I'm getting a problem sending the authentication request with activated attribute exchange. It works with FF and Opera but IE seems to have a problem with it.
The error occurs within the request.RedirectToProvider(). The URL within the address bar shows the endpoint's URL.
Here is a code snippet where the authentication request is created and sent:
using (OpenIdRelyingParty openid = this.createRelyingParty())
{
    IAuthenticationRequest request = openid.CreateRequest(openid_identifier, realm);

    // Ask the Provider for the user's e-mail address via attribute exchange.
    var fetch = new FetchRequest();
    fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
    request.AddExtension(fetch);

    // Send your visitor to their Provider for authentication.
    request.RedirectToProvider();
}
I guess that inside RedirectToProvider() a POST is sent and shortly after a GET. By RFC a POST followed by a GET is not allowed. Unfortunately I don't know how to validate it.
Has anyone else had the same problem?
On further investigation this seems to happen (based upon the provider's logs):
The authentication request is sent via POST. The Provider answers with a redirect. This is how it happens that there is at first a POST and then a GET.
I don't think this is how the OpenID specification says to do it. Shouldn't there be a POST response if I request with a POST and a GET if I request with a GET?
Anyhow... Is there a way to make the RedirectToProvider() method send the request via GET instead of POST?
Related
I've created a custom authentication for ServiceStack, which works well. The only problem is that I get empty responses for every route that requires authentication when I am not logged in. How can I change this to return something like
{
    "statuscode":"401",
    "message":"Unauthorized"
}
Thanks!
The Status Code and the Status Description is already in the returned HTTP Response Headers which is the expected response from a HTTP API. If you're calling from a web browser (i.e. client that accepts HTML) you can implement a /login page (configurable with AuthFeature.HtmlRedirect) to show the user a login page.
Otherwise you can override OnFailedAuthentication() in your Custom AuthProvider to override what gets returned in a failed Auth response. Be mindful of what you write in the response body, as a JSON response only makes sense for clients requesting JSON responses.
I recently set up my Windows server to run over HTTPS with an SSL certificate, and I have a problem redirecting HTTP requests to HTTPS.
I added this code in Global.asax:
protected void Application_BeginRequest()
{
    // Redirect any request that did not arrive over HTTPS.
    if (!Context.Request.IsSecureConnection)
        Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
}
But only GET requests are redirected; POST requests fail.
Please help me.
The best answer to this is to not redirect this as you desire, rather it would be to redirect to a secure version of the referrer which will submit to an HTTPS URI.
Redirecting a POST request does not forward the data. Your request may have been redirected this way, and your code threw errors due to form values being NULL.
The data that was submitted originally was not encrypted when it was originally posted.
Ideally, you should not be redirecting HTTP to HTTPS for POST requests. Just don't allow POST requests over HTTP. As you should be aware, POST requests can't be bookmarked or cached.
So there is no point in redirecting POST requests to HTTPS.
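What the two answers above recommend, written out as an added example that is not code from the original posts: GET and HEAD are redirected to HTTPS, while any other method that arrives over plain HTTP is refused. It assumes .NET 4.0 or later and HTTPS on the default port; the 403 status and the HSTS max-age are illustrative choices.

```csharp
using System;
using System.Web;

// Added example: Global.asax code-behind (helper names are hypothetical).
public class Global : HttpApplication
{
    // Only body-less methods are redirected. A POST that arrived over HTTP
    // has already exposed its form data on the wire, and a redirect would
    // not carry that data along anyway.
    internal static bool IsRedirectable(string httpMethod)
    {
        return string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);
    }

    // Rebuild the URL instead of replacing the text "http:", which would also
    // rewrite any "http:" that appears inside the query string.
    internal static string ToHttps(Uri url)
    {
        // Port = -1 selects the default port of the new scheme (assumption: 443).
        var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }

    protected void Application_BeginRequest()
    {
        if (Request.IsSecureConnection)
        {
            // HSTS: browsers go straight to HTTPS on later visits.
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        if (IsRedirectable(Request.HttpMethod))
        {
            Response.RedirectPermanent(ToHttps(Request.Url), false);
        }
        else
        {
            // POST, PUT, DELETE, ... over HTTP: refuse instead of redirecting.
            Response.StatusCode = 403;
            Response.StatusDescription = "HTTPS Required";
        }
        CompleteRequest(); // skip the rest of the pipeline for this request
    }
}
```

Forms served over HTTPS with HTTPS action URLs never hit the 403 branch; it only catches clients that still post to the old HTTP address.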
I'm creating a Twitter login API for our mobile web application. I got this 404 Not Found error as the return message in the console. This is the full URL for the Twitter callback:
https://api.twitter.com/?oauth_callback=http%3A%2F%2F127.0.0.1%3A4268%2Fmobileapp%2F&oauth_consumer_key=<keyhere>&oauth_nonce=7540630&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396766598&oauth_version=1.0&oauth_signature=9TjVwKWGyqYEGYdfl1s56k%2BCaaY%3D
Is there something wrong with the return URL?
Thanks
No, the problem is not in the return url.
The problems are:
You're sending the URL to https://api.twitter.com/ without any further URI to indicate the service that you're requesting. Since you are passing an oauth_callback, it's likely that you wanted to access https://api.twitter.com/oauth/request_token
You can't pass an oauth_callback to oauth/request_token using a GET request: you need to use a POST request instead.
Hopefully that explains for you what's wrong with this URL.
If you are having more problems accessing the Twitter oauth API, I suggest that you read this primer from Twitter on how to use this API:
Implementing Sign in with Twitter
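A sketch of the corrected request from the answer above, as an added example that is not part of the original answer. It signs a POST to https://api.twitter.com/oauth/request_token with HMAC-SHA1 as RFC 5849 defines it; the class and method names are hypothetical, the consumer key and secret are supplied by the caller, and .NET 4.6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class OAuth1RequestToken
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // RFC 5849 percent-encoding: every byte outside the unreserved set becomes %XX.
    public static string Encode(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // The HTTP method and the endpoint URL are part of the signed base string,
    // so a signature computed for GET or for another path does not verify.
    public static string Sign(string method, string url,
        IDictionary<string, string> parameters, string consumerSecret, string tokenSecret)
    {
        var pairs = parameters
            .Select(p => new { K = Encode(p.Key), V = Encode(p.Value) })
            .OrderBy(p => p.K, StringComparer.Ordinal).ThenBy(p => p.V, StringComparer.Ordinal)
            .Select(p => p.K + "=" + p.V);
        string baseString = method.ToUpperInvariant() + "&" + Encode(url) + "&"
            + Encode(string.Join("&", pairs));
        string key = Encode(consumerSecret) + "&" + Encode(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    // Value of the Authorization header for POST .../oauth/request_token.
    public static string BuildHeader(string consumerKey, string consumerSecret, string callback)
    {
        var p = new SortedDictionary<string, string>(StringComparer.Ordinal) {
            { "oauth_callback", callback },
            { "oauth_consumer_key", consumerKey },
            { "oauth_nonce", Guid.NewGuid().ToString("N") },
            { "oauth_signature_method", "HMAC-SHA1" },
            { "oauth_timestamp", DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString() },
            { "oauth_version", "1.0" } };
        p["oauth_signature"] = Sign("POST", "https://api.twitter.com/oauth/request_token",
            p, consumerSecret, "");   // no token secret exists yet at this step
        return "OAuth " + string.Join(", ", p.Select(kv => kv.Key + "=\"" + Encode(kv.Value) + "\""));
    }
}
```

Keep the consumer secret on the server side; a mobile web client should ask the server for the signed header instead of holding the secret itself.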
I'm working on an application allowing users to sign in and register using Google and Yahoo through OpenID using ASP.NET MVC4, and the DotNetOpenAuth library. Google is working fine, and Yahoo was working fine for a few months as well until a few days ago.
For some reason, using my local version of IE 11, after authenticating with Yahoo, two responses are sent back to the web server, and each is validated in its own separate thread. One response is determined to be valid, and the other response is determined to be invalid because the first response is already validated. The responses are then sent back to the user, and depending on which one is sent first, two very different outcomes can occur.
Using Chrome and Firefox works correctly. Yahoo is returning only one response. Using different versions of IE on other machines (including 11) works correctly as well. Using Fiddler, I've verified that the correct requests are being sent out. I've tried clearing my cache, disabling any addons, and changing document and browser modes using the dev tools, and no luck. Is there anything that can be causing two responses to be sent back?
The basic code to send the request is below. The config file is using all default values.
OpenIdRelyingParty openid = new OpenIdRelyingParty();
IAuthenticationRequest request = openid.CreateRequest(Identifier.Parse("https://me.yahoo.com"));
var fields = new ClaimsRequest();
fields.Email = DemandLevel.Require;
request.AddExtension(fields);
return request.RedirectingResponse.AsActionResult();
It turns out that the problem was that I was sending a request to tell Yahoo to redirect back to an unencrypted connection after authentication. If I tell Yahoo to return to an https url, rather than http, everything works correctly, and I only get one request coming back to the application.
I'm using HttpWebRequest to pull down XML, and POST data back to a 'WebService' and getting a 401 on the POST.
When creating the requests I've added Credentials and now tried a credentials cache and setting PreAuthenticate to True, still getting the 401! :(
Watching the HTTP traffic on the router, I see the GET make an unauthenticated GET request... it hits the 401 and then makes an authenticated GET and is allowed through. When I watch the POST I see it hit the 401... and it doesn't even try an authenticated POST.
This appears only on mobile phones (compact-framework 3.5 and 2.0 on WinMobile 6.1). The same .exe works perfectly on any desktop machines.
What am I missing? Please help!
Try setting the header manually:
http://devproj20.blogspot.com/2008/02/assigning-basic-authorization-http.html
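One way to set the header manually, as an added example that is not taken from the answer or the linked post. It assumes the service accepts HTTP Basic authentication; the class and method names are hypothetical, and the https check is an added safeguard because Basic credentials are only base64-encoded.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

public static class BasicAuthPost
{
    // Builds a POST request that carries the credentials on the first attempt,
    // so it does not depend on the framework retrying after a 401 challenge.
    public static HttpWebRequest Create(Uri endpoint, string user, string password)
    {
        if (endpoint.Scheme != "https")
            throw new ArgumentException("Basic credentials require an https endpoint.");
        if (user.IndexOf(':') >= 0)
            throw new ArgumentException("A Basic user name cannot contain ':'.");

        var request = (HttpWebRequest)WebRequest.Create(endpoint);
        request.Method = "POST";
        string token = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
        request.Headers.Add("Authorization", "Basic " + token);
        return request;
    }

    // Sends the XML body and returns the status code of the response.
    public static HttpStatusCode PostXml(HttpWebRequest request, string xml)
    {
        byte[] body = Encoding.UTF8.GetBytes(xml);
        request.ContentType = "text/xml; charset=utf-8";
        request.ContentLength = body.Length;
        using (Stream s = request.GetRequestStream())
            s.Write(body, 0, body.Length);
        using (var response = (HttpWebResponse)request.GetResponse())
            return response.StatusCode;
    }
}
```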