I have been trying to figure this out all day. I have an one application that forwards to another application in order to handle logins. The first application redirects to a webAPI URL. That url then takes one of the parameters and creates a token. It then sends a 403 response with a Set-Cookie Header. The cookie that is sent is that header is never being set.
After a bunch of research I thought that It might need a P#P header so I have tried various combinations of that.
Here is the Code:
Public Function Authenticate(t As String, forwardURL As String) As HttpResponseMessage
Dim resp As New HttpResponseMessage()
If VestigoBusinessObjects.UserToken.IsValid(t, EncType.AES) Then
Dim user As New UserToken(t, EncType.AES)
user.ResetExperation()
'Create usertoken cookie
Dim Cookie = New CookieHeaderValue("t", user.GetEncTicket())
Cookie.Expires = DateTimeOffset.Now.AddDays(1)
Cookie.Domain = Request.RequestUri.Host
Cookie.Path = "/"
resp.Headers.AddCookies(New CookieHeaderValue() {Cookie})
resp.StatusCode = HttpStatusCode.RedirectMethod
resp.Headers.Location = New Uri(forwardURL)
resp.Headers.Add("Pragma", "no-cache")
resp.Headers.Add("Cache-Control", "no-cache")
Return resp
End If
resp.StatusCode = HttpStatusCode.Unauthorized
Return resp
End Function
Here are the headers that I see being set back in the browser:
Request URL:deleted because it won't let me post them?
t=bB%2B%2FpRLq%2BzobRcXgQuw5rjMa8Yeb1Wxb7qIZCtjLfwiN8RNT%2BQYjzIuWI9j3JPn4qnpXpgK%2F%2B6ucL96lBmpD6ryIbFJvP3yPOfJjXuZsECfWlj58etczEco79q0SNJj0c%2BwKLREh5FWMfTvN%2BQxSn8nMEr6JzS06CuPizM1k0Kef52ZrHVkxHDv6qVyGLJrxRFebwbpFT0LNMCCihJ%2BZ%2FbmfvvKl9lfg18vHT8nhL1dDtAlR0Fd%2FdSuB5L6Yg3Yj%3F%3FHKZNy0zYBTVwdL7NXMFGXw%3D%3D&forwardurl=http%3A%2F%2Flocalhost%3A4644%2FInternalMonitor.html
Request Method:GET
Status Code:303 See Other
Remote Address:[::1]:4644
Response Headers
Cache-Control:no-cache
Content-Length:0
Date:Tue, 29 Nov 2016 22:58:11 GMT
Location:deleted because it won't let me post them
P3P:CP="IDC DSP COR IVAi IVDi OUR TST"
Pragma:no-cache
Server:Microsoft-IIS/10.0
Set-Cookie:t=5524596D26C583E9DEAC935880DD6FE40D579B362A63EECE67942CD0DCEDDE47D5B6B367AF3547A93E4F309C12F2607EED1F02E19D698D2BAD97E6E9BB1FD807EF331842AEA6B62CE0BFF90206F62B31EAAB5035BD26BC66B89D1A8A676E47FB2CD007B5644487781D79DD0D26454B16E60EF96E6034EA350F8190C0317BCF3CA0875EAA41795014F1F1430E55E79E56E911BA097F09E89DAF3BC86BFE8E5EC6E74C72CDB500005E0E0FDA6E2B394A8400DDB63C4B33EA755D0D083A87B5B1244F1529353FE758EF666ECBA57BEE50AF4D319AB42F1183A3244E01AF87A3F9CADF8861DC29497945052CC568E6B4D996A9E0F8139CEEF4DCCCBB1990F138F735D2FC6FEFA352430FE9CB999926A47EA374E87895F8079F3C0550A45000EF26E030E14CE814E823BCC788E4882CCBCC795FAAC7C9BC4D7A5BEBD902CF79900296D61DC277A2CC375AEBE3FEAF6E605CC167DF757A8805332C33E32A6B8DECF3C92DCB96B7A4E015499D6B5FFB807FAA69408A74EFE323C58C796027ED89D39E4F6C22B3865B301B7B1BF77C1CA4B2AD39B245E9B0388B3D2D3D9C33DFD577ED633F9AB82AC2A63DA608BBCA32FFCEC96FE7CB299930674745018B81BE606C6181F0A5C94AA6DB025A6B5829ABCABD4A7A075BE33246CBE151D320904AA3643C6AE7E4DBA553500AB19522970036DA64323E1A4352241DB8CF4FEE6FE121135DC9364F8A2C3ADA4346BAFBF8B18F7875F3; expires=Wed, 30 Nov 2016 22:58:12 GMT; domain=localhost; path=/
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?
YzpcVEZTXFZlc3RpZ29cVGVzdFxDZW50cmFsTW9uaXRvclxhcGlcQXV0aGVudGljYXRpb25Db250cm9s
bGVyXEF1dGhlbnRpY2F0ZQ==?=
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.
8
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Cookie:ASP.NET_SessionId=cnru1r4g0svzeomwglkwestw; .ASPXAUTH=1566301093F4FC41F147432F8A4B044E3A19EFC46C47A1BE54F95A98E08EE8952197E5212230F0416776480CA3496036DCA0C0B8AEF0D08675D4B20E655E107F055E1D60150BF84334F65FE63E134B0252EF3B8F02E1E0BC372DBA80006300215AAE095F4333F48BB04D0DF315D825BF1A1B0F27A81E32E82ACEEA791BF11551A8F96A1B0AED9EC11EEA5EF34AE03406; hoursDiffGMTTime=-5; ScreenResolution=1920x1080; BrowserResolution=1920x950; t=FDB5B335C4DCE820A037947D7A19D487FF44AB3CC2EA8E44FB6EA59FDA43E14BA53B0E455EED57C63040B8995C67C9B96146516B600B0ED4FC397DFFBE16FA259C554AC24A2CCBB99537FBA6BAC2F1F78031BD3F0D11FED97B57CB401738319890ACD128926B3DF05AEAE975979B18DE32A60795FB8360B4D1CB8517B7E34E7B14EF0EBE77036FA72504F3C2B12B2C147D6599C1357F2789A09134B9F2020F4A413E96A5DBE0E725E09EAEB82AB8DFAB212760E5D09501BC0AD9248119CAF245E2B448437529A7AF72725E0DB2EA2975915D934B13E6226C4DF0D1E4426B25DA6822F1D678127B30736355B645729501888C5079629052467C5AB0458709AEE6B3BA04363951DDDCE33DA656C5B1E3979A7BFD182459074B3588856A0859FCFBC5EB95A6BF8C6ECAF9623E8A2E167580191C1C3BE89446FA212E0E908578DC7CE1E99F11CCD460A2E07E1D53F25DA96AFD92D9D13B753C80015E7E2722A1F473D1E958CA0FA19DA3F959E4A813D55C8468B8A16F959C7F3469D71F6433282FE5C03B5FFEE32ED2739CBB4ECBF79D8573769F497A954B58611F7FB9D3EB256492675F36523E6557545FC9AFD27A04360835AD5DC54CE94372FAB5830AEB7FAE086E1D13837ADB91EEC76C0F12614524E98B0D5B0C6D833490D280F62FDBF69706896D9B5EDDD2B59C8DF3A82CEF4475941A319BBD03FB4C16522B5188081943EDFEB0DFD857FB853D903B036DF66F0B9F
Host:localhost:4644
Pragma:no-cache
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Query String Parameters
t:bB+/pRLq+zobRcXgQuw5rjMa8Yeb1Wxb7qIZCtjLfwiN8RNT+QYjzIuWI9j3JPn4qnpXpgK/+6ucL96lBmpD6ryIbFJvP3yPOfJjXuZsECfWlj58etczEco79q0SNJj0c+wKLREh5FWMfTvN+QxSn8nMEr6JzS06CuPizM1k0Kef52ZrHVkxHDv6qVyGLJrxRFebwbpFT0LNMCCihJ+Z/bmfvvKl9lfg18vHT8nhL1dDtAlR0Fd/dSuB5L6Yg3Yj??HKZNy0zYBTVwdL7NXMFGXw==
forwardurl: deleted because it won't let me post them
Any input would really be appreciated.
Related
How is it possible to make a request by HttpClient with the HTTP request header Sec-Fetch-Mode: no-cors in Blazor Webassembly?
My actuel code is :
var hc = new HttpClient();
var responseHTTP = await hc.GetAsync("https://www.somedomain.com/api/");
But this produces the following HTTP request headers :
:authority: www.somedomain.com
:method: GET
:path: /api/json?input=test&key=AIzaSyDqWvsxxxxxxxxxxxxxxxxx1R7x2qoSkc&sessiontoken=136db14b-88bd-4730-a0b2-9b6c1861d9c7
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
origin: http://localhost:5000
referer: http://localhost:5000/places
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
x-client-data: CJS2yQxxxxxxxxxxxxxxxxxxxxxxxxygEI7bXKAQiOusoBCObGygE=
To specifically answer your question, you need to create a HttpRequestMessage first.
e.g.
var request = new HttpRequestMessage(HttpMethod.Get, "https://www.somedomain.com/api/");
request.SetBrowserRequestMode(BrowserRequestMode.NoCors);
request.SetBrowserRequestCache(BrowserRequestCache.NoStore); //optional
using (var httpClient = new HttpClient())
{
var response = await httpClient.SendAsync(request);
var content = await response.Content.ReadAsStringAsync();
}
This will correctly set the sec-fetch-mode header to no-cors
I've found however, that the response comes back as empty even though upon inspection in fiddler the response is there.
The closest I got to understanding the problem is through this issue here but unfortunately the bug was closed.
I have an app to create server certificate requests, just as if one were using java keytool or something. I'm trying to return the created certificate request and the key in a zip file, but for the life of me, I can't get my REST controller to respond to the http request. CORRECTION: The controller responds, but the code within the method is never executed.
The server does receive the request, because my CORS filter is executed. But I have a debug set in the controller method, and it's never triggered. Is the signature of the method correct? I need another set of eyes, please?
Here is my controller code:
#RequestMapping(method = RequestMethod.POST, value = "/generateCert/")
public ResponseEntity<InputStreamResource> generateCert(#RequestBody CertInfo certInfo) {
System.out.println("Received request to generate CSR...");
byte[] responseBytes = commonDataService.generateCsr(certInfo);
InputStreamResource resource = new InputStreamResource(new ByteArrayInputStream(responseBytes));
System.out.println("Generated CSR with length of " + responseBytes.length);
return ResponseEntity.ok()
.header(HttpHeaders.CONTENT_DISPOSITION, "attachment;filename=certificate.zip")
.contentType(MediaType.parseMediaType("application/zip"))
.contentLength(responseBytes.length)
.body(resource);
}
And here is the Angular request:
generateCertificate(reqBody: GenerateCert) {
let headers = new Headers();
headers.append('Content-Type', 'application/json');
this.http.post(this.urlGenerateCert, JSON.stringify(reqBody), {headers: headers}).subscribe(
(data) => {
let dataType = data.type;
let binaryData = [];
binaryData.push(data);
this.certBlob = new Blob(binaryData);
});
return this.certBlob;
}
And finally, the request and response headers I copied from the Network Panel:
Response
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization, Accept, X-Requested-With, remember-me
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Thu, 27 Dec 2018 22:48:00 GMT
Expires: 0
Location: http://localhost:8102/login
Pragma: no-cache
Set-Cookie: JSESSIONID=EDACE17328628D579670AD0FB53A6F35; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Request
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 205
Content-Type: application/json
Host: localhost:8102
Origin: http://localhost:4200
Referer: http://localhost:4200/generateCerts
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
I really struggled with getting CORS working, so maybe that's interfering with the request? I hate to post all that code unless absolutely necessary. Anybody got any ideas?
Listing of request/response headers lack information on URL, method and most important response status code.
Seeing Location: http://localhost:8102/login among response headers I can guess that it could be 401 Unauthorized or anything else that redirects to the login page. Hence, if there is an auth filter in the filter chain, it may be a culprit.
The following request headers
Host: localhost:8102
Origin: http://localhost:4200
suggests that you are doing CORS and the CORS filter may be involved indeed and fulfill response before the request gets routed to the controller. I suggest setting a breakpoint into the CORS filter (and into others if any) and debug it to the point where the response is returned.
define a proxy.conf.json
{
"/login*": {
"target":"http://localhost:8080",
"secure":false,
"logLevel":"debug"
}
}
now in your package.json
"scripts": {
"start":"ng serve --proxy-config proxy.config.json"
}
I think there is issue while getting connection in both webapp.please try .
When Angular encounters this statement
this.http.post(url,body).subscribe(data => # some code
);
It comes back immediately to run rest of the code while service continues to execute. Just like Future in Java.
Here if you
return this.cert;
You will not get the value that may eventually get populated by the this.http service. Since the page has already rendered and the code executed. You can verify this by including this within and outside the Observable.
console.log(“Inside/outside observable” + new Date().toLocalTimeString());
Thanks to everyone who contributed. I discovered the error was due to the headers of my controller method. After changing them, the method was invoked properly. This is what worked:
#RequestMapping(method = RequestMethod.POST, path = "/generateCert",
produces = {MediaType.APPLICATION_OCTET_STREAM_VALUE}, consumes = {MediaType.APPLICATION_JSON_VALUE})
public ResponseEntity<byte[]> generateCert(#RequestBody CertInfo certInfo) {
byte[] responseBytes = commonDataService.generateCsr(certInfo);
return ResponseEntity.ok()
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_OCTET_STREAM_VALUE)
.contentLength(responseBytes.length)
.body(responseBytes);
}
I followed the link https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication to set up Facebook login.
In the https://developers.facebook.com/apps, the "Valid OAuth redirect URIs" has the following URIs
https://myapp.azurewebsites.net/signin-facebook
https://myapp.azurewebsites.net/.auth/login/facebook/callback
However, the site cannot login - the login page just stays. Type an Url https://myapp.azurewebsites.net/event will always redirect to https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent.
The following is the Net traffic captured by fiddler. It seems the request is denied when GET https://myapp.azurewebsites.net/signin-facebook?code=.... (Response: Location: /Account/ExternalLoginCallback?error=access_denied)
------------------------------------------------------------------
GET https://www.facebook.com/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.facebook.com
Cookie: fr=0RObsAfMX8N2oDE0P.AWUijY5j4ajj3MWCbj2nVPEp4Go.BY9tIg.oW.Fj2.0.0.BY-AuR.AWU2VfKJ; datr=INL2WBkTq1-aa6V7IMJUUMMw; dats=1; sb=JNL2WJ2XCIs_K6QaFHEcvbTM; c_user=100000343225510; xs=251%3A-D7EtOmwXRbYlQ%3A2%3A1492570660%3A12220; pl=n; lu=ggNZWbJ4ElBZhc5tOVdylWWA; presence=EDvF3EtimeF1492652361EuserFA21B00343225510A2EstateFDutF1492652361094CEchFDp_5f1B00343225510F195CC
HTTP/1.1 302 Found
Location: https://myapp.azurewebsites.net/signin-facebook?code=AQC2JMYoeLmJAHtkTiHMTEckID_cdoJZ0eFkuffNCSh-XDzgZWCm-cJbDyIMJaLEa-mLApgU54MoppjOS0CH3b6jWCN-VDXsqq7z-6TALE35OdralWJRFSZQs7k-_4qBk4Vl8HmeW0INO5V4NL9nVU1tlDSqF6PoAN4Dee5DvvJyr_w_-ZE2ZG_dfY5zcq2-G9dNcqVGDs3YWzDQfP3VmWu-4kFZ3YUC8ENfFoUZPw8uvOBGPEgr_92aK8cQJnLXd1k98jCKb-sIzQHB9XCfUFW1QrMeww4EqvTvINl0Pu0O8l--M-zATFoMnQW6et8RRhBarAbmYSVMGCkClEFUDPe9Mcn8-qsFr1WBv4kqtLrnSA&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE#_=_
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v2.8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
X-XSS-Protection: 0
Content-Type: text/html
X-FB-Debug: BOC8IkjZ4va1buTLdHl+OgLKK4ymT3oyi4SALf8bnAQx2MDqHkCvmTGsTMngZazRs0dFZ6SSHYSi0U6mcbaQNw==
Date: Thu, 20 Apr 2017 01:42:19 GMT
Connection: keep-alive
Content-Length: 0
------------------------------------------------------------------
GET https://myapp.azurewebsites.net/signin-facebook?code=AQC2JMYoeLmJAHtkTiHMTEckID_cdoJZ0eFkuffNCSh-XDzgZWCm-cJbDyIMJaLEa-mLApgU54MoppjOS0CH3b6jWCN-VDXsqq7z-6TALE35OdralWJRFSZQs7k-_4qBk4Vl8HmeW0INO5V4NL9nVU1tlDSqF6PoAN4Dee5DvvJyr_w_-ZE2ZG_dfY5zcq2-G9dNcqVGDs3YWzDQfP3VmWu-4kFZ3YUC8ENfFoUZPw8uvOBGPEgr_92aK8cQJnLXd1k98jCKb-sIzQHB9XCfUFW1QrMeww4EqvTvINl0Pu0O8l--M-zATFoMnQW6et8RRhBarAbmYSVMGCkClEFUDPe9Mcn8-qsFr1WBv4kqtLrnSA&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: myapp.azurewebsites.net
Cookie: __RequestVerificationToken=49xMNw5ePC60qAaVBtxq5TAbkgpGbkcPyb5OcWmO0CYNstOX7vUQJAST80cvsFM16l0USNgUCr9b5RCn3cnXXlsGhpz33rme4A_HRw1QFNY1; ARRAffinity=f86b281b78014bea7ff499f4d5d3d562aafe8f1cf9e24d7ef4dc3d48d94a9c32; .AspNet.Correlation.Facebook=hcA83RJONYyZTzuT0I3kTRJM6DTK9OUsmmrQKV_mAkU
HTTP/1.1 302 Found
Content-Length: 0
Location: /Account/ExternalLoginCallback?error=access_denied
Server: Microsoft-IIS/8.0
Set-Cookie: .AspNet.Correlation.Facebook=; expires=Thu, 01-Jan-1970 00:00:00 GMT
X-Powered-By: ASP.NET
Date: Thu, 20 Apr 2017 01:42:20 GMT
Startup.Auth.cs:
public partial class Startup
{
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and role manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
// Uncomment the following lines to enable logging in with third party login providers
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
app.UseFacebookAuthentication(
appId: ".....",
appSecret: ".....");
//app.UseGoogleAuthentication();
}
}
Update:
After updated Microsoft.Owin.Security.Facebook, facebook login prompted me to register a new user. However, it still redirect to login page? The following is the http traffic.
POST https://myapp.azurewebsites.net/Account/ExternalLogin?ReturnUrl=%2Fevent HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: myapp.azurewebsites.net
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __RequestVerificationToken=49xMNw5ePC60qAaVBtxq5TAbkgpGbkcPyb5OcWmO0CYNstOX7vUQJAST80cvsFM16l0USNgUCr9b5RCn3cnXXlsGhpz33rme4A_HRw1QFNY1; ARRAffinity=f86b281b78014bea7ff499f4d5d3d562aafe8f1cf9e24d7ef4dc3d48d94a9c32; .AspNet.ApplicationCookie=VkuppVPkn0nPbkYf5aSoSKrYsJVWusdEU4TKvf_bPajqbd7gMexZ4muf43ZnpSOwt9P6L60Lc_7VBWZu8Q41eIN2qw3vmhdcAC3gypOhFrQ57T-ymAyJX838uGjsjE3zw_RlVr1kLbyomB5xFVz5azv3nMCm4DDGadGQTSrPdEOQ54GVTQiDJJ9wi4vAd7Cc96ssc4J4x9HrWRIwdZiorubCJpyd1SUeDd6MkZTQgdxGPR42NBwr1CH7DDymU2fJSMw7Dw6Qi5IDNYwFL32J0rsc_5ji_VxvbUBhJZDFGwOxsQ5cFzm0k-XuqJB5zH1aS-6WvQ97sAbu4kQOt0BCZc3EhBAy9c5gmRmq1HyB-NiDwxhbpcS1e57M_9yNmdh8l9phHpnrthk2JNxzyom1Ni-nTbkbZsFdQ2SwuzuPaKS_R1IvXG57q7GM3QEzzTkjsZmuEPCaP5IvFfjISH8kVFBzCnoCoYkvjTKNsfG05VY
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 0
Location: https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z
Server: Microsoft-IIS/8.0
Set-Cookie: .AspNet.Correlation.Facebook=dfeXeK1QG0fHz_lgWH9nLhCT4Zw0USACEAyA0oAZzZ8; path=/; secure; HttpOnly
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 20 Apr 2017 03:49:27 GMT
------------------------------------------------------------------
GET https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.facebook.com
Cookie: fr=0RObsAfMX8N2oDE0P.AWUijY5j4ajj3MWCbj2nVPEp4Go.BY9tIg.oW.Fj2.0.0.BY-AuR.AWU2VfKJ; datr=INL2WBkTq1-aa6V7IMJUUMMw; dats=1; sb=JNL2WJ2XCIs_K6QaFHEcvbTM; c_user=100000343225510; xs=251%3A-D7EtOmwXRbYlQ%3A2%3A1492570660%3A12220; pl=n; lu=ggNZWbJ4ElBZhc5tOVdylWWA; presence=EDvF3EtimeF1492652361EuserFA21B00343225510A2EstateFDutF1492652361094CEchFDp_5f1B00343225510F195CC
HTTP/1.1 302 Found
Location: https://myapp.azurewebsites.net/signin-facebook?code=AQCGF2xmMpxqeJOvGi0ngPWLVPqxKZL19gdGPeZdYjQ0k6S-Ta_WS0VxOBxR7wcz70IzHkeC-jQw8KAy7NNP-9m0_atTD6OJYjFZpbnAyixkg7-2r6_B5MR3_nzSBVqc8orXBeBy4KbcG0pgcW6AYGOX1inJaXixCbvypqK5JSgj8RTjbnTd8OmMMzVhC6QBpuViHEcnwOKMx3YgaOEyV9GXwr39EBY-WvcDlu1b__L7vSD9y1VA5jGfAX7jRTmXOOOPrgU-KVOnvqrAUj4RgfpS2YqEFa59t9k00emP2L2FRq94HHBzZshI3dwN0kFH6nVu1y8VKuGqgIDJqbkiXPj88kgbC612wocVpuST4Y0q2g&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z#_=_
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v2.8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
X-XSS-Protection: 0
Content-Type: text/html
X-FB-Debug: ABkQtw3vY1sccWewy5h4luP2SmaMQXgOUnv2HfxKkMGR7VFV+3Jq7+HOsVnGAESUXqI7RT+raZ/CrCLo3U1JbQ==
Date: Thu, 20 Apr 2017 03:49:26 GMT
Connection: keep-alive
Content-Length: 0
There is a X-Frame-Options: DENY for the request of GET https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=....
I could encounter the same issue, after some searches I found that the facebook graph api did some changes. Here is the detailed info, you could refer to it:
Facebook Graph API has a force upgrade: Changes from v2.2 to v2.3
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
Since the access_token returned with the JSON instead of the URL encoded, Microsoft.Owin.Security.Facebook prior to 3.1.0 could not handle this change. You need to upgrade Microsoft.Owin.Security.Facebook to 3.1.0 version, or you need to implement the FacebookAuthenticationOptions.BackchannelHttpHandler for a workaround to handle this change, for more details, you could refer to this similar answer.
UPDATE
As I known, X-Frame-Options indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>, I assumed that this header has no relation with your issue. Since your network packages are from your client, you could not see the processing when you use authorization_code to exchange the access_token from facebook. I recommended that you could run your web app on your local side and capture the packages as follows:
I have checked both update Microsoft.Owin.Security.Facebook to 3.1.0 and implement FacebookAuthenticationOptions.BackchannelHttpHandler by following this issue, both could work on my side and azure. In summary, you could get the authorization_code but failed to extract the access_token, I assumed that you need to clear/rebuild your project and make sure your project could work on your local side, then redeploy your project to web app (if you deploy the website via VS publish wizard, you could choose the "Remove additional files at destination" under Settings > File Publish Options or you could use KUDU to empty your web content).
UPDATE2
I have created a code sample AspDotNet-WebApplication-FacebookAuth with my facekbook app, you could try to run on your local side and make sure you could retrieve the access_token and get the logged user info as follows:
I have an Intel Edison running a Node.JS server that is printing everything I post to it into the console. I can successfully post to it using Postman and see the sent raw data in the console.
Now I'm using Processing to POST to it, which will fire off different events on the Node.JS server.
My problem is that I can't seem to successfully POST the raw body to the server, I've been trying to get this working for several hours already.
import processing.net.*;
String url = "192.168.0.107:3000";
Client myClient;
void setup(){
myClient = new Client(this, "192.168.0.107", 3000);
myClient.write("POST / HTTP/1.1\n");
myClient.write("Cache-Control: no-cache\n");
myClient.write("Content-Type: text/plain\n");
//Attempting to write the raw post body
myClient.write("test");
//2 newlines tells the server that we're done sending
myClient.write("\n\n");
}
The console shows that the server received the POST, and the correct headers, but it doesn't show any data in it.
How do I specify the that "test" is the raw POST data?
The HTTP code from Postman:
POST HTTP/1.1
Host: 192.168.0.107:3000
Content-Type: text/plain
Cache-Control: no-cache
Postman-Token: 6cab79ad-b43b-b4d3-963f-fad11523ec0b
test
The server output from a POST from Postman:
{ host: '192.168.0.107:3000',
connection: 'keep-alive',
'content-length': '4',
'cache-control': 'no-cache',
origin: 'chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop',
'content-type': 'text/plain',
'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36',
'postman-token': 'd17676a6-98f4-917c-955c-7d8ef01bb024',
accept: '*/*',
'accept-encoding': 'gzip, deflate',
'accept-language': 'en-US,en;q=0.8' }
test
The server output from my POST from Processing:
{ host: '192.168.0.107:3000',
'cache-control': 'no-cache',
'content-type': 'text/plain' }
{}
I just figured out what was wrong, I needed to add the content-length header to tell the server how much data to listen for, and then a newline before the data.
Final code:
import processing.net.*;
String url = "192.168.0.107:3000";
Client myClient;
void setup(){
myClient = new Client(this, "192.168.0.107", 3000);
myClient.write("POST / HTTP/1.1\n");
myClient.write("Cache-Control: no-cache\n");
myClient.write("Content-Type: text/plain\n");
myClient.write("content-length: 4\n");
myClient.write("\n");
myClient.write("test");
myClient.write("\n\n");
}
EDIT 2: Some response I found mention modifying the 'datatype', is that a header? i did try modifying the Content-Type to application/json which didn't help.
EDIT: I am still having this issue, just to add to this information I am sending a file as input, here are the HTTP headers that i am sending, I know the 'Accept' header is not an issue since I have another request that is not causing any isses:
Host: localhost:26479 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:26479/Home/FileUploadBrowser Content-Type: multipart/form-data; boundary=---------------------------41184676334 Content-Length: 1104
I have the following controller method ( still a work in progress):
Function uploadFileToAmazon(ByVal key As String) As ActionResult
Dim incomingStream As Stream = Me.Request.InputStream
Dim bucketName As String = ""
Dim accessKey As String = ""
Dim secretKey As String = ""
ConnectToAmazon(bucketName, accessKey, secretKey)
Dim client As AmazonS3 = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, RegionEndpoint.USEast1)
Dim titledRequest As PutObjectRequest
titledRequest = New PutObjectRequest
With titledRequest
.WithBucketName(bucketName)
.WithKey(key)
.WithInputStream(incomingStream)
End With
Dim response As S3Response = client.PutObject(titledRequest)
Return Json(New With {Key .success = "true", Key .msg = "uploaded"})
End Function
Original question:
Here is the problem that I'm having, for some reason it is sending the following message to the front end after completing <pre>{"success":"true","msg":"uploaded"}</pre>. I am confused, where is this <pre> tag is coming from and how to I get rid of it? Thank you