Making Google Oauth work locally with subdomains - asp.net

I'm developing a website using ASP.NET identity that will work with subdomains that identify a client using some information from here I've got subdomains working locally, but I can't get it to work with OAuth.
For example, if I got to https://localhost:44301 and try to login with Google, everything is fine. In my Google console I have https://localhost:44301 under "Authorized JavaScript origins" and https://localhost:44301/signin-google under "Authorized redirect URIs". But when I go to https://foo.localhost:44301 Google will respond with:
Error: invalid_request
Invalid parameter value for redirect_uri: Non-public domains not allowed: https://foo.localhost:44301/signin-google
When you try to log in. I can add https://foo.localhost:44301 to "Authorized JavaScript origins" in the Google console, but it won't let me add https://foo.localhost:44301/signin-google under authorized redirect URIs because it will complain:
Invalid Redirect: https://foo.localhost:44301/signin-google must end with a public top-level domain (such as .com or .org)
Some other questions and answers suggest redirecting all subdomains to a single domain for OAuth, but ideally I want to keep logins per subdomain. So if you use google to sign it to foo.mydomain.com it will be separate from bar.mydomain.com and I don't think that'll work if I have to redirect both to the same single domain (although I'm not sure that's going to work without separate projects in Google.

Google and in general other OAuth2/OIDC providers will support redirecting to sub-domains. Your specific problem is that you seem to be trying to use sub-domains of localhost which is in the list of Special-Use Domain Names (RFC6761) and it seems Google has additional constraints for those ones.
However, this is not a real limitation because on production you'll use a public top-level domain from from where you'll have the specific sub-domains.
If you need to have this working for local development, you can use localtest.me which allows you to set a sub-domain you like (foo.localtest.me and bar.localtest.me) while still ensuring that the domain resolves to your local machine (127.0.0.1). This should stop Google from complaining about it...

Related

Trusted domains not working for HERE Maps App

In the HERE platform, I added an App under Apps in the Access Manager. I then generated an API key for this app. This API key works when using it on our webapp.
However, when I add a "Trusted domain" and "Enable trusted domains", the key no longer works. I added all variations of our domain:
sub.domain.com
https://sub.domain.com
domain.com
I have waited multiple hours between different attempts and it still doesn't work. When I disable trusted domains, it works again...
The following question seems related but there is no solution: HERE Maps specific domain feature not working
Is this feature not working properly, or am I doing something wrong?
you would need to pass the "Referer" + Your trusted domains in the header.
Example: If you have your IPV4 address in the trusted domain and use some tools like postman to test it. Then add Referer and the IP in the headers. It should work. Thanks

firebase auth => auth/captcha-check-failed and "Hostname match not found" errror

I am getting the following message when trying to use auth.linkWithPhoneNumber(). All other auth services on the same domain are working fine.
auth/captcha-check-failed and "Hostname match not found" errror
https://github.com/firebase/quickstart-js/issues/394
Now I know this issue is reference all over but the solutions are not working for me... The solution i keep finding is to update Authorized Domains however there are 2 reasons that might not be the solution for this app.
All other auth services are working just fine
I am unable to change anything under Authorized Domains.
Login by phone DOES work on localhost, but not in prod
When updating Authorized domain the changes do not save. instead i get the following
Error updating authorized domain list
Question
If the solution for the auth/captcha... is to update domains then why cant i save changes there? If that is likely not the solution then do you know what it could be
I added my domain in the Authorised domain
like if my domain is www.example.com i added example.com
but it's not working
so i try Adding with www.example.com and it worked for me.
Add www.example.com instead of example.com
What's your browser and do you have any Allow CORS extension installed? Try to toggle it to off and try again.

Why can't I add firebase dynamic url as allowed redirect_url for google oAuth?

I am working on a react-native based project where google made it frustratingly hard to implement their oAuth without using an SDK.
First of all, WebView is not allowed to oAuth. So I attempted to implement it through normal browser / chrome tab where redirect is my app id like com.myCompany.myApp but when I add this as allowed oAuth redirect url I get error in google cloud console that this is not a valid redirect id for web based project.
I then tried to set it up with firebase dynamic links, But when I save changes it errors with Request contains an invalid argument.
Different type of OAuth keys have different redirect requirements and best practices. It's too numerous to name them all, so please see this documentation.
In general, if it's an installed app or a mobile app, the redirect URI isn't as important because you are just redirecting back to the app. However for web based app OAuth keys, you will need to be very careful with the redirect because it carries your access token. You can read more about redirect URIs and see what would qualify as a proper URI.
Basically Google makes sure your URI seems ok for your OAuth key type, otherwise it will reject it.
You cant use it because your app id is not an valid URI
This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.
You cant redirect to an app id there is no way of knowing where the redirect should go. The following are valid redirect URIs
http://test.example.com/index.php
http://localhost:38898/signin-google

How to secure HERE API keys?

How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provide an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put domain there but I do not see any change on my app behavior.
The application still continue working fine on my PC. Shouldn't the HERE API stop working as web server is running on localhost and not on the defined domain.
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I tested also running the app on external cloud service on different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. Checked also the api response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.

Firebase Custom Domain Name

I’m having a lot of trouble configuring my custom domain. Currently, if you go to my site www.mydomain.com it redirects to the default somecrazyname.firebase.com. In my google domains, I just have both www.mydomain.com and mydomain.com redirecting to the mycrazyname.firebase.com just for the sake of having something live until I can figure this out. My question is, how do I make it so when you go to www.mydomain.com it stays on www.mydomain.com while showing my amazing content and not somecrazyname.firebase.com.
Everything is configured correctly with firebase as far as my custom url goes(verification, etc.). However, the url firebase gave me is https mydomain.com (where if you go there it says the site can't be displayed) where my domain on Google domains is http. I've tried to configure redirects within my firebase json as well as my synthetic records in Google domains, but have had no such luck and am out of ideas. I've also looked at the firebase hosting custom domains documentation and am just not getting it.
Here are some visuals....
My redirects as seen on Google domains
I'm sure it's just a matter of putting things in the right places, but I have been trying this for a few hours and have not had any luck.
It was the synthetic records that was causing the issue for me. I was using CName records which, by the direction of the firebase support team is good only for subdomain redirects. Below is part of an email from the firebase support team. This is her answer to this as well as some helpful explanations.
Firebase uses TXT records for the verification of your custom domain.
On the other hand, CNAME and/or A records are used for redirection. Please take note of the following:
If you have a subdomain, CNAME records are recommended
Note that the host name with "*" indicates a wildcard. Any subdomains typed before your custom domain will redirect you to your
hosted custom domain.
Otherwise, if you have a custom domain without a subdomain, A records are recommended.
Note that adding both A records will increase redirection performance
Also, kindly remove other A records that are not from Firebase to prevent redirection issues
That's about it. Firebase Static Hosting only needs three records
(TXT, CNAME, A). Other than that, you wouldn't have the need to
implement domain forwarding such as your Synthetic records. Moving
forward though, I would suggest you to remove your Synthetic records
and add the A records I have provided on my previous email.
You should NOT be using a redirect (301 or 302) record for your domain. Instead, you should set a CNAME record. Here's how to fix it:
Delete the second redirect in your screenshot (the one that redirects to Firebase).
Go to the DNS tab of your Google Domains control panel, scroll down to the Custom resource records section, and add a record that looks like this:
www | CNAME | _____ | portfolio-6f15b.firebaseapp.com

Resources