I am working on implementing OAuth in a Win32 app. I can host the web browser control in my app and, using the IWebBrowser2 interface, am able to navigate to the specified OAuth link.
When login succeeds, the server sends the response as a JSON document that contains the authorization token that I need.
I have seen C#/WPF examples where the client code captures the token in the WebBrowser.DocumentCompleted event.
I am wondering how I can reach the DocumentCompleted event in my C++ application. All I have is an IWebBrowser2 object at the moment. Regards.
1) WebBrowser2.QueryInterface(IConnectionPointContainer, ConnectionPointContainer)
2) ConnectionPointContainer.FindConnectionPoint(DIID_DWebBrowserEvents2, ConnectionPoint)
3) ConnectionPoint.Advise(Self, ConnectionPointCookie)
4) Self must implement IDispatch
5) Inside Self.Invoke you will catch all events, including DISPID_DOCUMENTCOMPLETE.
6) Don't forget to call ConnectionPoint.Unadvise at the end of your work.
We are creating a Xamarin Forms app, only Android for now, which connects to a web API also created by us (ASP.Net Core). I have managed to get OpenId Connect authentication working by:
Using Azure as the identity provider.
Using Android custom tabs to show Microsoft's login page.
Detecting when the custom tab is redirected to our redirect URL.
Getting the id token and using it as the authentication bearer token sent to our web API.
Using JwtBearer authentication in the web API.
The problem appears when the id token expires. We want to get a new one without asking the user any question.
To do that, we repeat the authentication process by adding the prompt=none, id_token_hint=THE_TOKEN and login_hint=THE_USER parameters in the authentication request, as defined in the OpenId Connect specification, and supported by Azure.
During that request, we have an issue with the redirect URL:
If the redirect URL has a custom scheme (like myapp://...) Azure responds with an interaction_required error.
If the redirect URL has an HTTPS scheme, then Azure responds successfully (including the necessary parameters to continue the process), but I am not able to detect the redirect URL in the Android custom tab. So my app gets stuck in the custom tab trying to load my invalid redirect URL.
The explanation for #2 is that HTTPS URLs are handled by the browser (Chrome in this case), so it does not trigger any action that I can detect from my app. This seems reasonable.
I also tried to detect custom tab navigation events from Xamarin, trying to detect the event "manually", but failed. Such events are never triggered.
Now, as for #1, I do not have any reasonable explanation. So my question is:
Is there any way to make Azure accept a redirect URL with a custom scheme when trying to refresh an id token by using the standard prompt=none OpenId Connect parameter?
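As an added example, not code from the question or from the app it describes, the silent-renewal step in JavaScript: building the prompt=none request with id_token_hint and login_hint, reading exp from the current id token to decide when to renew, and sorting the redirect the custom tab lands on into renewed, fall back to interactive login (interaction_required or login_required), or rejected. The authorize endpoint, client id, redirect URI and state are parameters or placeholders; the JWT payload is decoded without signature verification because the web API, not the app, validates the token.

```javascript
// Added example: the silent id-token renewal the question describes, as
// plain functions. The authorize endpoint and client id are placeholders.

// Same authorize request as the interactive login, plus prompt=none and
// the two hints, so the provider can answer without showing any UI.
function silentRenewUrl(authorizeEndpoint, opts) {
  const q = new URLSearchParams({
    client_id: opts.clientId,
    response_type: "id_token",
    response_mode: "fragment",
    redirect_uri: opts.redirectUri,
    scope: "openid profile",
    prompt: "none",
    id_token_hint: opts.idToken,
    login_hint: opts.loginHint,
    nonce: opts.nonce,
    state: opts.state,
  });
  return `${authorizeEndpoint}?${q}`;
}

// Read the JWT payload to learn exp. No signature check here on purpose:
// the web API validates the token; the app only needs the expiry time.
function jwtPayload(token) {
  const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Renew a few minutes early instead of waiting for the API to return 401.
function shouldRenew(idToken, nowSeconds, skewSeconds = 300) {
  return jwtPayload(idToken).exp - skewSeconds <= nowSeconds;
}

// Classify the URL the custom tab lands on after the prompt=none request.
// interaction_required / login_required mean "fall back to interactive
// login"; a wrong state means the redirect was not an answer to our request.
function classifyRedirect(redirectedUrl, expectedState) {
  const u = new URL(redirectedUrl);
  const p = new URLSearchParams(u.hash ? u.hash.slice(1) : u.search);
  if (p.get("state") !== expectedState) return { outcome: "reject", reason: "state_mismatch" };
  const error = p.get("error");
  if (error === "interaction_required" || error === "login_required") {
    return { outcome: "interactive", reason: error };
  }
  if (error) return { outcome: "fail", reason: error };
  const idToken = p.get("id_token");
  return idToken ? { outcome: "renewed", idToken } : { outcome: "fail", reason: "no_token" };
}
```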
I am working on a Xamarin Forms application and am new to providing login authentication for the application. I have completed the design part of the application using Entries for user id and password and a button for Submit. Also, I have a web API for authentication. Now how do I connect that web API in the Xamarin Forms application for login?
Please guide me or provide some useful samples...
Thanks in advance...!
I assume you've built out your authentication API already, and that you can make Fiddler or Postman calls directly to your controller, pass in a set of credentials, and return back a JWT / bearer token that you can then use for authenticated calls?
At this point, it's relatively simple then, as you'll want to build a proxy layer / API layer to make calls out to your API. These calls will simply mirror the ones you've made in Fiddler/Postman/your proxy of choice.
I used Refit to achieve this:
https://github.com/reactiveui/refit
Specifically, you can see on the "Setting request headers" section how they easily encapsulate it for you to pass your token.
Of course, your initial call should be to login, and then once logged in, take the JWT response back from your controller, set the token in your Keychain, and then pull it out of Keychain to set in the header.
Let me know what specific questions you have. For example, which of the following do you need more info on?
Sending and parsing a response (serializing the response) from your Login action to set/assign a token in keychain?
Saving the token, and setting it in a header for subsequent calls?
Building a proxy layer using a framework like Refit to make generic outbound calls?
I'm developing an app with Ionic 3 and Angular 4, and also implementing Login With Facebook button (and logic).
I don't understand how to secure this process.
The API returns the user's email + id and then I need to send them to my server to register / log in the user.
But how can I be sure that nobody "fakes" the ajax call with that user email & id? And skips the whole Facebook Button process?
I don't get it at all - no matter what the API returns - I need to send it to the server via AJAX, and anyone can fake this process and send specific parameters with AJAX.
A good way is to send the Access Token to the server and make the API call to the Facebook API there. You can/should activate "Require App Secret" in the App settings:
Only allow calls from a server and require app secret or app secret proof for all API calls.
The answer is - backend!
You should always verify the token on the server side to prevent "hacks" like you said.
I am writing an application that requires authentication using the OAuth2 Protocol. I have managed to use the Web Server App authentication mechanism and it's working quite well, the only problem is that I am handling the redirect_url within the program itself and I don't want the browser to make the request in a new tab.
If it were possible, the ideal solution would be that google server would send the request to me directly, or that it would open and close the browser tab/window.
Perhaps this approach is not the most appropriate, if so please let me know how to do this better.
Fair warning, I haven't used OAuth like this but I do have an idea:
Can't you just open the OAuth request in a pop-up with window.open()?
Getting the parent of the popup is then as easy as using window.opener.
After OAuth validation you could refresh the parent with:
window.opener.location.reload();
You could then simply use window.close() to close the popup.
This way no new tabs will be opened and your application will remain the active tab.
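An added example, not code from the answer, of the popup handoff in browser JavaScript: the popup reads code and state from the redirect URL, posts them to the opener with postMessage pinned to the app's own origin, and closes; the opener accepts only messages from that origin, from the popup it opened, with the state it generated, then reloads as the answer suggests. It assumes the redirect_uri page is served from APP_ORIGIN (a placeholder), and both sides take the window object as a parameter so the logic runs outside a browser.

```javascript
// Origin of the page that opened the popup. The redirect_uri page that runs
// deliverToOpener must be served from this same origin. Placeholder value.
const APP_ORIGIN = "https://app.example";

// Opener side: show the provider's authorization page in a popup, not a tab.
function openAuthPopup(win, authUrl) {
  return win.open(authUrl, "oauth", "width=500,height=600");
}

// Popup side: read code/state/error from the URL the provider redirected to.
function extractAuthResult(locationHref) {
  const u = new URL(locationHref);
  return {
    code: u.searchParams.get("code"),
    state: u.searchParams.get("state"),
    error: u.searchParams.get("error"),
  };
}

// Popup side: hand the result to the opener and close. Pinning targetOrigin
// means the message is dropped if the opener has navigated to another site.
function deliverToOpener(popupWin) {
  const result = extractAuthResult(popupWin.location.href);
  if (popupWin.opener) {
    popupWin.opener.postMessage({ type: "oauth-result", ...result }, APP_ORIGIN);
  }
  popupWin.close();
  return result;
}

// Opener side: accept only messages from our own origin, from the popup we
// opened, whose state matches the one generated before opening it. Returns
// true when the message was accepted and the page reload was triggered.
function makeResultListener(win, popupWin, expectedState, onResult) {
  return function onMessage(event) {
    if (event.origin !== APP_ORIGIN) return false;
    if (event.source !== popupWin) return false;
    const m = event.data;
    if (!m || m.type !== "oauth-result" || m.state !== expectedState) return false;
    onResult(m);
    win.location.reload();
    return true;
  };
}
```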
Yes, it's possible; I am actually doing just that in my .Net application using a web browser control. You have tagged this Google OAuth so I am assuming you are doing this with Google's auth servers. I suspect you are using one of Google's client libraries, which are built to open it in a new browser window by default. The Google .Net client library, for example, is designed to do this.
The trick may require that instead of using web credentials you use native or another type of credentials which do not require a redirect URI. These credentials are normally used for installed applications but they can be used for web. It may be possible to do it with web credentials but I think it's going to depend a little on what you are doing exactly.
Google Oauth2 flow:
The first step in the flow is creating the URL for the user to authenticate. This is a webpage; there is nothing you can do to change that. So your application will need to be able to display a webpage to the user.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
By supplying urn:ietf:wg:oauth:2.0:oob you are basically telling the auth server to just return the code to where you sent it from.
The code is returned to you and you will need to swap it. This call is an HTTP POST.
https://accounts.google.com/o/oauth2/token
code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
Response
{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}
Now you have a refresh token and an access token. You can refresh your access token using another HTTP POST call.
https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token
Response
{
"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600
}
So as long as you can embed the auth URL into your application you can fetch it yourself. You don't need the redirect URI. My tutorial on Google 3-legged OAuth2.
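The three calls above as an added example in JavaScript, not code from the answer or from Google's client library: the authorization URL with the oob redirect, the code-exchange and refresh POSTs with the client secret confined to the form body, and a small record that keeps the refresh token from the first exchange (refresh responses omit it) and decides when to refresh before expiry. Client id, secret, code and tokens are parameters; no network call is made, the functions build the requests and parse the responses.

```javascript
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
const TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token";
const OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"; // code is handed back in-page, no redirect

// Step 1: the page the embedded browser must show. No secret belongs here.
function buildAuthUrl(clientId, scope) {
  const q = new URLSearchParams({
    client_id: `${clientId}.apps.googleusercontent.com`,
    redirect_uri: OOB_REDIRECT,
    scope,
    response_type: "code",
  });
  return `${AUTH_ENDPOINT}?${q}`;
}

// Steps 2 and 3 are form-encoded POSTs to the token endpoint; the client
// secret travels only in the body, never in a URL that ends up in logs.
function tokenRequest(fields) {
  return { method: "POST", url: TOKEN_ENDPOINT,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(fields).toString() };
}

function exchangeCodeRequest(code, clientId, clientSecret) {
  return tokenRequest({ code, client_id: `${clientId}.apps.googleusercontent.com`,
    client_secret: clientSecret, redirect_uri: OOB_REDIRECT, grant_type: "authorization_code" });
}

function refreshRequest(refreshToken, clientId, clientSecret) {
  return tokenRequest({ client_id: `${clientId}.apps.googleusercontent.com`,
    client_secret: clientSecret, refresh_token: refreshToken, grant_type: "refresh_token" });
}

// Convert a token response into a record with an absolute expiry. A refresh
// response carries no refresh_token, so keep the one from the first exchange.
function parseTokenResponse(json, nowSeconds, previous) {
  if (!json.access_token || json.token_type !== "Bearer") throw new Error("bad token response");
  return {
    accessToken: json.access_token,
    expiresAt: nowSeconds + Number(json.expires_in),
    refreshToken: json.refresh_token || (previous && previous.refreshToken) || null,
  };
}

// Refresh a minute before expiry so a request in flight never carries a dead token.
function needsRefresh(record, nowSeconds, skewSeconds = 60) {
  return record.expiresAt - skewSeconds <= nowSeconds;
}
```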
Since you're already using the non-portable xdg-open, you can probably use another external tool (xdotool) and emulate a user's keystrokes with it:
xdotool search --onlyvisible --class "Chrome" windowfocus key 'ctrl+w'
This will send ctrl+w (close tab) to the visible Chrome instance.
Keep in mind there may be more than one browser window open.
I'm using the MGTwitterEngine and OAuthConsumer frameworks, and mostly following the instructions at UsingOAuthConsumer.
In order to use OAuth and not have the user deal with the OOB PIN-based authentication, you need to enable a callback to the application. To do this on a desktop (or iOS) application, you need to set up a custom URI scheme that goes to an event handler in the app. I got this working, and tested it by using the custom URI in Safari. My app does open and the correct method is invoked. So far so good.
To do this for Twitter, you need to specify the callback URI in the settings for the application on Twitter's dev site. Here the problem starts. Twitter won't allow non-standard URIs. So "myapp://oauth/" is not allowed. It has to be an http or https URI. All the websites I referenced say to put a placeholder here, and override it in the request token request. OK, so I put a dummy URL for my website here. Now to implement the override. Here's the code from one of the comments on how to do that:
// Build the request-token request with OAuthConsumer, then override oauth_callback
OAMutableURLRequest *request = [[OAMutableURLRequest alloc] initWithURL:url
                                                              consumer:consumer
                                                                 token:nil
                                                                 realm:nil
                                                     signatureProvider:nil];
[request setOAuthParameterName:@"oauth_callback" withValue:@"callbackurl:"];
When I add that second method call, the request to twitter now fails. NSURLErrorDomain error -1012 or something similar (I forgot to write down the number).
I tried a number of ways, but was never able to override the callback URL. Does anyone have a sure-fire way of doing this? For now, I've changed the app to use the OOB PIN authentication method, but I'd sure like to remove that unnecessary step for the user.
Thanks!
joe
I finally gave up on the OAuthConsumer framework and switched to the Google GTMOAuth framework. That works fine.