I'm trying use Kerberos tokens directly in C# using the KerberosSecurityTokenProvider. Unfortunately, the documentation on its use is very limited and I've not had much success. I've written the following sample test application:
var oProvider = new KerberosSecurityTokenProvider("MACHINENAME",TokenImpersonationLevel.Identification);
var oToken = (KerberosRequestorSecurityToken)oProvider.GetToken(TimeSpan.FromHours(1));
Console.WriteLine(oToken.ValidFrom);
Console.WriteLine(oToken.ValidTo);
Console.WriteLine(oToken.Id);
var abRequest = oToken.GetRequest();
var sId = oToken.Id;
try
{
var oReceivedToken = new KerberosReceiverSecurityToken(abRequest, sId);
var oAuthenticator = new KerberosSecurityTokenAuthenticator();
var oCol = oAuthenticator.ValidateToken(oReceivedToken);
foreach (var o in oCol)
{
Console.WriteLine(o.Id);
}
}
catch(Exception e)
{
Console.WriteLine(e);
}
Where MACHINENAME is the name of my machine. It successfully gets a Kerberos Token, but when I try to validate it, I get:
System.IdentityModel.Tokens.SecurityTokenException: The AcceptSecurityContext failed. ---> System.ComponentModel.Win32Exception: The logon attempt failed
Which leaves me with a number of questions:
Is this the correct way to get/validate Kerberos Tokens in C#?
Why is it trying to perform a login if I am just saying I want to use the token for identification?
Is the error due to my code, or are there domain configuration issues that also need to be addressed?
Any comments on how to use your own Kerberos tokens in .NET?
Related
I'm trying to connect to SharePoint online in a console App and print the title of the site.
Its giving me the error : "The sign-in name or password does not match one in the Microsoft account system."
I have checked and made sure the username and password are 100% right.
I dont know what else to check
Heres my code:
private static void SPCredentialsConnect()
{
const string SiteUrl = "https://tenant.sharepoint.com/sites/mysite";
const string pwd = "appPassword";
const string username = "username#tenant.onmicrosoft.com";
SecureString securestring = new SecureString();
pwd.ToCharArray().ToList().ForEach(s => securestring.AppendChar(s));
ClientContext context = new ClientContext(SiteUrl);
context.Credentials = new SharePointOnlineCredentials(username, securestring);
try
{
var web = context.Web;
context.Load(web);
context.ExecuteQuery();
Console.WriteLine($"web title: {web.Title}");
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
Have your issue fixed? “The sign-in name or password does not match one in the Microsoft account system” Error will occur sometimes and fixed after a while with nothing changed.
AppOnly Authentication for sharepointonline can't be registed in Azure Active Directory.
It should be register in
https://contoso.sharepoint.com/_layouts/15/appregnew.aspx
And grant permission in
https://contoso-admin.sharepoint.com/_layouts/15/appinv.aspx
You can refer to following document
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Consider using the PnP.Framework (a NuGet package), and use the AuthenticationManager object for SPO sites. This method bypasses MFA (which is mandatory in our organization, FWIW). You can find a lot more information and examples here, including steps on getting the client id and client secret for a site. Here is what we use to log into SPO sites:
using (ClientContext context =
new AuthenticationManager().GetACSAppOnlyContext(SiteUrl, clientID, clientSecret))
{
...
}
Also, once you connect, you should adjust the Context.Load to grab the title if you want to use that value right away. Here's what I used in my code:
context.Load(web, p => p.Id, p => p.Title);
context.ExecuteQuery();
Console.WriteLine($"Logged into source {web.Title} ({web.Id})");
Good luck!
Steve in Spain
I'm trying to write a windows service that will post to my Facebook Page with results when it runs.
I just downloaded Facebook C# SDK v6.0.10.0 and writing the windows application in .Net 4.0
I created a facebook application account and got the AppID and Secret code needed.
The end goal would be to have this windows service post on my facebook page wall as the page and not the application user.
I keep getting an error when I go to get the accounts for my facebook application.
string strAppID = "my app api id";
string strSecret = "my app secret code";
Facebook.FacebookClient fbClient = new Facebook.FacebookClient();
fbClient.AppId = strAppID;
fbClient.AppSecret = strSecret;
dynamic ac = fbClient.Get("oauth/access_token", new
{
client_id = strAppID,
client_secret = strSecret,
grant_type = "client_credentials"
});
string strAccessToken = String.Empty;
strAccessToken = ac.access_token;
if (!String.IsNullOrEmpty(strAccessToken))
{
fbClient = new Facebook.FacebookClient(strAccessToken);
fbClient.AccessToken = strAccessToken;
fbClient.AppId = strAppID;
fbClient.AppSecret = strSecret;
//Here is where it is bombing
dynamic fbAccounts = fbClient.Get("/me/accounts");
fbClient = new Facebook.FacebookClient(strAccessToken);
fbClient.AccessToken = strAccessToken;
fbClient.AppId = strAppID;
fbClient.AppSecret = strSecret;
dynamic me = fbClient.Get("**Name of the facebook page I am trying to post to**");
string strPageID = String.Empty;
strPageID = me.id;
string strPageAccessToken = String.Empty;
//Loop over the accounts looking for the ID that matches your destination ID (Fan Page ID)
foreach (dynamic account in fbAccounts.data)
{
if (account.id == strPageID)
{
//When you find it, grab the associated access token and put it in the Dictionary to pass in the FB Post, then break out.
strPageAccessToken = account.access_token;
break;
}
}
try
{
fbClient.AccessToken = strPageAccessToken;
var args = new Dictionary<string, object>();
args["message"] = "Testing 123";
fbClient.Post("/" + strPageID + "/feed", args);
}
catch (Facebook.FacebookOAuthException ex)
{
// oauth exception occurred
}
catch (Facebook.FacebookApiLimitException ex)
{
// api limit exception occurred.
}
catch (Facebook.FacebookApiException ex)
{
// other general facebook api exception
}
catch (Exception ex)
{
// non-facebook exception such as no internet connection.
}
}
The error I am getting is on the line:
dynamic fbAccounts = fbClient.Get("/me/accounts");
(OAuthException - #2500) An active access token must be used to query information about the current user.
see here: (OAuthException - #2500) An active access token must be used to query information about the current user
you are getting access token for the APPLICATION, not for a user.
Therefore, "me" does not make sense. You should supply ID there -
either your user ID, or your app ID, or any other ID your app has
permissions for.
dynamic ac = fbClient.Get("oauth/access_token", new
{
client_id = strAppID,
client_secret = strSecret,
grant_type = "client_credentials"
});
The above code may not work for version 6.0.
OAuth 2.0 - exchange code for access token
FacebookClient supports parsing only json responses. Due to this
reason “oauth/access_token” token will not work when using
FacebookClient.Get(“oauth/access_token”). Instead you will need to use
a method in FacebookOAuthClient.
You can find more details here: http://blog.prabir.me/post/Facebook-CSharp-SDK-Making-Requests.aspx
Hope this helps.
I'm using Facebook C# sdk with the code,
i'm trying to create a new score for a user
but i get this error:
(OAuthException) An active access token must be used to query information about the current user.
what am i missing?
protected void btnAddScore_Click(object sender, EventArgs e)
{
if (CanvasAuthorizer.Authorize())
{
var fb = new FacebookWebClient();
dynamic parameters = new ExpandoObject();
parameters.score = 77;
parameters.access_token = GetAppAccessToken();
try
{
dynamic id = fb.Post("me/scores", parameters);
lblPostMessageResult.Text = "Message posted successfully";
txtMessage.Text = string.Empty;
}
catch (FacebookApiException ex)
{
lblPostMessageResult.Text = ex.Message;
}
}
}
private string GetAppAccessToken()
{
var oauthClient = new FacebookOAuthClient
{
AppId = FacebookWebContext.Current.Settings.AppId,
AppSecret = FacebookWebContext.Current.Settings.AppSecret
};
dynamic result = oauthClient.GetApplicationAccessToken();
string appAccessToken = result.access_token;
return appAccessToken;
}
edit:
I got the answer form here:
http://facebooksdk.codeplex.com/discussions/279307
the new right code is:
if (CanvasAuthorizer.Authorize())
{
var fb = new FacebookClient(CanvasAuthorizer.FacebookWebRequest.AccessToken);
var oauthClient = new FacebookOAuthClient(FacebookApplication.Current);
dynamic parameters = new ExpandoObject();
parameters.score = 100;
dynamic ac = oauthClient.GetApplicationAccessToken();
parameters.access_token = ac.access_token;
dynamic result = fb.Post(CanvasAuthorizer.FacebookWebRequest.UserId + "/scores", parameters);
}
Answer:-
Actually for using SCORE Graph API you need the "Application access token" which is different than a normal access token
So if you want your task to be done GET an Application access token by using the following script.......
And then replace the generated application_access_token with old access_token, that's it
The below code is written in php try convert it in c# and then apply it
$APPLICATION_ID = "APP_ID";
$APPLICATION_SECRET = "APP_SECRET";
$token_url = "https://graph.facebook.com/oauth/access_token?" .
"client_id=" . $APPLICATION_ID .
"&client_secret=" . $APPLICATION_SECRET .
"&grant_type=client_credentials";
$app_token = file_get_contents($token_url);
After getting this application access token you can easily do this task.
When You Need An Application Access Token
You need to use a Facebook application access token when you have a process that acts on behalf of the application, rather than on behalf of a particular user. This happens when you access your Facebook Insights data for your app via the graph, and also when you want to create test Facebook users for your app.
Sadly, the documentation for this is buried in the authentication guide for the Facebook graph API.
Your application need to take "publish_actions" permission from user to update the score.
Refer to Create or update a score for a user section of the below documentation.
https://developers.facebook.com/docs/score/
I'm trying to use the Google+ API to access info for the authenticated user. I've copied some code from one of the samples, which works fine (below), however I'm having trouble making it work in a way I can reuse the token across app-launches.
I tried capturing the "RefreshToken" property and using provider.RefreshToken() (amongst other things) and always get a 400 Bad Request response.
Does anyone know how to make this work, or know where I can find some samples? The Google Code site doesn't seem to cover this :-(
class Program
{
private const string Scope = "https://www.googleapis.com/auth/plus.me";
static void Main(string[] args)
{
var provider = new NativeApplicationClient(GoogleAuthenticationServer.Description);
provider.ClientIdentifier = "BLAH";
provider.ClientSecret = "BLAH";
var auth = new OAuth2Authenticator<NativeApplicationClient>(provider, GetAuthentication);
var plus = new PlusService(auth);
plus.Key = "BLAH";
var me = plus.People.Get("me").Fetch();
Console.WriteLine(me.DisplayName);
}
private static IAuthorizationState GetAuthentication(NativeApplicationClient arg)
{
// Get the auth URL:
IAuthorizationState state = new AuthorizationState(new[] { Scope });
state.Callback = new Uri(NativeApplicationClient.OutOfBandCallbackUrl);
Uri authUri = arg.RequestUserAuthorization(state);
// Request authorization from the user (by opening a browser window):
Process.Start(authUri.ToString());
Console.Write(" Authorization Code: ");
string authCode = Console.ReadLine();
Console.WriteLine();
// Retrieve the access token by using the authorization code:
return arg.ProcessUserAuthorization(authCode, state);
}
}
Here is an example. Make sure you add a string setting called RefreshToken and reference System.Security or find another way to safely store the refresh token.
private static byte[] aditionalEntropy = { 1, 2, 3, 4, 5 };
private static IAuthorizationState GetAuthorization(NativeApplicationClient arg)
{
// Get the auth URL:
IAuthorizationState state = new AuthorizationState(new[] { PlusService.Scopes.PlusMe.GetStringValue() });
state.Callback = new Uri(NativeApplicationClient.OutOfBandCallbackUrl);
string refreshToken = LoadRefreshToken();
if (!String.IsNullOrWhiteSpace(refreshToken))
{
state.RefreshToken = refreshToken;
if (arg.RefreshToken(state))
return state;
}
Uri authUri = arg.RequestUserAuthorization(state);
// Request authorization from the user (by opening a browser window):
Process.Start(authUri.ToString());
Console.Write(" Authorization Code: ");
string authCode = Console.ReadLine();
Console.WriteLine();
// Retrieve the access token by using the authorization code:
var result = arg.ProcessUserAuthorization(authCode, state);
StoreRefreshToken(state);
return result;
}
private static string LoadRefreshToken()
{
return Encoding.Unicode.GetString(ProtectedData.Unprotect(Convert.FromBase64String(Properties.Settings.Default.RefreshToken), aditionalEntropy, DataProtectionScope.CurrentUser));
}
private static void StoreRefreshToken(IAuthorizationState state)
{
Properties.Settings.Default.RefreshToken = Convert.ToBase64String(ProtectedData.Protect(Encoding.Unicode.GetBytes(state.RefreshToken), aditionalEntropy, DataProtectionScope.CurrentUser));
Properties.Settings.Default.Save();
}
The general idea is as follows:
You redirect the user to Google's Authorization Endpoint.
You obtain a short-lived Authorization Code.
You immediately exchange the Authorization Code for a long-lived Access Token using Google's Token Endpoint. The Access Token comes with an expiry date and a Refresh Token.
You make requests to Google's API using the Access Token.
You can reuse the Access Token for as many requests as you like until it expires. Then you can use the Refresh Token to request a new Access Token (which comes with a new expiry date and a new Refresh Token).
See also:
The OAuth 2.0 Authorization Protocol
Google's OAuth 2.0 documentation
I also had problems with getting "offline" authentication to work (i.e. acquiring authentication with a refresh token), and got HTTP-response 400 Bad request with a code similar to the OP's code. However, I got it to work with the line client.ClientCredentialApplicator = ClientCredentialApplicator.PostParameter(this.clientSecret); in the Authenticate-method. This is essential to get a working code -- I think this line forces the clientSecret to be sent as a POST-parameter to the server (instead of as a HTTP Basic Auth-parameter).
This solution assumes that you've already got a client ID, a client secret and a refresh-token. Note that you don't need to enter an access-token in the code. (A short-lived access-code is acquired "under the hood" from the Google server when sending the long-lived refresh-token with the line client.RefreshAuthorization(state);. This access-token is stored as part of the auth-variable, from where it is used to authorize the API-calls "under the hood".)
A code example that works for me with Google API v3 for accessing my Google Calendar:
class SomeClass
{
private string clientID = "XXXXXXXXX.apps.googleusercontent.com";
private string clientSecret = "MY_CLIENT_SECRET";
private string refreshToken = "MY_REFRESH_TOKEN";
private string primaryCal = "MY_GMAIL_ADDRESS";
private void button2_Click_1(object sender, EventArgs e)
{
try
{
NativeApplicationClient client = new NativeApplicationClient(GoogleAuthenticationServer.Description, this.clientID, this.clientSecret);
OAuth2Authenticator<NativeApplicationClient> auth = new OAuth2Authenticator<NativeApplicationClient>(client, Authenticate);
// Authenticated and ready for API calls...
// EITHER Calendar API calls (tested):
CalendarService cal = new CalendarService(auth);
EventsResource.ListRequest listrequest = cal.Events.List(this.primaryCal);
Google.Apis.Calendar.v3.Data.Events events = listrequest.Fetch();
// iterate the events and show them here.
// OR Plus API calls (not tested) - copied from OP's code:
var plus = new PlusService(auth);
plus.Key = "BLAH"; // don't know what this line does.
var me = plus.People.Get("me").Fetch();
Console.WriteLine(me.DisplayName);
// OR some other API calls...
}
catch (Exception ex)
{
Console.WriteLine("Error while communicating with Google servers. Try again(?). The error was:\r\n" + ex.Message + "\r\n\r\nInner exception:\r\n" + ex.InnerException.Message);
}
}
private IAuthorizationState Authenticate(NativeApplicationClient client)
{
IAuthorizationState state = new AuthorizationState(new string[] { }) { RefreshToken = this.refreshToken };
// IMPORTANT - does not work without:
client.ClientCredentialApplicator = ClientCredentialApplicator.PostParameter(this.clientSecret);
client.RefreshAuthorization(state);
return state;
}
}
The OAuth 2.0 spec is not yet finished, and there is a smattering of spec implementations out there across the various clients and services that cause these errors to appear. Mostly likely you're doing everything right, but the DotNetOpenAuth version you're using implements a different draft of OAuth 2.0 than Google is currently implementing. Neither part is "right", since the spec isn't yet finalized, but it makes compatibility something of a nightmare.
You can check that the DotNetOpenAuth version you're using is the latest (in case that helps, which it might), but ultimately you may need to either sit tight until the specs are finalized and everyone implements them correctly, or read the Google docs yourself (which presumably describe their version of OAuth 2.0) and implement one that specifically targets their draft version.
I would recommend looking at the "SampleHelper" project in the Samples solution of the Google .NET Client API:
Samples/SampleHelper/AuthorizationMgr.cs
This file shows both how to use Windows Protected Data to store a Refresh token, and it also shows how to use a Local Loopback Server and different techniques to capture the Access code instead of having the user enter it manually.
One of the samples in the library which use this method of authorization can be found below:
Samples/Tasks.CreateTasks/Program.cs
I am having a problem retrieving the user's access token after he/she has authorized my Facebook application to access their information and post for them, etc... Facebook returns a code query string to my website, so I can receive the access token for the user. I use the following code to get the access code.
string AppKey = "[REMOVED]";
string AppSecret = "[REMOVED]";
var oAuth = new Facebook.FacebookOAuthClient();
oAuth.AppId = AppKey;
oAuth.AppSecret = AppSecret;
oAuth.RedirectUri = new Uri("http://www.mywebsite.com");
Label3.Text = Request.QueryString["code"];
try
{
var accessToken = oAuth.ExchangeCodeForAccessToken(Request.QueryString["code"]);
string accessTokenString = accessToken.ToString();
HttpCookie aCookie = new HttpCookie("MyWebsite_FBAccessToken");
aCookie.Value = accessTokenString;
Response.Cookies.Add(aCookie);
Response.Redirect("~/Process/ProcessToken.aspx");
}
catch (Facebook.FacebookOAuthException error)
{
Label2.Text = error.Message;
}
My code gets held up here:
var accessToken = oAuth.ExchangeCodeForAccessToken(Request.QueryString["code"]);
And I receive the following error.
(OAuthException) Error validating verification code.
Does this seem like there is a problem with my code, or does it look like there may be a setting problem with my Facebook application? I know my App ID and Secret are correct.