How do I use the access_token from Xamarin.Essentials WebAuthenticator? - xamarin

I have a website set up step by step after the external login instructions.
I have added Support for mobile login after the xamarin webauthentication instructions.
Logging in works fine by now, but accessing a controller with [Authorize] attribute just won't happen.
Looking at the sample WebAuthenticator in Xamarin.Essentials. After receiving the access_token, how do I use it for another HttpClient request?
I was assuming it was a Bearer, so I tried:
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", App.AccessToken);
I still get 401 from the service.
Same with postman. It is a bearer token from the properties when I receive it in aspnet.
It feels like something is missing in the web service configuration.
I tried adding .AddJwtBearer(); but same result so far...

The access_token is not a valid JwtBearerToken and is not indended for anything but calling google api's. It can't be used as identification between the app and the backend.

Related

How to silently renew Id Token using AddMicrosoftIdentityWebAppAuthentication to Call Downstream API

I am trying to implement the BFF-Gateway pattern (no tokens in the browser) to be used with a React SPA. The BFF is using AddMicrosoftIdentityWebAppAuthentication to handle login and issue a cookie to the SPA. And it is using YARP to proxy api requests to a downstream api. I'm using Azure B2C. Everything works perfectly until the BFF id_token expires in 1 hour. At that point, fetching the downstream api access token via GetAccessTokenForUserAsync (which is called in a piece of middleware) fails:
var scope = _configuration["CallApi:ScopeForAccessToken"];
var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { scope });
ctx.Request.Headers.Add("Authorization", "Bearer " + accessToken);
Exception:
IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
ResponseBody: {"error":"invalid_grant","error_description":"AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 622d6bd6-d06e-4142-86f2-b30a7a17b3b5\r\nTimestamp: 2022-11-25 09:31:23Z\r\n"}
This is effectively the same as Call Downstream API Without The Helper Class example and this sample, except that I'm acquiring the access token in middleware, not a controller, so the downstream YARP requests contain the access token. BTW I get the same error if I do this inside a controller per this example. And I see no soluton to this in the sample.
There is a similar question here which references the sample referenced above, but for the B2C sample I see no solution to this problem.
I also found this sample and this explanation. But this uses Microsoft.Owin to configure auth, not AddMicrosoftIdentityWebAppAuthentication. This looks promising, but is a departure from most examples I see that use Microsoft.Identity.Web.
Can you please point to the correct soluton? I need call to be able to call _tokenAcquisition.GetAccessTokenForUserAsync after the id token expires without asking the user to reauthenticate and/or the SPA to having to reload.
At the moment I am handling this issue in the SPA by catching the exception from MSAL and redirecting back to the login endpoint in the BFF which initiates the challenge. This gets me a new id_token and cookie, but this is just a temp workaround as it's very disruptive to user to be redirected away from the SPA.

.Net MAUI WebAuthenticator CallbackUrl for social logins

I'm following this guide to setup authenticating with social logins using MSAL and Web Authenticator. The example call looks like this:
WebAuthenticatorResult authResult = await WebAuthenticator.Default.AuthenticateAsync(
new Uri("https://example.com/mobileauth/Microsoft"),
new Uri("myapp://"));
But what should the second URI parameter be? In the guide it says:
The URI the flow is expected to ultimately call back to, that is registered to your app.
So how do I register a URI like that to my app?? I've tried following this guide and have 'registered' my app in azure active directory but facebook/google etc won't accept urls of the form "myapp://" as valid redirect URIs... What am I missing?
Update
So the first half of the flow is working but I keep getting errors from the OAuth providers (the green highlight in the diagram isn't working).
This from Google:
And this from Facebook:
But I've added all these valid callback URLs:
I'm afraid that example is broken.
The second URI parameter represents where your app is listening to get the authentication result.
Actually, myapp:// is not a valid URI. You should try with something like myapp://callback.
Finally got to the bottom of it thanks to this old Xamarin issue: https://github.com/xamarin/Essentials/issues/1224#issuecomment-618192336
You have to set the "CallbackPath" property in the API config like so:
.AddGoogle(g => {
g.ClientId = "{Client ID}";
g.ClientSecret = "{Client Secret}";
g.CallbackPath = "/mobileauth"; //mobileauth is api controller
g.SaveTokens = true; })
And then tell the provider of that redirect e.g. adding "https://{API-URL}/mobileauth" in google console.

Cannot get refresh token for Chrome Web Store API to publish Chrome extension

I'm trying to upload and publish my Chrome Extension using Chrome Web Store API in Azure DevOps. I've been referencing the official Google guide but the problem is that it looks like it's outdated now. I'm failing at the step
To create the client ID and client secret, click on Create New Client ID, select Installed Application, and Other under Installed application type.
When I do this, I don't see option for "Other" in Application Type dropdown.
I've tried the following:
Choosing Web Application as Application Type
With this I'm not able to get an access code with this link:
https://accounts.google.com/o/oauth2/auth?response_type=code&scope=https://www.googleapis.com/auth/chromewebstore&client_id=$CLIENT_ID&redirect_uri=urn:ietf:wg:oauth:2.0:oob
it's resulting in "Error 400: redirect_uri_mismatch". If I add an authorized redirect URI in my Client ID settings, like 'localhost', and replace 'urn:ietf:wg:oauth:2.0:oob' in URL above with it, I'm able to invoke authorization process and get the code from URL. But when I try to make a curl request to https://accounts.google.com/o/oauth2/token to get the refresh token I don't receive a refresh token, I only get this:
{
"access_token": "",
"expires_in": 3599,
"scope": "https://www.googleapis.com/auth/chromewebstore",
"token_type": "Bearer"
}
Choosing Chrome App as Application Type
Pretty much the same happens here as in previous attempt, except I don't have to substitute the redirect URI in request for access code, but I also don't have Client Secret for this application type, so I just omit it. Anyways, it results in the same response that doesn't have refresh token.
When I enable Chrome Web Store API in dev console and try to create new credentials, it suggests to create API key instead of Cliend ID. But it doesn't look like this API can actually work with this key, I've tried sending it as query param, as a header, and I always get 401 result with "Login Required" message. But when I try to send a request with (invalid) token in a header I get meaningful response (smth like Invalid Credentials).
Apparently I do need to have access token to work with Chrome Web Store API but without refresh token I need to manually authorize my permissions and that's not acceptable because I need to use in my CI/CD pipeline. It looks like Google removed the option to just generate this info for such application types.
So, the question is, how can I get the refresh token to actually be able to continuously deploy the chrome extension?
Ok, so the trick here was to add two params to the request that you use to get the access code (not token):
&access_type=offline&approval_prompt=force
And so the link should be:
https://accounts.google.com/o/oauth2/auth?response_type=code&scope=https://www.googleapis.com/auth/chromewebstore&client_id=$CLIENT_ID&redirect_uri=urn:ietf:wg:oauth:2.0:oob&access_type=offline&approval_prompt=force
And Google should do better job in updating their docs.

How to provide login authentication for Web API in Xamarin App?

I am working on Xamarin Forms application and new to providing login authentication of the application. I have completed the design part of the application with using Entries for user id and password and button for Submit. Also, i am having web API and for authentication. Now how to connect that Web API in xamarin forms application for login.
Please guide or provide some use full samples...
Thanks in advance...!
I assume you've built out your authentication API already, and that you can make Fiddler or Postman calls directly to your controller, pass in a set of credentials, and return back a JWT / bearer token that you can then use for authenticated calls?
At this point, it's relatively simple then as you'll want to use build a proxy layer / API layer to make calls out to your API. These calls will simply mirror the ones you've made in Fiddler/Postman/your proxy of choice.
I used Refit to achieve this:
https://github.com/reactiveui/refit
Specifically, you can see on the "Setting request headers" section how they easily encapsulate it for you to pass your token.
Of course, your initial call should be to login, and then once logged in, take the JWT response back from your controller, set the token in your Keychain, and then pull it out of Keychain to set in the header.
Let me know specific questions you have? For example, which of the following do you need more info on?
Sending and parsing a response (serializing the response) from your Login action to set/assign a token in keychain?
Saving the token, and setting it in a header for subsequent calls?
Building a proxy layer using a framework like Refit to make generic outbound calls?

OAuth token parameter missing when using request_youtube API

I try to using youtube API in code ingniter and using librari from https://github.com/jimdoescode/CodeIgniter-YouTube-API-Library when i call request_youtube()from direct link the https://accounts.google.com/o/oauth1/auth sent massage like this :
400. That’s an error.
OAuth token parameter missing.
That’s all we know.
This the code of request_youtube() :
public function request_youtube()
{
$params['key'] = xxxxxxxxxxxx.apps.googleusercontent.com';
$params['secret'] = 'xxxxxxxxxxxx';
$params['algorithm'] = 'HMAC-SHA1';
$this->load->library('google_oauth', $params);
$data = $this->google_oauth->get_request_token(base_url().'index.php/example/access_youtube');
$this->session->set_userdata('token_secret', $data['token_secret']);
redirect($data['redirect']);
}
what wrong with my code...or any step i miss???
The library that you are using is deprecated probably because of which it is unable to make calls to the Google Servers and is returning 404 errors. You can still follow the original way of authentication using OAuth where you validate your app with the client id client secret and get the Auth code. With the Auth code making a POST request and getting a access token and a refresh token in exchange. For details please refer to this official Google Youtube Documentation on OAuth.

Resources