so that anytime the user logs out of one of those areas, that it logs out of both?
This is the main idea of Single Sign-On. Not only single login, but also single logout. Identity Server 4 fully support this, but you just need to configure both your clients (the MVC app and SPA) with their proper configurations. This is the official documentation about signing out. It works.
EDIT
PS: Have in mind that Identity Server does not invalidate the access token, once you are logged out. In other words - if you, by any chance, still have the access token, you will be able to use it, as long as it is valid (its validity period has not expired). This is why usually the access token is set to have a shorter lifetime.
There are 2 front channel ways to acheive this and I'd recommend using both.
1) Front channel log out which uses an endpoint registered against each client. When you sign out of IDS4 (assuming it's implemented properly) it will make a request to the registered endpoint for each app that was signed into during the current session. http://openid.net/specs/openid-connect-frontchannel-1_0.html
2) The session monitoring spec which uses a bit of javascript and cross-domain iframe magic to notify the client app when the user's session changes on the IDP. Using this you can immediately respond to changes and do any cleanup you need to. http://openid.net/specs/openid-connect-session-1_0.html
As mentioned in m3n7alsnak3's answer this will not invalidate any JWT access tokens (you can use the revocation endpoint to revoke refresh or reference tokens however). Therefore I'd recommend having the client applications to the best job they can of clearing up any state they can, i.e. clearing all cookies, session/local storage etc.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial
I have recently finished creating a STS setup and need to expose some WCF service methods on the STS's themselves. So far the login sends a token to the claims provider, the claims provider sets all the clams and then hands the user back down to the front end so that's working fine. I need to implement some WCF functions that need to check that the user has a valid token to trigger the method. I have looked into it and have tried configuring WSFederationHttpBind with little success. It seems to ask the client for a certificate via "Windows cardspace" for some reason and I can't find a way to assign the already produced token with the WCF call from the client. Any pointers in the right direction would be great I've been racking my brains all day and clearly not searching for the right thing!
P.S The STS uses WIF to create/assign the tokens
When you say "It seems to ask the client for a certificate via "Windows cardspace" for some reason" do you mean that when the client calls the service operation you get a UI for CardSpace asking the user to select some credentials?
If so, to suppress this you need to set
channelFactory.Credentials.SupportInteractive = false;
A simple sample is avaialble in the WIF SDK. A slightly more complex one is available here: http://msdn.microsoft.com/en-us/library/ff359113.aspx
So I play an online game that's web based and I'd like to automate certain things with it using C#. Problem is that I can't simply use WebClient.DownloadData() because I need to be logged in to actually recieve the source. The other alternative was to use the built-in web browser control but that doesn't give me access to source code. Any suggestions?
I don't think NetworkCredentials will work in all cases. This only works with "Basic" or "Negotiate" authentication.
I've done this before with an internal website for some load testing, but sounds like you are trying to "game" the game. For that reason I won't go into details but the login to the site is probably being done in the form of an HTTP POST when you hit the login button.
You'd have to trap the POST request and replicate it in your code and make sure that your implementation maintains the session state as well, because if the game site is written well at all it will make sure that the current session has logged in before doing anything game related.
You can set the login credentials on the webclient using its Credentials property before calling DownloadData:
WebClient client = new WebClient();
client.Credentials = new NetworkCredential("username", "password");
EDIT: As mjmarsh points out, this will only work for sites that use a challenge-response method of authentication as part of a single request (I'm so used to dealing with this at work, I hadn't considered the other types!). If the site uses forms authentication (or indeed any other form of authentication), this method will not work as the authentication is not part of a single request - multiple requests are needed that you will need to handle yourself.
Network credentials will not work as mjmarsh has already pointed out.
While web scraping we come across lot of pages where login is needed. One of the approaches I use is install fiddler and monitor the POST and GET packets while manually logging in the site. This allows you to find out how the browser emulates the login. Then you need to recreate the same process by Code.
For example, most web servers use cookies to assume the session is authenticated. So you can use the credentials to post UserName and Password on the web site and record the Cookie. This cookie can then be used to access any further details on the web site.
Please check following link to check out more about Advanced Web Scraping:
http://krishnan.co.in/blog/post/Web-Scraping-Yahoo-Mail.aspx
In this blog, you will find how to authenticate into Yahoo account and then read the page after authentication.