Google asks for "Authorized Java Script Origin" & "Authorized Redirect URL" which is given to us by Meteor as follows https://localhost:3000 & https://localhost:3000/_ouath/google Respectively.
My concern now is, to what URL's should I change them in production environment?
You should use your domain (or IP address, whichever you use to access your website) instead of localhost:3000.
E.g. if you deploy your app to example.com your "Authorized Java Script Origin" & "Authorized Redirect URL" would be
https://example.com & https://example.com/_oauth/google
Note: you use https in your example links, so that's what I did too. Make sure your website has it set up, otherwise it won't work. If you are not sure what it is and how to do it, just use http instead of https everywhere and change it back after/if you set it up.
Also be careful with the ports. You might need to use example.com:3000 depending on how you deploy your app.
Related
In the HERE platform, I added an App under Apps in the Access Manager. I then generated an API key for this app. This API key works when using it on our webapp.
However, when I add a "Trusted domain" and "Enable trusted domains", the key no longer works. I added all variations of our domain:
sub.domain.com
https://sub.domain.com
domain.com
I have waited multiple hours between different attempts and it still doesn't work. When I disable trusted domains, it works again...
The following question seems related but there is no solution: HERE Maps specific domain feature not working
Is this feature not working properly, or am I doing something wrong?
you would need to pass the "Referer" + Your trusted domains in the header.
Example: If you have your IPV4 address in the trusted domain and use some tools like postman to test it. Then add Referer and the IP in the headers. It should work. Thanks
I'm developing a website using ASP.NET identity that will work with subdomains that identify a client using some information from here I've got subdomains working locally, but I can't get it to work with OAuth.
For example, if I got to https://localhost:44301 and try to login with Google, everything is fine. In my Google console I have https://localhost:44301 under "Authorized JavaScript origins" and https://localhost:44301/signin-google under "Authorized redirect URIs". But when I go to https://foo.localhost:44301 Google will respond with:
Error: invalid_request
Invalid parameter value for redirect_uri: Non-public domains not allowed: https://foo.localhost:44301/signin-google
When you try to log in. I can add https://foo.localhost:44301 to "Authorized JavaScript origins" in the Google console, but it won't let me add https://foo.localhost:44301/signin-google under authorized redirect URIs because it will complain:
Invalid Redirect: https://foo.localhost:44301/signin-google must end with a public top-level domain (such as .com or .org)
Some other questions and answers suggest redirecting all subdomains to a single domain for OAuth, but ideally I want to keep logins per subdomain. So if you use google to sign it to foo.mydomain.com it will be separate from bar.mydomain.com and I don't think that'll work if I have to redirect both to the same single domain (although I'm not sure that's going to work without separate projects in Google.
Google and in general other OAuth2/OIDC providers will support redirecting to sub-domains. Your specific problem is that you seem to be trying to use sub-domains of localhost which is in the list of Special-Use Domain Names (RFC6761) and it seems Google has additional constraints for those ones.
However, this is not a real limitation because on production you'll use a public top-level domain from from where you'll have the specific sub-domains.
If you need to have this working for local development, you can use localtest.me which allows you to set a sub-domain you like (foo.localtest.me and bar.localtest.me) while still ensuring that the domain resolves to your local machine (127.0.0.1). This should stop Google from complaining about it...
I have a Comodo SSL certificate on my host plan, however when accesing my site from google, it sends me automatically to
http://example.com, Where the green lock doesn't appear.
If I manually add "https", like: https://example.com it does show up!
Is there a way to access my website always with the green lock showing up? instead of manually having to write it everytime?
You can easily redirect to the https version of any page using rewrite rules/rewrite module of your web server (the exact way to do this depends on the webserver used). Ask your provider, this is a common case so there may even be a UI option in your console to do this.
Regarding google see this: https://webmasters.stackexchange.com/questions/67212/how-to-convince-google-to-list-https-version-of-website
It may also be good form to verify the protocol used to access the site in your authentication module and refuse authentication if the wrong protocol is used. Assuming web rules are used to redirect traffic this would to prevent leaking information due to a misconfiguration/bug.
I am a new to web deployment and I am deployed a website for testing on IIS, the website is non secure (http) site but one page should be secure (https).
Can anyone suggest me how I can achieve it and it should not warn the user while switching between 'http' and 'https'.
SSL or Secure Socket Layer would be bound to a website through bindings. That is, you can tell IIS to redirect the incoming request traffics to a website, when for example the requested URL would be like http://domain.com/ or https://doamin.com, or http://200.202.150.200:8080/ or stuff like that.
Therefore, it's not a matter of IIS to set HTTPS only for one page. It's rather how to manage your URLs while redirecting user. In other words, it's a navigational matter.
I havent used IIS but I did this recently with Apache.
I did the following:
Set up a redirect for the page that you wish to secure so it redirects to HTTPS.
Set up a redirect for every other page to redirect from HTTPS to HTTP
Ensured static files such as images css and js are not affected by the above rules (These files need to work on both HTTP and HTTPS
If you need this commercially, I would recommend to use Helicon tool to redirect that particular page to HTTPS.
Using Helicon tool you can redirect the HTTP request to HTTPS for any specific page or whole site by writing the Rules.
In IIS 7 there is way to define new rules in "URL Rewrite" section for a particular web site. By this you can define a regular expiration and based on that you can redirect any pages which matches the expression to the page which you want. Lets say you are going to redirect http:\x.com\sample.aspx to https:\x.com\sample.aspx. For this do the following steps:
select your website on IIS
click URL Rewrite
Add Rule(s)
Select Blank rule
Then define your pattern in this case : lets say ^sample(any page start with sample). you can define any expression as you like.
in Action section select Redirect in Action type dropdown
in Redirect URL put https:\x.com\sample.aspx
save it and restart your website
you can then add any other rules as you want o match your request
And also in some other complex scenarios you can write your own scripts here
I'm working on a CMS that can run either with or without https enabled on the webserver. I'd like to be able to detect whether https is enabled or not, so that I can act accordingly (for example, display some https-related options to the administrator, and redirect to https for administrator logins).
I'm not looking for Request.IsSecureConnection because that only tells me if the current request is via https. I want something that will tell me whether the current bindings for the site in IIS include a binding for https at the same domain as the current request is on. So, for example, even if the current request is for http://example.com/ and thus not secure, I want to know whether https://example.com/ would work so I can (for example) redirect the user to it if they log in as administrator.
I've had no luck looking for anything in System.Web.Configuration that will tell me about the bindings of the current site, though.
My current workaround is just to require the administrator to set an appSetting in web.config if https is enabled, but I'd prefer if I could make it automatic. Having to set the same thing twice - once in IIS and once in web.config - is confusing.
The simplest way is to make an https request to the site from the site and if it succeeds then you know https is supported. Cache this in a static variable so it's only called once per app invocation.
Depending on your IIS version you can use managemed .net code to do administrative tasks in IIS7. This is an example of querying a site for its bindings to see if https is enabled
http://msdn.microsoft.com/en-us/library/microsoft.web.administration.bindingcollection(v=VS.90).aspx