I have an internal API that I'm making available through Azure App Proxy with AAD Pre-authentication.
Now I want to call that API from a MessageCard HTTPPost action in Teams.
When I click on the action button I do not see any errors, and Fiddler shows me a 200 respose and I can see the token in the authorization header and the below in the body:
{"status":"Completed","actionId":"65d36e8b-e90a-4007-a556-bc4c74da8f1e","performedAt":"2019-12-03T16:23:45.0463267Z","properties":{"displayMessage":""}}
But nothing happens after that.
Am i missing something?
Can you test your API with Webhook.site and see if you are able to get proper response.
Related
I'm getting 403 error on each custom rest api while executing the sharepoint login.
Could you please share with me a solution with an example?
This error comes
{"error":{"code":"-2147024891,
System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access
denied. You do not have permission to perform this action or access
this resource."}}}
Most probably you need to add proper authentication context to each API request and the most common way to protect the API from unauthorized usage is requirement to have valid Authorization header.
Inspect the outgoing requests to your custom API using your browser's developer tool and pay attention to the request headers in the "Network" tab, I believe you should see the aforementioned "Authorization" header or Cookie header or something like this.
In your JMeter script you can add custom headers to your requests using HTTP Header Manager
JMeter should handle Cookies automatically given you add HTTP Cookie Manager to your Test Plan.
I'm trying to test my backend service which takes a Google reCAPTCHA token and verifies it before proceeding with the request, but each time I want to curl my backend service's endpoint I have to go to the site that is hosting the captcha checkbox, open the network tab in Chrome, click the button, and then manually copy the token from the response into my curl request. Is there a better/easier way to do this? I was hoping that the admin console might have something to help but I don't see anything in there.
In JavaScript you can get reCAPTCHA response by following
let grecaptchaResponse = grecaptcha.getResponse();
I am trying to get the response back from API using Postman native app in windows 10.
I am in my company system which uses proxy, so i need to pass proxy credentials for every request which i send from my system.
As per postman documentation, i set proxy settings but still getting 401: Unauthorized error.
Postman Proxy Settings
Other suggestion was to use Basic Authentication while sending a request. It doesn't help either:
Baisc Auth settings for Proxy in postman
I tried all the things in native app but it's not working.
The workaround is to use Chrome extension for Postman.
Please refer the steps below:
1.> Search for Postman Interceptor chrome extension
2.> Install the extension
3.> Launch postman extension
4.> Login using your google account Or register an account in postman.
5.> When you try to login, pop appear in which proxy userid and password needs to be entered.
6.> Once proxy settings has been updated, send the request. You should receive expected response back.
Happy coding :)
I'm building an MVC web app that uses the openID Connect hybrid flow to authenticate with Identity Server 3. The MVC web app contains jQuery scripts to get async JSON data from een ApiController. That ApiController is part of the same MVC web app.
I don't want that everyone is able to access the data from the API, so I want to secure the API as well. I added an [authorize] attribute to the ApiController. When requesting the API with a JQuery ajax request I get the following error message:
XMLHttpRequest cannot load
https://localhost:44371/identity/connect/authorize?....etc.
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:13079' is therefore not allowed
access. The response had HTTP status code 405.
But, when I do a request to the API method directly in browser, I will be correct redirected to the Login page of Identity Server..
So, what's exactly the problem here? I read something about that requesting the /authorize endpoint is not allowed via 'back-channel', but I don't understand what's the difference between 'front-channel' and 'back-channel'. Is it possible that I mixed up the wrong OAuth flows? Is the Hybrid flow not the correct one maybe?
I also find out that the API is often a seperate app, but is it always neccessary / best-practice to build a seperate API app that for example requires a bearer token?
Please point me in the right direction about this.
The authorize method on your identity server does not allow ajax calls. Even specifying CORS headers is not going to help you in this particular case. Perhaps you could return a forbidden response instead of a redirect and manually redirect the client to the desired location via window.location
You need to allow your IdentityServer to be accessed from other domains, this is done by allowing "Cross Origin Resource Sharing" or CORS for short. In IdentityServer the simplest way to allow this is in your Client configuration for your Javascript Client, see this from the IdentityServer docs on CORS:
One approach to configuing CORS is to use the AllowedCorsOrigins collection on the client configuration. Simply add the origin of the client to the collection and the default configuration in IdentityServer will consult these values to allow cross-origin calls from the origins.
The error you're seeing is the browser telling you that when it asked IdentityServer if it allows requests from your Javscript client, it returned a response basically saying no, because the origin (http://localhost:13079) was not specified in the "Access-Control-Allow-Origin" response header. In fact that header wasn't in the response at all meaning CORS is not enabled.
If you follow the quickstart for adding a JavaScript client from the docs here all the necessary code is detailed there that you need for the Client config and to setup IdentityServer to allow CORS.
I try to use the yammer api. I did everything like specified in the docs (https://developer.yammer.com/v1.0/docs/js-sdk):
I created my own Yammer app, with my website (https) domain set in the Javascript Origins
I use the login button to receive my Auth token.
I set the token with yam.platform.setAuthToken
But any following request with yam.platform.request fails with "No 'Access-Control-Allow-Origin' header is present" although I can see in the network console that the correct token is sent through the Authorisation Bearer Header.
I found out that my code was working when accessing my home-network. For accessing any other network that i am a member of, the Yammer app should be globalized, see yammer client application external networks 401
I think you don't need to set yam.platform.setAuthToken yourself - that is taken care of by yam.platform.getLoginStatus.
You can receive the token from the response object provided to the callback function passed to getLoginStatus if you need to, but if your JS queries the API from the browser itself, there is no need for that.