dotnetopenauth with AzureAD b2c - webforms

I am using dotnetopenauth (version 4) to obtain an access token for my API. This works perfectly fine, but I cannot figure out how I can read the profile information for the user (which is sent back by Azure AD B2C).
The first leg of the flow is a request to the authorization endpoint. (basically a get request)
After the authorization the callback url is called. In my case this is callback.aspx.
On this callback page i'm running the following dotnetopenauth code:
var authorization = Client.ProcessUserAuthorization();
This will do another post again to the token endpoint. The response looks like this:
{"access_token":"xxxx","token_type":"Bearer","not_before":1519920056,"expires_in":3600,"expires_on":1519923656,"resource":"6ee73e1a-6e96-4ed6-b7f8-a52c1379317a","id_token_expires_in":3600,"profile_info":"eyJ2ZXIiOiIxLjAiLCJ0aWQiOiIyYjIzMTFmMy04ZWNlLTQ3MzMtOWVlNS04ZWMxNzJiOTRjMDMiLCJzdWIiOm51bGwsIm5hbWUiOiJBbGZyZWQgQnJvY2tvdHRlciIsInByZWZlcnJlZF91c2VybmFtZSI6bnVsbCwiaWRwIjpudWxsfQ","refresh_token":"eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ","refresh_token_expires_in":1209600}
As you can see the profile_info is included (as a base64 string). But the IAuthenticationState has no property or function to get this information:
Is there a way to get this extra response data with dotnetopenauth?
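The profile_info value in the response above is base64url-encoded JSON without padding, so it can be decoded once the raw token-endpoint body is in hand. The following is an added example, not code from the post or from dotnetopenauth; readProfileInfo is a hypothetical helper and the sample response is constructed with the same field names as the one quoted in the question.

```javascript
// Constructed sample: same fields as the profile_info in the question.
const sampleProfile = {
  ver: '1.0', tid: '00000000-0000-0000-0000-000000000000',
  sub: null, name: 'Example User', preferred_username: null, idp: null,
};
// base64url without padding, matching the encoding in the quoted response.
const toBase64Url = (text) => Buffer.from(text, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleTokenResponse = JSON.stringify({
  access_token: 'xxxx',
  token_type: 'Bearer',
  expires_in: 3600,
  profile_info: toBase64Url(JSON.stringify(sampleProfile)),
});

// Hypothetical helper: returns the decoded profile object, or null when the
// response has no profile_info. Throws on malformed content.
function readProfileInfo(rawTokenResponse) {
  const body = JSON.parse(rawTokenResponse);
  const encoded = body.profile_info;
  if (typeof encoded !== 'string' || encoded.length === 0) return null;
  // Reject anything outside the base64url alphabet before decoding;
  // Buffer.from would otherwise skip invalid characters silently.
  if (!/^[A-Za-z0-9_-]+={0,2}$/.test(encoded)) {
    throw new Error('profile_info is not base64url');
  }
  const standard = encoded.replace(/-/g, '+').replace(/_/g, '/');
  const profile = JSON.parse(Buffer.from(standard, 'base64').toString('utf8'));
  if (profile === null || typeof profile !== 'object' || Array.isArray(profile)) {
    throw new Error('profile_info did not decode to a JSON object');
  }
  return profile;
}

console.log(readProfileInfo(sampleTokenResponse).name);
```

The value is a single encoded segment with no signature, so it is suitable for display (for example the user's name) rather than as the basis for an authorization decision.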

Related

How to silently renew Id Token using AddMicrosoftIdentityWebAppAuthentication to Call Downstream API

I am trying to implement the BFF-Gateway pattern (no tokens in the browser) to be used with a React SPA. The BFF is using AddMicrosoftIdentityWebAppAuthentication to handle login and issue a cookie to the SPA. And it is using YARP to proxy api requests to a downstream api. I'm using Azure B2C. Everything works perfectly until the BFF id_token expires in 1 hour. At that point, fetching the downstream api access token via GetAccessTokenForUserAsync (which is called in a piece of middleware) fails:
var scope = _configuration["CallApi:ScopeForAccessToken"];
var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { scope });
ctx.Request.Headers.Add("Authorization", "Bearer " + accessToken);
Exception:
IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
ResponseBody: {"error":"invalid_grant","error_description":"AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 622d6bd6-d06e-4142-86f2-b30a7a17b3b5\r\nTimestamp: 2022-11-25 09:31:23Z\r\n"}
This is effectively the same as Call Downstream API Without The Helper Class example and this sample, except that I'm acquiring the access token in middleware, not a controller, so the downstream YARP requests contain the access token. BTW I get the same error if I do this inside a controller per this example. And I see no solution to this in the sample.
There is a similar question here which references the sample referenced above, but for the B2C sample I see no solution to this problem.
I also found this sample and this explanation. But this uses Microsoft.Owin to configure auth, not AddMicrosoftIdentityWebAppAuthentication. This looks promising, but is a departure from most examples I see that use Microsoft.Identity.Web.
Can you please point to the correct solution? I need to be able to call _tokenAcquisition.GetAccessTokenForUserAsync after the id token expires without asking the user to reauthenticate and/or the SPA having to reload.
At the moment I am handling this issue in the SPA by catching the exception from MSAL and redirecting back to the login endpoint in the BFF which initiates the challenge. This gets me a new id_token and cookie, but this is just a temp workaround as it's very disruptive to the user to be redirected away from the SPA.

Google Identity for server-side web app - redirect URI mismatch

I'm attempting to set up the Code Model for Google authentication, so that my user can oauth with Google and my app can retrieve their Calendar data. I'm stuck on step 5 here, where I'm supposed to exchange the authorization code for refresh and access tokens. I'm using nestjs in the backend and React in the frontend.
What I've done already that's working:
User clicks a button on my web app's page
Client sets up google.accounts.oauth2.initCodeClient with the /calendar scope, in ux_mode: popup
User is shown the Google popup and can auth thru that
Client receives a response from Google containing the authorization code
Client makes a POST call to my backend to send it just that authorization code
In step 5, the client makes the POST call to localhost:4000/auth/google-test. In the backend, I'm using the googleapis package and have:
export const oauth2Client = new google.auth.OAuth2(
    process.env.GOOGLE_CLIENT_ID,
    process.env.GOOGLE_CLIENT_SECRET,
    'http://localhost:4000/' // <- note, I'm not sure if this is correct
);
And in the relevant controller route, I'm doing:
@Post('google-test')
public async googleTest(@Body() bodyReceived: any): Promise<any> {
    let { code } = bodyReceived
    let { tokens } = await oauth2Client.getToken(code)
    oauth2Client.setCredentials(tokens);
    console.log('Tokens: ' + tokens);
    return
}
The error I'm getting is related to oauth2Client.getToken(code), and the error is a redirect_uri_mismatch. In GCP for the credentials for this app, I've added all of these as "Authorized redirect URIs":
http://localhost:3000/home
http://localhost:4000/auth/google-test
http://localhost:4000
What am I doing wrong?
It took a bit more Googling, but turns out that the right answer is to have my server make the token call with the redirect uri as "postmessage".
This SO question gives a bit more context. A somewhat unbelievable message, but it seems to work for my app.
It is evident that what is happening is that the redirect URI does not match the one in the GCP. This usually happens because backend tools such as Nestjs may be appending a trailing '/' to the URL and it may be interpreted as being part of the redirect_uri value.
You can try removing any trailing '/' via the following method: oauthurl.replace(/\/$/, '')
Moreover, you can pass the generated auth URL to a meta tag. And check the html header to confirm what is the URL value.

Is it possible to get google api access token by using any REST API Client

I am looking for tips or tutorial where I can fetch data from youtube data api.
By using only an API key, I can use any REST API client to fetch a lot of information from https://www.googleapis.com/youtube/v3/channels.
And now, I would like to get auditDetails which needs authorization token https://developers.google.com/youtube/v3/docs/channels/list#auth.
[Edit]
By following the steps below (Using OAuth guides), I can now make request but I have an error 400 which is redirect_uri_mismatch:
The redirect URI in the request, http://localhost:9874, does not match the ones authorized for the OAuth client
In my console developer configuration, I set the redirect authorized url to http://localhost/authorize.php
So I do not understand why, during the authentication, it uses http://localhost:9874
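Both redirect_uri_mismatch questions above involve a redirect URI that has to match a registered one exactly, character for character. The following added example (not from either post; the function names are hypothetical) reports how a sent URI differs from each registered one, using the URIs quoted in the two questions. It does not decide which value the provider expects, only where the strings diverge.

```javascript
// Name the first component in which two redirect_uri strings differ.
function diffRedirectUri(expected, actual) {
  if (expected === actual) return 'identical';
  const strip = (s) => s.replace(/\/$/, '');
  if (strip(expected) === strip(actual)) return 'trailing-slash';
  let a, b;
  try {
    a = new URL(expected);
    b = new URL(actual);
  } catch {
    return 'opaque-value'; // e.g. the literal string "postmessage"
  }
  if (a.protocol !== b.protocol) return 'scheme';
  if (a.hostname !== b.hostname) return 'host';
  if (a.port !== b.port) return 'port';
  if (a.pathname !== b.pathname) return 'path';
  if (a.search !== b.search || a.hash !== b.hash) return 'query-or-fragment';
  return 'normalization'; // same URL after parsing, different raw string
}

// Exact-match lookup against the registered list, with one hint per
// registered entry when nothing matches.
function checkAgainstRegistered(registered, sent) {
  if (registered.includes(sent)) return { ok: true, hints: [] };
  return {
    ok: false,
    hints: registered.map((uri) => ({ uri, difference: diffRedirectUri(uri, sent) })),
  };
}

// URIs quoted in the NestJS question: three registered, one sent by the server.
const nestRegistered = [
  'http://localhost:3000/home',
  'http://localhost:4000/auth/google-test',
  'http://localhost:4000',
];
const nestResult = checkAgainstRegistered(nestRegistered, 'http://localhost:4000/');
// URIs quoted in the YouTube question.
const youtubeResult = checkAgainstRegistered(
  ['http://localhost/authorize.php'], 'http://localhost:9874');
// Popup flow: the accepted fix on this page sends the literal "postmessage".
const popupResult = diffRedirectUri('postmessage', 'http://localhost:4000/');

console.log(nestResult.hints, youtubeResult.hints, popupResult);
```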

openiddict - The specified authorization code is invalid

I have written a web API in .NET core 2.0 and using openiddict. When testing the external login use case, the following steps are followed.
User calls into account controller specifying their external login provider which starts the Challenge process.
/api/account/externallogin?provider=Facebook
The result of the Challenge process calls back to API (ExternalLoginCallback) with successful result and redirects to the following API endpoint to return an authorization code to the client via the redirect_uri.
/connect/authorize?client_id=myClient&response_type=code&scope=offline_access&redirect_uri=http://myClient/signin-oidc";
The client receives the code via the redirect_uri with code appended as shown below
http://myClient/signin-oidc?code=CfDJ8Agzs3e68m5Ev0zC5okWI7--_T13E-ULHqeUlzgmEWBcPj6PYBBzAWu0kssa0wl3OcYX-YG0jCzhLZr2Wajvjc_zJTsmK12rmRjPAzqbqu9OuMjDX-wzNQYMI0cpLW1ZuumvPZHiRP5hxWAVpgH1pu5VwdcQBTBpyOPOP0JD2Wba1VAF9iopN1YIquLkvtVXnJEEKhb1apqfJAkA_NNk2lSRxFBkq6rFn9wLEOt2y9b0fOqsJ0sqmA1jbhJVfiVPaaI8z3J8HnzFtMwNHTwgpU8gAjk9ZTeTuP86nxQZl8R-P7LgEvOs8AgTR1g_WBSZgwtPfpULV3Ib7iUn8BQ4PiDhcwVR3Wed9Utnmbx5w8iDV9-jo4QRleuH8QWmZxXqr2nyeeCKqC01VHoEGl1KJak1jcxzFg7ooZAM_yrD207n0jy-hX9dvyl6XezSND5-ltjWjM1b96iK_74X8Euf4YVlhcV2bWPzBmgBSWQydOfT_xv3HNmXQcWwXjlEcCaxzdAKTconRDUuycBsdLS1Je6cME5deT9fzp98Lt6ryuVGNtkkqGg0LcKv49JmPyiBHrQfQUOUQg8fXkCYrf7k8FG5N8e-k3X1P3NEcYFcMchxF_1s1T2lUGAfmJ3P8Yqd9j26PF-gWzQHwkcdz1ptwbIXmF-tHuQK8zmIHoa5ErB3lR5bffsZmmG77NpTT-yq82Bbl5yf32RXKunqf5rQrVF7cWX0eM1h-EDgeHiMwx2IOYkHcxK6JLcRlggDfG__wMn_vEsQwW5UJaKU1VywT3hBGvS-zmbseparILu8hGDL5DrpmLpE3a5obWsp1yCM33fb7ciYmWuwQXKldG7MWXg#=
Client immediately extracts the code from the URL and posts to the following endpoint to receive access/refresh tokens, but receives an error of invalid grant with error description of The specified authorization code is invalid.
/connect/token
The following values are submitted in the post to request access token:
grant_type = authorization_code
code =
CfDJ8Agzs3e68m5Ev0zC5okWI7--_T13E-ULHqeUlzgmEWBcPj6PYBBzAWu0kssa0wl3OcYX-YG0jCzhLZr2Wajvjc_zJTsmK12rmRjPAzqbqu9OuMjDX-wzNQYMI0cpLW1ZuumvPZHiRP5hxWAVpgH1pu5VwdcQBTBpyOPOP0JD2Wba1VAF9iopN1YIquLkvtVXnJEEKhb1apqfJAkA_NNk2lSRxFBkq6rFn9wLEOt2y9b0fOqsJ0sqmA1jbhJVfiVPaaI8z3J8HnzFtMwNHTwgpU8gAjk9ZTeTuP86nxQZl8R-P7LgEvOs8AgTR1g_WBSZgwtPfpULV3Ib7iUn8BQ4PiDhcwVR3Wed9Utnmbx5w8iDV9-jo4QRleuH8QWmZxXqr2nyeeCKqC01VHoEGl1KJak1jcxzFg7ooZAM_yrD207n0jy-hX9dvyl6XezSND5-ltjWjM1b96iK_74X8Euf4YVlhcV2bWPzBmgBSWQydOfT_xv3HNmXQcWwXjlEcCaxzdAKTconRDUuycBsdLS1Je6cME5deT9fzp98Lt6ryuVGNtkkqGg0LcKv49JmPyiBHrQfQUOUQg8fXkCYrf7k8FG5N8e-k3X1P3NEcYFcMchxF_1s1T2lUGAfmJ3P8Yqd9j26PF-gWzQHwkcdz1ptwbIXmF-tHuQK8zmIHoa5ErB3lR5bffsZmmG77NpTT-yq82Bbl5yf32RXKunqf5rQrVF7cWX0eM1h-EDgeHiMwx2IOYkHcxK6JLcRlggDfG__wMn_vEsQwW5UJaKU1VywT3hBGvS-zmbseparILu8hGDL5DrpmLpE3a5obWsp1yCM33fb7ciYmWuwQXKldG7MWXg#=
redirect_uri = http://myClient/signin-oidc"
cient_id = myClient
client_secret = mySecret
scope = offline_access role email openid

How to exchange Google one-time authorization code for a refresh token without callback (intranet)?

I'm working on an intranet-based application and I want to use Google services. Currently I have successfully implemented Google Authentication with "Sign-In for Websites" using JavaScript client-side authentication. My users can now sign in or sign up with their Google accounts.
Now I want to use Google API to create and share Google Sheets with my users. These documents will be created with a specific Google account and then shared with my users.
This is why I want to use this server-side flow to get a one-time authorization code and exchange it for a refresh token:
https://developers.google.com/identity/sign-in/web/server-side-flow
This refresh token will be stored in my database, allowing me to use Google services on behalf of this offline user.
Using the JavaScript library, I was able to get the one-time authorization code that I send to my server with an AJAX request.
// Define the callback before it is passed to then()
var grantOfflineAccessCallback = function(authResult) {
    var auth_code = authResult.code;
    // Exchange the one-time authorization code for tokens
    $.post(...);
};
auth2.grantOfflineAccess({'redirect_uri': 'postmessage'}).then(grantOfflineAccessCallback);
On server-side I use Google API PHP Client (v2.0.0-RC6) to acquire an access and refresh token.
$this->client = new Google_Client();
$this->client->setClientId($this->clientId);
$this->client->setClientSecret($this->clientSecret);
$this->client->setAccessType('offline');
$this->client->setApprovalPrompt('force');
$response = $this->client->fetchAccessTokenWithAuthCode($oneTimeCode);
I wasn't able to exchange the authorization code.
Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `400 Bad Request` response:
{
    "error": "invalid_request",
    "error_description": "Missing parameter: redirect_uri"
}
On this page we can read:
On the server, exchange the auth code for access and refresh tokens.
Use the access token to call Google APIs on behalf of the user.
On the JAVA example code:
REDIRECT_URI: // Specify the same redirect URI that you use with your web
// app. If you don't have a web version of your app, you can
// specify an empty string.
Because the application I am working on is an intranet application, I tried to specify an empty string for this redirect_uri parameter before calling the fetchAccessTokenWithAuthCode() method:
$this->client->setRedirectUri('');
... result in Redirect URI must be absolute.
Can we use this hybrid server-side flow without a callback URL?
Is there any solution to my problem?
Thanks,
Edit:
redirect_uri is where the user will be redirected to after he signed in. This URL must be registered in the Google Project (developers console). So redirect_uri is NOT the callback...!
Problem is now solved with:
$this->client->setRedirectUri('http://same.url.as.in.developers.console/');
