Where do I find the basic HTTP authentication credentials (username and password) in the incoming request to my server?
Is it somewhere in the Request object, or is there some other way to get them?
Running: IIS 7 - ASP.NET - .NET Framework 4 - C#
Basic authentication details will be in Request.Headers, under the key "Authorization".
It's a base64-encoded string, which you'll need to decode. Check out this post; there's a code sample in there that demonstrates picking that header apart.
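As an added worked example (not code from the answer above), here is a parser for that header value that also covers the cases the one-liners usually miss: a missing header, a different scheme, malformed base64, and a password containing a colon. It takes the raw string, so it works with Request.Headers["Authorization"] in ASP.NET or anywhere else; the RFC example credentials in Main are the only sample input.

```csharp
using System;
using System.Text;

// Added example, not from the original answer: extracts Basic credentials from the raw
// "Authorization" header value (e.g. Request.Headers["Authorization"] in ASP.NET).
public static class BasicAuthHeader
{
    // Returns true and fills username/password for a well-formed Basic credential;
    // false for a missing header, another scheme, bad base64, or no colon separator.
    public static bool TryParse(string authorizationHeader, out string username, out string password)
    {
        username = null;
        password = null;
        if (string.IsNullOrWhiteSpace(authorizationHeader))
            return false;

        // Scheme name is case-insensitive (RFC 7617); whitespace separates it from the token
        var parts = authorizationHeader.Trim().Split(new[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2 || !parts[0].Equals("Basic", StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(parts[1].Trim());
        }
        catch (FormatException)
        {
            return false;   // not base64 at all: treat as no credentials, don't throw to the caller
        }

        // RFC 7617 leaves the character set to the server; UTF-8 is the usual choice and a
        // superset of the US-ASCII that older clients send
        var decoded = Encoding.UTF8.GetString(raw);

        // Only the FIRST colon separates user-id from password, so passwords may contain colons
        var colon = decoded.IndexOf(':');
        if (colon < 0)
            return false;

        username = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        string user, pass;
        // RFC 7617's own example: base64("Aladdin:open sesame")
        Console.WriteLine(TryParse("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", out user, out pass) + " " + user + " / " + pass);
        Console.WriteLine(TryParse("Bearer QWxhZGRpbjpvcGVuIHNlc2FtZQ==", out user, out pass)); // wrong scheme
        Console.WriteLine(TryParse("Basic not*base64", out user, out pass));                   // malformed token
        Console.WriteLine(TryParse(null, out user, out pass));                                  // header absent
    }
}
```

When TryParse returns false, answer with 401 and a WWW-Authenticate: Basic realm="..." header so the client knows to retry with credentials. Compare the password against the stored hash with a constant-time comparison, never log the decoded value, and only accept Basic over HTTPS, since base64 is an encoding and not encryption.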
As a service provider (SP), I'm trying to create a request for SLO using the URL redirect flow. After going through a lot of articles, this is what I came up with:
Create a logout request xml and digitally sign it
Convert the request xml to a base64 url-encoded string
Append the base64-encoded request xml to the SLO url as a querystring
Redirect the page to the above constructed url (IDP)
IDP will then perform the necessary SLO steps for all SPs at its end and redirect back to our current application (which initiated the SLO request)
Parse the above response and show a message in the UI accordingly
However, when I got into the actual implementation, I was faced with the following challenges, some of them not specific to SAML SLO.
To digitally sign the logout request xml, is it mandatory to load/import the x509 certificate from a .pfx file, or can I use any certificate from the certificate store which has a private key?
For demo purposes, I've successfully signed the request using a certificate in my local system which has a private key. This process appends the signature and public key information to the logout request xml.
I've encoded (Base64Url) the request xml, but the resulting string length is too long (more than 4k chars), which would exceed the maximum length allowed in a URL/GET request. Have I got this step wrong?
None of the articles/SAML spec mentions what the querystring should look like. Is the querystring parameter name defined by the SAML spec (which I could have missed) or is it dependent on the IDP?
All in all, I feel that the SAML spec lacks articles with proper implementation, which is making it extremely difficult to get the hang of it.
Note: I didn't include any of the code I've written so far since my questions can be answered without it. However, if required, I can include it.
A few of the many referenced articles:
SSO, SAML and SLO
SAML Logout Request (SP -> IdP)
Sign XmlDocument with X509Certificate2 and Verify in C#
I would strongly suggest using an existing SAML library instead of rolling your own.
Some of these are free and you can examine the source code to see how to do it.
Or alternatively just use the stack itself!
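The answer above is right that a library should do this in production. As an added example, not code from the answer or from any SAML library, the block below shows what the SAML 2.0 HTTP-Redirect binding actually does with a LogoutRequest, since it answers the mechanics the question is stuck on: the XML is DEFLATE-compressed before base64 (which is why the string stays well under the URL limit), the query parameter names are fixed by the bindings spec (SAMLRequest, RelayState, SigAlg, Signature), and in this binding the signature is not embedded in the XML but computed over the URL-encoded query string and sent as its own parameter. The IdP URL, entity IDs, NameID, request ID and the throwaway RSA key are placeholders.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original answer's code and not a substitute for a SAML library:
// the mechanics of the SAML 2.0 HTTP-Redirect binding for a LogoutRequest.
// URLs, IDs and the signing key below are placeholders.
public static class SamlRedirectBinding
{
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Redirect-binding encoding: raw DEFLATE (RFC 1951) of the UTF-8 XML, then base64.
    // DeflateStream emits raw DEFLATE with no zlib header, which is what the binding requires.
    public static string DeflateBase64(string xml)
    {
        var bytes = Encoding.UTF8.GetBytes(xml);
        using (var buffer = new MemoryStream())
        {
            using (var deflate = new DeflateStream(buffer, CompressionMode.Compress, leaveOpen: true))
                deflate.Write(bytes, 0, bytes.Length);
            return Convert.ToBase64String(buffer.ToArray());
        }
    }

    // Inverse, as the IdP performs it on the SAMLRequest parameter value.
    public static string InflateBase64(string value)
    {
        using (var input = new MemoryStream(Convert.FromBase64String(value)))
        using (var inflate = new DeflateStream(input, CompressionMode.Decompress))
        using (var output = new MemoryStream())
        {
            inflate.CopyTo(output);
            return Encoding.UTF8.GetString(output.ToArray());
        }
    }

    // The signature is NOT inside the XML in this binding. It is computed over the exact
    // URL-encoded octets of "SAMLRequest=...&RelayState=...&SigAlg=..." (RelayState only when
    // present) and carried in the Signature parameter.
    public static string BuildUrl(string idpSloUrl, string logoutRequestXml, string relayState, RSA spSigningKey)
    {
        var query = "SAMLRequest=" + Uri.EscapeDataString(DeflateBase64(logoutRequestXml));
        if (!string.IsNullOrEmpty(relayState))
            query += "&RelayState=" + Uri.EscapeDataString(relayState);
        query += "&SigAlg=" + Uri.EscapeDataString(RsaSha256);

        byte[] signature = spSigningKey.SignData(Encoding.UTF8.GetBytes(query), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        query += "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(signature));

        return idpSloUrl + (idpSloUrl.Contains("?") ? "&" : "?") + query;
    }

    public static void Main()
    {
        // Constructed sample LogoutRequest; a real one carries the NameID/SessionIndex from the SSO session
        string logoutRequest =
            "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_placeholder-id\" Version=\"2.0\" " +
            "IssueInstant=\"2024-01-01T00:00:00Z\" Destination=\"https://idp.example.com/slo\">" +
            "<saml:Issuer>https://sp.example.com</saml:Issuer>" +
            "<saml:NameID>user@example.com</saml:NameID>" +
            "<samlp:SessionIndex>_session-placeholder</samlp:SessionIndex>" +
            "</samlp:LogoutRequest>";

        // Throwaway key for the demo; in production load the SP certificate's private key,
        // whether from a .pfx or from a store entry the application identity can read
        using (RSA key = new RSACryptoServiceProvider(2048))
        {
            string url = BuildUrl("https://idp.example.com/slo", logoutRequest, "relay-123", key);
            Console.WriteLine(url);
            Console.WriteLine("URL length: " + url.Length);

            // Round trip: pull SAMLRequest back out of the URL the way the IdP would
            string query = url.Substring(url.IndexOf('?') + 1);
            string encoded = null;
            foreach (var pair in query.Split('&'))
                if (pair.StartsWith("SAMLRequest=")) encoded = Uri.UnescapeDataString(pair.Substring("SAMLRequest=".Length));
            Console.WriteLine(InflateBase64(encoded) == logoutRequest ? "round trip ok" : "round trip FAILED");
        }
    }
}
```

Embedding an XML signature in the request body is the HTTP-POST binding's approach (the request is sent as a form field, so size is not a concern there); mixing the two is what produces an oversized, uncompressed redirect URL. The IdP verifies the Signature parameter against the SP's certificate from metadata, so the certificate does not need to travel with the request.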
I am trying to wade my way through learning IdentityServer so that I can implement single sign-on at my workplace. I have a POC service running locally, and when I request the configuration, this is what it displays:
{
  "issuer": "https://localhost:44345/core",
  "jwks_uri": "https://localhost:44345/core/.well-known/jwks",
  "authorization_endpoint": "https://localhost:44345/core/connect/authorize",
  "token_endpoint": "https://localhost:44345/core/connect/token",
  "userinfo_endpoint": "https://localhost:44345/core/connect/userinfo",
  "end_session_endpoint": "https://localhost:44345/core/connect/endsession",
  "check_session_iframe": "https://localhost:44345/core/connect/checksession",
  "revocation_endpoint": "https://localhost:44345/core/connect/revocation",
  "introspection_endpoint": "https://localhost:44345/core/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": ["openid", "profile", "email", "roles", "offline_access"],
  "claims_supported": ["sub", "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale", "updated_at", "email", "email_verified", "role"],
  "response_types_supported": ["code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token"],
  "response_modes_supported": ["form_post", "query", "fragment"],
  "grant_types_supported": ["authorization_code", "client_credentials", "password", "refresh_token", "implicit"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["plain", "S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}
As part of this, you can see:
"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"]
However, when I send a request to the service, with responseType=id_token in the URL, I get the error message:
The authorization server does not support the requested response type.
I have tried other responseType values but still get this error message.
I am basically a beginner at web security and IdentityServer, so I am sure I am missing something very basic.
This is pretty stupid. All of the examples online I have looked at for IdentityServer show the parameter as responseTypes (camel case). I think these examples must have all been done against an older version of the platform.
The correct parameter name to send is response_types.
The list of possible parameters that you can send to the authorization endpoint is given on the following websites:
OpenId RFC: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Identity server doc: https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
The correct parameter is "response_type" and not "response_types" :)
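As an added example (not code from either answer or from IdentityServer), the block below builds the authorization request from the discovery document quoted in the question using the parameter names the OpenID Connect Core spec defines (response_type, client_id, redirect_uri, scope, state, nonce), and refuses a response_type that the server does not list in response_types_supported, which is the check behind the error message in the question. It also adds a PKCE S256 challenge when a code is requested, since the document advertises that method. It uses System.Text.Json (.NET Core 3.0 / .NET 5 and later); the client id and redirect URI are placeholders, and the JSON constant is a trimmed copy of the question's document.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example, not from the original answers: builds an OIDC authorization request URL
// with spec-defined parameter names and validates response_type against the discovery document.
public static class AuthorizeRequest
{
    // Trimmed copy of the discovery document quoted in the question
    public const string DiscoveryJson = @"{""issuer"":""https://localhost:44345/core"",
        ""authorization_endpoint"":""https://localhost:44345/core/connect/authorize"",
        ""response_types_supported"":[""code"",""token"",""id_token"",""id_token token"",""code id_token"",""code token"",""code id_token token""],
        ""code_challenge_methods_supported"":[""plain"",""S256""]}";

    static string Base64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static string RandomUrlSafe(int bytes)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return Base64Url(buf);
    }

    // PKCE (RFC 7636): code_challenge = BASE64URL(SHA256(code_verifier)) for method S256
    public static string S256Challenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    public static string Build(string discoveryJson, string responseType, string clientId, string redirectUri, string scope,
                               out string state, out string nonce, out string codeVerifier)
    {
        using (var doc = JsonDocument.Parse(discoveryJson))
        {
            var root = doc.RootElement;
            var supported = new List<string>();
            foreach (var t in root.GetProperty("response_types_supported").EnumerateArray()) supported.Add(t.GetString());
            if (!supported.Contains(responseType))
                throw new ArgumentException("response_type '" + responseType + "' is not in response_types_supported");

            state = RandomUrlSafe(16);        // tie to the browser session and check on return (CSRF)
            nonce = RandomUrlSafe(16);        // echoed inside the id_token and checked on return (replay)
            codeVerifier = RandomUrlSafe(32); // kept server-side until the token request

            var p = new List<string>
            {
                "response_type=" + Uri.EscapeDataString(responseType),   // singular: response_type
                "client_id=" + Uri.EscapeDataString(clientId),
                "redirect_uri=" + Uri.EscapeDataString(redirectUri),
                "scope=" + Uri.EscapeDataString(scope),
                "state=" + state,
                "nonce=" + nonce,
            };
            if (responseType.Contains("code"))
            {
                p.Add("code_challenge=" + S256Challenge(codeVerifier));
                p.Add("code_challenge_method=S256");
            }
            return root.GetProperty("authorization_endpoint").GetString() + "?" + string.Join("&", p);
        }
    }

    public static void Main()
    {
        string state, nonce, verifier;
        Console.WriteLine(Build(DiscoveryJson, "code id_token", "my-client", "https://localhost:5001/signin-oidc", "openid profile",
                                out state, out nonce, out verifier));
        try
        {
            Build(DiscoveryJson, "code id_token token refresh", "my-client", "https://localhost:5001/signin-oidc", "openid",
                  out state, out nonce, out verifier);
        }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The scope value must include openid for the request to be an OpenID Connect request at all, and the redirect_uri has to match one registered for the client exactly, or the server will refuse the request before it ever looks at response_type.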
I am working on a university project in which I need to get some product information out of the database of outpan.com into a string or an array of strings.
I am new to coding, which is why I still need quite a lot of help. Does any of you know how to send a request and get the answer from a C# environment (Windows Forms application)?
The description on outpan itself (https://www.outpan.com/developers.php) says to send the call by using HTTPS in curl, but what does that mean in practice? Do I need to install extra libraries?
I would be glad if someone could help me with this problem or provide me with a tutorial on how to make these curl calls to a database from a C# environment.
If more information about my settings is needed, let me know.
The Outpan API uses Basic HTTP auth, so every request will need a header like the following:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
To do that in C#, you could do the following:
using System;
using System.Net;
using System.Text;
var request = (HttpWebRequest)WebRequest.Create("https://api.outpan.com/v1/products/0796435419035");
// base64 of "apikey:" (empty password); ASCII rather than Encoding.Default so the header does not depend on the machine's code page
var encodedString = Convert.ToBase64String(Encoding.ASCII.GetBytes("-your-api-key-here-:"));
request.Headers["Authorization"] = "Basic " + encodedString;
using (var response = request.GetResponse()) { /* read response.GetResponseStream() here */ }
For a full description of the header, check out the wiki page http://en.wikipedia.org/wiki/Basic_access_authentication. Note that the base64-encoded string is of the form [username]:[password], but the outpan api docs ( https://www.outpan.com/developers.php ) say that they do not use the password part.
Also see: Forcing Basic Authentication in WebRequest for a nice method wrapper for this logic.
Using this code to connect to the ONVIF service on my IP camera in C# .NET 4.5.
Right after that code, I am trying to get the device information as follows:
string str = client.GetDeviceInformation(out model, out firmware, out serial, out hardwareId);
And I encounter this error:
An exception of type 'System.ServiceModel.Security.MessageSecurityException' occurred in mscorlib.dll but was not handled in user code
Additional information: The HTTP request is unauthorized with client authentication scheme 'Digest'. The authentication header received from the server was 'Basic realm="CBBA"'.
I tried this information about Basic realm, by adding an HTTP header WWW-Authenticate to the request with the value Basic realm="Our Site". But no luck.
What the heck is that? How do I fix it?
You are probably failing to handle the Digest authentication. To handle things correctly, you should send a request to a non-PRE_AUTH ONVIF method without using authentication, neither digest nor WS-UsernameToken.
You can get one of the two following answers:
you get a 500 response with env:Sender ter:NoAuthorized, which means that the camera does not support HTTP digest (which in fact, for Profile S devices, is not mandatory). In this case you have to use only WS-UsernameToken
you get a 401 response with the WWW-Authenticate header from the device. In this case you should follow RFC 2617, evaluate all the necessary elements and resend your request with the Authorization header.
Remember that an HTTP digest challenge is always started by the camera; you can't just add it to the first request.
Check §5.12 of the Core specification, at least to know how a camera handles authentication.
I had a related issue: I had to authenticate with ONVIF cameras for which I did not know the HTTP authentication modes (Basic/Digest). In my answer you can see how to properly iterate through all the HTTP authentication schemes, or you can just take the code for Digest; hope it helps.
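As an added example (not code from either of the two answers above), the block below implements the two credential formats those answers describe: DigestHeader turns a 401 challenge into the RFC 2617 Authorization header for the retried request, and WsUsernameToken builds the WS-Security UsernameToken with the PasswordDigest form ONVIF requires, for devices that answer ter:NotAuthorized instead of challenging. Note that in the question the camera's challenge was Basic realm="CBBA", so for that device the retry is simply the Basic header of the earlier answers rather than a Digest computation. The challenge string, credentials, URI and nonce are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not from the original answers: HTTP Digest (RFC 2617) response computation
// and the ONVIF WS-UsernameToken PasswordDigest. All inputs in Main are constructed samples.
public static class OnvifAuth
{
    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "").ToLowerInvariant();
    }

    // Parses the key="value" / key=value pairs of a "WWW-Authenticate: Digest ..." header
    public static Dictionary<string, string> ParseChallenge(string wwwAuthenticate)
    {
        if (!wwwAuthenticate.StartsWith("Digest ", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a Digest challenge: " + wwwAuthenticate);
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Regex.Matches(wwwAuthenticate.Substring(7), @"(\w+)=(?:""([^""]*)""|([^,\s]+))"))
            result[m.Groups[1].Value] = m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value;
        return result;
    }

    // RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:auth:HA2),
    // HA1 = MD5(user:realm:password), HA2 = MD5(method:uri). Without qop, the RFC 2069 form is used.
    // uri must be exactly the request-URI sent on the retried request; nc increments per reuse of the nonce.
    public static string DigestHeader(string method, string uri, string user, string password,
                                      Dictionary<string, string> c, string cnonce, int nc = 1)
    {
        string ha1 = Md5Hex(user + ":" + c["realm"] + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        string ncHex = nc.ToString("x8");
        string q;
        bool qop = c.TryGetValue("qop", out q) && q.Split(',').Any(x => x.Trim() == "auth");
        string response = qop
            ? Md5Hex(ha1 + ":" + c["nonce"] + ":" + ncHex + ":" + cnonce + ":auth:" + ha2)
            : Md5Hex(ha1 + ":" + c["nonce"] + ":" + ha2);

        var sb = new StringBuilder("Digest ");
        sb.Append("username=\"" + user + "\", realm=\"" + c["realm"] + "\", nonce=\"" + c["nonce"] + "\", uri=\"" + uri + "\", response=\"" + response + "\"");
        if (qop) sb.Append(", qop=auth, nc=" + ncHex + ", cnonce=\"" + cnonce + "\"");
        if (c.ContainsKey("opaque")) sb.Append(", opaque=\"" + c["opaque"] + "\"");   // echoed back unchanged
        if (c.ContainsKey("algorithm")) sb.Append(", algorithm=" + c["algorithm"]);
        return sb.ToString();
    }

    // WS-Security UsernameToken, PasswordDigest = Base64(SHA1(nonce-bytes + created + password)).
    // The element goes inside wsse:Security in the SOAP header, where the wsse/wsu namespaces are declared;
    // user must be XML-escaped if it can contain markup. Devices reject tokens whose Created time is far
    // from their own clock, so sync with GetSystemDateAndTime first on cameras with a drifting clock.
    public static string WsUsernameToken(string user, string password, byte[] nonce, DateTime createdUtc)
    {
        string created = createdUtc.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'", CultureInfo.InvariantCulture);
        byte[] createdAndPass = Encoding.UTF8.GetBytes(created + password);
        var input = new byte[nonce.Length + createdAndPass.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(createdAndPass, 0, input, nonce.Length, createdAndPass.Length);
        string digest;
        using (var sha1 = SHA1.Create()) digest = Convert.ToBase64String(sha1.ComputeHash(input));
        return "<wsse:UsernameToken><wsse:Username>" + user + "</wsse:Username>" +
               "<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" +
               "<wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" + Convert.ToBase64String(nonce) + "</wsse:Nonce>" +
               "<wsu:Created>" + created + "</wsu:Created></wsse:UsernameToken>";
    }

    public static void Main()
    {
        // Constructed challenge of the kind a camera returns with its 401
        var challenge = ParseChallenge("Digest realm=\"ONVIF\", qop=\"auth\", nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"");
        Console.WriteLine(DigestHeader("POST", "/onvif/device_service", "admin", "secret", challenge, "0a4f113b"));

        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        Console.WriteLine(WsUsernameToken("admin", "secret", nonce, DateTime.UtcNow));
    }
}
```

Both mechanisms protect only the password from a passive observer; the SOAP body itself travels in the clear over plain HTTP, so prefer the camera's HTTPS endpoint where it offers one.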
Is it okay if the server returns the API key and shared secret key when a client tries to log in to the API using Basic Authentication? For example, if a user enters this link http://api.example.com/authorize?auth=some_encoded_Base64_string, the response will be:
Content-Type: application/xml
Date: Fri, 10 Nov 2006 20:04:45 GMT
Transfer-Encoding: chunked
Authorization: apiKey;secretKey
Will I have issues using this method? I wanted it to be like this since the API core methods will only accept API key hashes, and in order to obtain those they need to use Basic Authentication as their first step. I'm not going to use OAuth here for now.
I'm trying out the new ASP.NET Web API for this project.
HTTP does not define an Authorization header in the response, so if you need to define a custom header, use the X- prefix.
Also, from the design point of view, HTTP headers are meant to pass data which is orthogonal to the call. You seem to be trying to pass a piece of data which needs to be in the payload, so I would refrain from using the headers.
I would pass this data in the payload.
If you use SSL and pass data in the URL, HTTP headers or payload, it will be secure.