Can't save "Authorized redirect URLs for your app" on app Auth page - linkedin

Trying to save the URLs in the "Authorized redirect URLs for your app" section of an app's Auth page results in an error 500 with a generic message: "Your changes could not be saved right now, please try again."
Happens on both latest Google Chrome and Firefox on Windows 10
I opened the URLs list and clicked on Save, which resulted in the above-mentioned error. The same happens when I try adding any new URLs. There are currently 149 URLs in the list.
Would expect the saving to work.
If it does error, would like to see a meaningful error message, so I'd know if it's something I'm doing or if something has failed on LinkedIn side. Would also expect the LinkedIn dev team to be notified of the issue, so they would know without a need to contact about it.

Related

The security token did not match. The request was aborted to prevent any security breach. Please try again

I've got the error above in my Joomla website when I either try to log in or create a new account from the side site. I have also noticed the two following things:
if I create a new user from the backend, this doesn't appear in the _users table;
a file named ".myjoomla.configuration.php.md5", containing an alphanumeric string, is automatically generated in the website root every time I try to log in vainly from the frontend. Besides, it turns up again if I remove it manually through FTP.
Did my website get hacked? How could I fix it?
".myjoomla.configuration.php.md5" contains the md5 hash of the configuration.php file and appears on your site as part of the mySites.guru service you either subscribed to or trialled. It is part of the near-realtime alerting service which detects when configuration.php has been changed and alerts you if you are a paying subscriber of the mySites.guru service. It is NOT an indication of a hack at all.
Disclaimer: It is code I wrote and a service I run, so I know what I'm talking about.
Not being able to create users - I'm guessing you have Admin Tools or RSFirewall installed and configured; both these products stop users being created IF configured that way.
Token issues: These are well covered in Joomla documentation and forums. They are CSRF tokens, and if yours is not validating then try NOT double-clicking the buttons, check your session handlers are working, and check your cookies are working as expected.
Nothing you say leads me to believe your site is hacked.
The issue I've encountered was about the Joomla native Login module. As I published it on all the pages of my website and clicked on the login link that appeared on the frontend side, I was redirected to a link that looked like
mysite.com/index.php/component/users/?view=login&Itemid=yourid
which displayed the login page correctly. Yet, once I filled in the form and submitted it, the warning message in question popped up. The same problem occurred when either trying to register a new account or reset the password.
Although I couldn't find an explanation for the issue, I managed to fix it by creating Login, Reset and Registration menu items under the main menu and then hiding them, as I didn't want them to show up among the other menu items on the frontend.
When I went back to the frontend and clicked on login, I was now redirected to a different URL that looks like
mysite.com/login
where "login" is the alias that I had chosen for the Login menu item.
After having filled in the form and submitted it, I was able to log in successfully. Likewise, Registration and Reset operations worked.

Facebook user_link returned from Graph API, but leads to "Content Not Found" page

My app requests the user_link permission like this:
loginButton = findViewById(R.id.login_button);
loginButton.setPermissions("email", "user_link", "user_location");
And in the Graph API callback, the link field does contain a URL. However, for some users, selecting the link leads to the "Content Not Found" page. Why is this happening for some users but not all?
I just noticed that this only happens with test users! When Facebook tested my app, they used a name of a real user, but the email address was for a test user. Faked me out totally. I tested with an unfriended user and was able to see their page without a problem.

Msal.js iframe issue with twitter and while choosing from multiple google account

I was going through AzureAD msal library for javascript. I tried to run the test app given in the same github link.
The app runs smoothly with facebook or microsoft account login. But when I try to login with twitter, it throws the following error:
Refused to display 'https://api.twitter.com/oauth/authenticate?oauth_token=....' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://tweetdeck.twitter.com https://tdapi-staging.smf1.twitter.com https://tdapi-staging.atla.twitter.com https://tweetdeck.localhost.twitter.com".
Also, the example works well when I have a single google account logged-in in my browser or when I enter google credential on the google login page. But when I have multiple google accounts logged-in and choose one of them for the app, it throws the following error:
Refused to display 'https://accounts.google.com/o/oauth2/auth?.....' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
In both cases (Twitter and multiple Google accounts), the login happens and an ID token is generated, but it fails to get an access_token using acquireTokenSilent() and throws the above-mentioned error. Then, because of acquireTokenPopup(), the login popup window shows again, and when I enter the same credentials again, I get the access_token.
I have tried using loginRedirect() & acquireTokenRedirect() instead of the popup, but I have seen the same behavior.
What I have understood so far:
In the error cases, the iframe on the app home page is trying to load the Google/Twitter link as its src (which is obviously not allowed).
In the case of successfully acquiring the access_token, I saw that the iframe src has a Microsoft login link (https://login.microsoftonline.com ...).
Can somebody help me understand why this is happening? And if someone has found a way to solve this, please help me out.
I haven't changed anything in the code; I just wanted to understand how msal.js works so that I can implement it in another project.

Google docs redirects to different domain for authorization, when using iframe embed, causing same-origin error

Good day!
I've been googling for a long time, but still no success.
Problem:
Let's suppose we have a Google document which has been embedded into some site with an iframe, following the Google Docs guide. The user has one tab in which he is authorized with his account in Google. He visits our site and sees the document. He can access it, edit it, and whatever he wants.
Now, he decides to change his auth in Google: he logs out and then logs in with a different account. He DOESN'T reload our site (because it is AJAX based), and now he tries to access our document. And here comes a fail. He sees a blank page. In the Chrome JS console there is an error:
Refused to display https://**docs**.google.com/SamplePDFURL in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN.
In the iframe, src = "docs.google.com".
What happens? When the user changed authorization, his cookies were changed and he is no longer authed for this doc, so Google automatically redirects the frame to the account.google.com auth page. BUT! This auth page is on a different domain (ACCOUNT.), and since Google follows the "same origin" security policy, we get an error in the console and a blank iframe for the user.
How to work around this?
Please help, somebody.
As I said, I didn't find any working solution for this.
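Both the msal.js post and this one hit the same browser rule, so here is one added example (not code from either question, from msal.js or from Google) that models the check producing those "Refused to display ... in a frame" messages: framingAllowed() and sourceMatches() are constructed names, and the sample headers and the http://localhost:8080 app origin are assumed.

```javascript
// Added example, not code from the question or from msal.js: a reduced model of the
// browser check behind the "Refused to display ... in a frame" errors quoted above.
// framingAllowed(), sourceMatches() and the sample headers below are constructed.
const origin = (u) => new URL(u).origin;

// Does one frame-ancestors source expression admit this ancestor origin?
function sourceMatches(src, ancestor, framedOrigin) {
  if (src === "'self'") return ancestor === framedOrigin;
  if (src === "'none'") return false;
  if (src === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const a = new URL(ancestor);
  if (scheme && scheme.toLowerCase() + ":" !== a.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? a.hostname.endsWith("." + h) : a.hostname === h;
  return hostOk && (!port || port === a.port);
}

// headers: lower-cased header name -> value. Every ancestor frame must be allowed.
function framingAllowed(framedUrl, headers, ancestorUrls) {
  const framedOrigin = origin(framedUrl);
  const ancestors = ancestorUrls.map(origin);
  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) {
    // frame-ancestors, when present, takes precedence over X-Frame-Options
    const sources = fa.split(/\s+/).slice(1);
    const bad = ancestors.find((anc) => !sources.some((s) => sourceMatches(s, anc, framedOrigin)));
    return bad ? { allowed: false, reason: `ancestor ${bad} violates "${fa}"` }
               : { allowed: true, reason: "frame-ancestors admits every ancestor" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "sameorigin") {
    const bad = ancestors.find((anc) => anc !== framedOrigin);
    return bad ? { allowed: false, reason: `X-Frame-Options sameorigin but ancestor ${bad} differs` }
               : { allowed: true, reason: "every ancestor is same-origin" };
  }
  return { allowed: true, reason: "no framing restriction" };
}

// Constructed sample: the two responses quoted above as a hidden token-renewal
// iframe would receive them, framed by a dev app at http://localhost:8080 (assumed).
const APP = "http://localhost:8080/";
const twitter = framingAllowed("https://api.twitter.com/oauth/authenticate?oauth_token=x",
  { "content-security-policy": "frame-ancestors 'self' https://tweetdeck.twitter.com" }, [APP]);
const google = framingAllowed("https://accounts.google.com/o/oauth2/auth",
  { "x-frame-options": "sameorigin" }, [APP]);
```

The outcome depends only on the framed response's headers and the embedding page's origin, which is why a hidden iframe that lands on a third-party login page (instead of a same-site or permissive one) can never be fixed from the embedding page's side.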

Searching for existing research on http redirects and browser history

For a web app I want to let users review and edit a record they made previously through a browser form. In their confirmation mail, they get an access link with a secret token, like http://myapp.com/edityourstuff/hdD8sF2m. Clicking this link shows them a form in which they can edit the existing data they submitted earlier.
This is not as secure as a username/password combination, but much more convenient and suitable for my situation.
However, I want to make this as secure as possible.
GET URLs
If the link containing the secret access token is disclosed, unauthorised people can access the data. My concern here is about shared/public computers.
I was planning to tackle this problem with the following pattern:
Access to /edityourstuff/ds8sdfhe via link in email
Start a session, store the secret token in there
redirect to clean /edityourstuff without token
The app now has access to the token in the session and can display the form accordingly. And the URL bar does not show it.
My question now is: Do browsers store the initial URL, which immediately redirects to the clean URL, in their history?
I know that the different HTTP redirect status codes (301, 302, 303) have different use cases in theory. Is there any information on how different browsers treat the different redirect codes in respect to (not) storing the initial URL in browser history?
I just did some quick testing myself, with Firefox 7.0.1
When using the above pattern, no matter if 301, 302 or 303 redirect, Firefox does not return to the initial URL when clicking the back button. However, it is shown in the full browsing history and is part of the URL completion list of the browser bar.
This is exactly the drawback I was hoping to avoid.