I may not properly understand how to properly implement IdentityServer4 with Xamarin.Auth.
Basically I'm using Xamarin.Auth for multiple cases:
1). logging in with OAuth2 vendors (MS/Google/FB)
2). logging in with self-implemented OAuth2 (not used yet)
Speaking of case 1, after committing the login from the mobile app to Google/MS/FB, I decide what to do further: go to the app's main page or register the user, registering by storing the email as username and the userId (the one that comes from the vendor) as password.
I've implemented IdentityServer4 with AspNetIdentity
From what I've read I need to implement Hybrid Authentication, but the issue here is that it features the need to use a WebView, in case 1 it isn't required anymore.
So basically I think I need to use Authorization Flow but trying to do any of them failed.
https://localhost:44348/connect/authorize?
client_id=XamClient&
client_secret=secret&response_type=code+id_token&
scope=openid&
redirect_uri=https%3A%2F%2Flocalhost%3A44348%2Fxamarincallback&
nonce=7a8ff1c107e345a8b055a8232ec15545&
code_challenge=8Kk9RQ8NX6w3YzL0eU7AWQurWnikb9NS9bVwa5lxhhE&
code_challenge_method=S256&state=d3a7b6a511da413395b2552fb194af2f
My issue here is that most of the examples feature an MVC view that gets this URL as redirectURL, and then after the client commits a POST with his username and password I'll get the AuthorizationCode, RefreshToken and IdentityToken.
I am really uncertain how to properly commit authentication in my case. What should I use?
I can only use
- Implicit
- Authorization Code - this is the only reasonable option for my first scenario ?
- Hybrid mode - tried all day to implement this, realizing it's not possible...
Anyways, after looking at the logs I've seen a sudden dubious redirect to the Account controller (asp login controller)
{
"name": "Microsoft.ApplicationInsights.Dev.Request",
"time": "2017-09-12T11:26:56.5388249Z",
"tags": {
"ai.location.ip": "127.0.0.1",
"ai.internal.nodeName": "EDWARD",
"ai.operation.id": "152eb716-4ff8951dec6a1ed1",
"ai.internal.sdkVersion": "aspnet5c:2.1.1",
"ai.application.ver": "1.0.0.0",
"ai.operation.name": "GET /connect/authorize",
"ai.cloud.roleInstance": "EDWARD"
},
"data": {
"baseType": "RequestData",
"baseData": {
"ver": 2,
"id": "|152eb716-4ff8951dec6a1ed1.",
"name": "GET /connect/authorize",
"duration": "00:00:00.1530713",
"success": true,
"responseCode": "302",
"url": "https://localhost:44348/connect/authorize?client_id=AnonymousCheckerClient&client_secret=secret&response_type=code+id_token&scope=openid&redirect_uri=https:%2F%2Flocalhost:44348%2Fxamarincallback&nonce=af1427d39dc2463697047a834169fdcf&code_challenge=UUi0a9cfhrcGvzddV9eh0Lc8cdr5WE-ZwSzwbY7ReNQ&code_challenge_method=S256&state=aafde38b65044c35b83a1fcb8771de2e",
"properties": {
"httpMethod": "GET",
"AspNetCoreEnvironment": "Development",
"DeveloperMode": "true"
}
}
}
},
{
"name": "Microsoft.ApplicationInsights.Dev.Message",
"time": "2017-09-12T11:26:56.6993438Z",
"tags": {
"ai.location.ip": "127.0.0.1",
"ai.operation.parentId": "|152eb717-4ff8951dec6a1ed1.",
"ai.internal.nodeName": "EDWARD",
"ai.operation.id": "152eb717-4ff8951dec6a1ed1",
"ai.internal.sdkVersion": "aspnet5c:2.1.1",
"ai.application.ver": "1.0.0.0",
"ai.operation.name": "GET /account/login",
"ai.cloud.roleInstance": "EDWARD"
},
"data": {
"baseType": "MessageData",
"baseData": {
"ver": 2,
"message": "Request starting HTTP/1.1 GET http://localhost:44348/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DAnonymousCheckerClient%26client_secret%3Dsecret%26response_type%3Dcode%2520id_token%26scope%3Dopenid%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44348%252Fxamarincallback%26nonce%3Daf1427d39dc2463697047a834169fdcf%26code_challenge%3DUUi0a9cfhrcGvzddV9eh0Lc8cdr5WE-ZwSzwbY7ReNQ%26code_challenge_method%3DS256%26state%3Daafde38b65044c35b83a1fcb8771de2e",
"severityLevel": "Information",
"properties": {
"AspNetCoreEnvironment": "Development",
"Protocol": "HTTP/1.1",
"Host": "localhost:44348",
"QueryString": "?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3DAnonymousCheckerClient%26client_secret%3Dsecret%26response_type%3Dcode%2520id_token%26scope%3Dopenid%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44348%252Fxamarincallback%26nonce%3Daf1427d39dc2463697047a834169fdcf%26code_challenge%3DUUi0a9cfhrcGvzddV9eh0Lc8cdr5WE-ZwSzwbY7ReNQ%26code_challenge_method%3DS256%26state%3Daafde38b65044c35b83a1fcb8771de2e",
"Scheme": "http",
"Path": "/account/login",
"DeveloperMode": "true",
"CategoryName": "Microsoft.AspNetCore.Hosting.Internal.WebHost",
"Method": "GET"
}
}
}
}
Having analyzed IdentityServer4 from Git, this /authorize endpoint only accepts GETs and no user/pw.
Edit 01:
I've checked this resource and it confuses me with my scenario (1)...
https://developer.xamarin.com/guides/xamarin-forms/enterprise-application-patterns/authentication-and-authorization/
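An added example (Python, not code from the original post or from IdentityServer4): a check of the authorize URL shown in the question. It flags the `client_secret` query parameter, which ends up in request logs exactly as in the Application Insights entries above, and derives an S256 `code_challenge` from a `code_verifier` as RFC 7636 defines it. The function names `s256_challenge` and `audit_authorize_url` are hypothetical.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qs

# Authorize request from the question (values copied from the post).
AUTHORIZE_URL = (
    "https://localhost:44348/connect/authorize?"
    "client_id=XamClient&client_secret=secret&response_type=code+id_token&"
    "scope=openid&redirect_uri=https%3A%2F%2Flocalhost%3A44348%2Fxamarincallback&"
    "nonce=7a8ff1c107e345a8b055a8232ec15545&"
    "code_challenge=8Kk9RQ8NX6w3YzL0eU7AWQurWnikb9NS9bVwa5lxhhE&"
    "code_challenge_method=S256&state=d3a7b6a511da413395b2552fb194af2f"
)

def s256_challenge(code_verifier):
    """RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def audit_authorize_url(url):
    """Return findings for a front-channel OAuth2/OIDC authorize request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if "client_secret" in params:
        findings.append("client_secret in URL: it is logged and visible to the browser")
    # '+' in the query decodes to a space, so "code+id_token" yields two values.
    response_types = set(params.get("response_type", "").split())
    if "id_token" in response_types and "nonce" not in params:
        findings.append("id_token requested without nonce")
    if "code" in response_types:
        if "code_challenge" not in params:
            findings.append("code requested without PKCE code_challenge")
        elif params.get("code_challenge_method") != "S256":
            findings.append("PKCE not using S256")
        elif len(params["code_challenge"]) != 43:
            # SHA-256 is 32 bytes, which is 43 base64url characters unpadded.
            findings.append("S256 code_challenge must be 43 base64url chars")
    if "state" not in params:
        findings.append("missing state (CSRF protection for the redirect)")
    return findings

if __name__ == "__main__":
    for finding in audit_authorize_url(AUTHORIZE_URL):
        print(finding)
```
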
I am trying to set up my own App in Integromat.
What is required for my App is a URL (and later a Bearer Token) to be entered manually by the user who wants to use my App.
I have the App's Base:
{
"baseUrl": "{{connection.url}}",
"log": {
"sanitize": ["request.headers.authorization"]
}
}
a Connection:
Parameters:
[
{
"name": "url",
"label": "url",
"type": "text",
"required": true,
"value":"https://my-server"
}
]
and the Scenario:
{
"url": "/api/endpoint",
"method": "GET",
"qs": {},
"headers": "{{connection.headers}}",
"response": {
"output": "{{body}}"
}
}
When I execute the scenario from my App, the URL seems not to be correctly taken over from the one configured inside the connection parameters.
Can someone help?
Everything was right. I had to delete the old Connection and create a new one.
I have a user's refresh token with these scopes:
'https://www.googleapis.com/auth/analytics https://www.googleapis.com/auth/analytics.edit https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/analytics.manage.users'
The user has a few accounts, and a forbidden error occurs for the XXXX2 account when I try to give another user access to an account (you can see the code and the account list JSON below). I checked this account's effective permissions field and I see that it is an empty array, as you can also see below.
In my opinion, the reason for this error is that this user does not have ‘manage_users’ permissions for this account (XXXX2), so this is an expected error, isn't it?
PS: I can link XXXX1 properly with the below code.
My code :
# Grant EDIT and MANAGE_USERS on the account to the user identified by email.
linkAccount = self.service.management().accountUserLinks().insert(
    accountId=accountId,
    body={
        'permissions': {
            'local': [
                'EDIT',
                'MANAGE_USERS'
            ]
        },
        'userRef': {
            'email': email
        }
    }
).execute()
User Account list :
{
"id": "XXXX1",
"kind": "analytics#account",
"selfLink": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX1",
"name": "XXXX1",
"permissions": {
"effective": [
"COLLABORATE",
"EDIT",
"MANAGE_USERS",
"READ_AND_ANALYZE"
]
},
"created": "2014-02-17T17:52:10.911Z",
"updated": "2019-06-04T16:06:12.717Z",
"childLink": {
"type": "analytics#webproperties",
"href": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX1/webproperties"
}
},
{
"id": "XXXX2",
"kind": "analytics#account",
"selfLink": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX2",
"name": "XXXX2",
"permissions": {
"effective": []
},
"created": "2015-07-02T19:11:16.307Z",
"updated": "2019-03-05T21:16:19.552Z",
"childLink": {
"type": "analytics#webproperties",
"href": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX2/webproperties"
}
}
Error Code :
<HttpError 403 when requesting https://analytics.googleapis.com/analytics/v3/management/accounts/XXXXX/entityUserLinks?alt=json returned "User does not have permission to perform this operation.". Details: "User does not have permission to perform this operation."
I would check what access the currently authenticated user has to the account in question.
If the user you are authenticated with only has read access to the Analytics account, they're not going to be able to give your application the ability to add another user.
I'm trying to migrate my app from LinkedIn API v1 to v2. I'm currently looking at sharing images (natively) to my personal LinkedIn profile.
I'm following the official docs here: https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/share-on-linkedin#create-an-image-share
To register the image I made the following POST request to https://api.linkedin.com/v2/assets?action=registerUpload:
{
"registerUploadRequest": {
"recipes": [
"urn:li:digitalmediaRecipe:feedshare-image"
],
"owner": "urn:li:person:9PyfTxBTFY",
"serviceRelationships": [
{
"relationshipType": "OWNER",
"identifier": "urn:li:userGeneratedContent"
}
]
}
}
I got the success response:
{
"value": {
"uploadMechanism": {
"com.linkedin.digitalmedia.uploading.MediaUploadHttpRequest": {
"headers": {},
"uploadUrl": "https://api.linkedin.com/mediaUpload/C4D22AQEGOHxBzKUXvw/feedshare-uploadedImage/0?ca=vector_feedshare&cn=uploads&m=AQLhYJm0KOaTCgAAAWhSDplI-Lzlfh7lOsd8D5qBcz0aJ2bf1fwIfnh8ow&app=5212106&sync=0&v=beta&ut=0rKn179ebIA8A1"
}
},
"mediaArtifact": "urn:li:digitalmediaMediaArtifact:(urn:li:digitalmediaAsset:C4D22AQEGOHxBzKUXvw,urn:li:digitalmediaMediaArtifactClass:feedshare-uploadedImage)",
"asset": "urn:li:digitalmediaAsset:C4D22AQEGOHxBzKUXvw"
}
}
I successfully uploaded an image as binary using the returned uploadUrl:
curl -i --upload-file PATH_TO_FILE --header "Authorization: Bearer TOKEN" 'https://api.linkedin.com/mediaUpload/C4D22AQEGOHxBzKUXvw/feedshare-uploadedImage/0?ca=vector_feedshare&cn=uploads&m=AQLhYJm0KOaTCgAAAWhSDplI-Lzlfh7lOsd8D5qBcz0aJ2bf1fwIfnh8ow&app=5212106&sync=0&v=beta&ut=0rKn179ebIA8A1'
To confirm that the image is ready for use, I checked the status of the asset with the GET https://api.linkedin.com/v2/assets/C4D22AQEGOHxBzKUXvw which returned
{
"serviceRelationships": [
{
"identifier": "urn:li:userGeneratedContent",
"relationshipType": "OWNER"
}
],
"recipes": [
{
"recipe": "urn:li:digitalmediaRecipe:feedshare-image",
"status": "AVAILABLE"
}
],
"mediaTypeFamily": "STILLIMAGE",
"created": 1547564914979,
"lastModified": 1547564994321,
"id": "C4D22AQEGOHxBzKUXvw",
"status": "ALLOWED"
}
Based on the docs, I can now simply reference the asset URN in the UGC post.
This is the test image post I'm trying to share using the https://api.linkedin.com/v2/ugcPosts endpoint
{
"author": "urn:li:person:9PyfTxBTFY",
"lifecycleState": "PUBLISHED",
"specificContent": {
"com.linkedin.ugc.ShareContent": {
"shareCommentary": {
"text": "Testing LinkedIn image shares"
},
"shareMediaCategory": "IMAGE",
"media": [
{
"status": "READY",
"description": {
"text": "Some text"
},
"media": "urn:li:digitalmediaAsset:C4D22AQEGOHxBzKUXvw",
"title": {
"text": "Some title"
}
}
]
}
},
"visibility": {
"com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC"
}
}
But I keep getting the error:
{
"message": "Attempting to associate a ugc with an asset that's not owned by the author",
"status": 400
}
The above request works perfectly when trying to share a status update or a link attachment.
I haven't tried it with videos yet (similar approach) since I assume I will face the same problem. I haven't tried sharing as an organization either since I need to be accepted to the LinkedIn Marketing Developer Program first.
I can confirm that this has been fixed by the LinkedIn Developer Team. Follow the same steps as above and it should work perfectly, as long as the authenticated user has granted the w_member_social permission.
On the last request I now get 201 Created response with the header X-RestLi-Id containing the link to the new post urn:li:share:6494126499975700480.
https://www.linkedin.com/feed/update/urn:li:share:6494126499975700480
P.S. If you're re-trying an old request / registered upload, it won't work, so make sure you try it with a new asset. I believe the bug was when registering uploads.
I am trying to create a video post on LinkedIn with the new ugc endpoint.
There are two steps to create this type of post:
1). Upload the video asset on the LinkedIn server (done)
2). Make a POST request to the ugc endpoint with the request body
I have successfully uploaded the video but am getting an authentication error for the ugc post request. The error is:
{
"message": "urn:li:developerApplication:<id1> does not have permission to create ugc posts with author: li:member:<id2>",
"status": 401
}
I am passing the request body as suggested in the linkedin api docs.
{
"author": "urn:li:person:<id>",
"lifecycleState": "PUBLISHED",
"specificContent": {
"com.linkedin.ugc.ShareContent": {
"media": [
{
"title": {
"attributes": [],
"text": "Sample Video Create"
},
"description": {
"attributes": [],
"text": "Sample Description"
},
"media": "urn:li:digitalmediaAsset:<asset_id>",
"thumbnails": [],
"status": "READY"
}
],
"shareCommentary": {
"attributes": [],
"text": "Some share text"
},
"shareMediaCategory": "VIDEO"
}
},
"visibility": {
"com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC"
},
"targetAudience": {
"targetedEntities": [
{
"locations": [
"urn:li:country:us"
]
}
]
}
}
Please suggest how I can solve this problem. From the error message it seems like I am not providing some permission, but I am not sure where I am making a mistake.
This is the response I got from the LinkedIn Developer Support:
"Hi Ervin,
Creating video UGC posts is currently a whitelisted feature. There is currently a hold on whitelisting new apps for video.
You may continue to create UGC posts that are not video though.
I'll put this on hold until I have more information on when we can whitelist apps again.
Best,
Alex"
I have a basic auth secured API, but after filling in the authentication credentials, they are not applied to the request header. I saw "ERROR Server not found or an error occurred" in Swagger Editor and "401 Unauthorized" in Fiddler.
User Name and Pwd : odata and qtkr47PTM3pmzLyEHNrW4DXhhgyjMfM3CKUZfXdn0tk=
Here is my swagger json
{
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "Basic Auth Example",
"description": "An example for how to use Basic Auth with Swagger.\nServer code is available [here](http://navm3.cloudapp.net:90/nav/odata). It's running on NAVM3.\n\n**You can use below User Name and Password for test.**\n* User Name: `ODATA`\n* Password: `qtkr47PTM3pmzLyEHNrW4DXhhgyjMfM3CKUZfXdn0tk=`\n"
},
"host": "navm3.cloudapp.net:90",
"basePath": "/nav/odata",
"schemes": [
"http"
],
"securityDefinitions": {
"basicAuth": {
"type": "basic",
"description": "HTTP Basic Authentication. Works over `HTTP` and `HTTPS`"
}
},
"paths": {
"/": {
"get": {
"security": [
{
"basicAuth": []
}
],
"responses": {
"200": {
"description": "Will send `Authenticated` if authentication is succesful, otherwise it will send `Unauthorized`"
}
}
}
}
}
}
I had the same problem, but the problem was in the NodeJS back-end.
If you are using NodeJS, the problem is probably with CORS. You should enable CORS in NodeJS with Express and everything will work.
To enable CORS in NodeJS you can add the code below, before the routes.
var express = require('express');
var app = express();

// Add CORS response headers to every response, before the routes are registered.
app.use(function(req, res, next) {
    res.setHeader('Access-Control-Allow-Origin', '*');
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, UPDATE, DELETE, OPTIONS');
    res.setHeader('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
    next();
});
Try to replace the following part:
"securityDefinitions": {
"basicAuth": {
"type": "basic",
"description": "HTTP Basic Authentication. Works over `HTTP` and `HTTPS`"
}
},
with the following:
"securityDefinitions": {
"basicAuth": {
"type": "http",
"scheme": "basic"
}
},
keeping the rest as is.
Here is the reference: https://swagger.io/docs/specification/authentication/basic-authentication/
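An added example (Python, not code from the posts above or from Swagger): it shows what the Basic `Authorization` header for this API contains and lints the security section of a Swagger 2.0 document like the one in the question. Swagger 2.0 declares basic auth as `"type": "basic"` under `securityDefinitions`, while OpenAPI 3.0 uses `"type": "http"` with `"scheme": "basic"` under `components.securitySchemes`. The spec excerpt is constructed with the password redacted, and the function names are hypothetical.

```python
import base64

# Constructed excerpt of the Swagger 2.0 document in the question (password redacted).
SPEC = {
    "swagger": "2.0",
    "info": {"description": "* User Name: `ODATA`\n* Password: `<redacted>`"},
    "schemes": ["http"],
    "securityDefinitions": {"basicAuth": {"type": "basic"}},
}
SWAGGER2_TYPES = {"basic", "apiKey", "oauth2"}  # security types valid in Swagger 2.0

def basic_header(user, password):
    """RFC 7617: 'Basic ' + base64(user ':' password). Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def decode_basic(header):
    """Recover the credentials from a captured header, as any on-path observer can."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def lint_security(spec):
    """Return findings for the security section of a Swagger 2.0 document."""
    if spec.get("swagger") != "2.0":
        return ["not a Swagger 2.0 document; these checks do not apply"]
    findings = []
    uses_basic = False
    for name, definition in spec.get("securityDefinitions", {}).items():
        kind = definition.get("type")
        if kind not in SWAGGER2_TYPES:
            findings.append(f"{name}: type '{kind}' is not a Swagger 2.0 security type")
        uses_basic = uses_basic or kind == "basic"
    if uses_basic and "http" in spec.get("schemes", []):
        findings.append("basic auth offered over plain http: credentials are recoverable")
    if "password" in spec.get("info", {}).get("description", "").lower():
        findings.append("info.description appears to publish a password")
    return findings

if __name__ == "__main__":
    print(decode_basic(basic_header("demo-user", "demo-pass")))  # constructed credentials
    for finding in lint_security(SPEC):
        print(finding)
```
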