I am using the https://github.com/jaredhanson/passport-windowslive NPM package to implement Microsoft account authentication for my NodeJS app. Recently (since 22 April), I have been seeing a few cases in my server logs that show a user trying to login, but the data in the OAuth callback to our server contains an empty array for the emails. This is despite me explicitly specifying the wl.signin,wl.emails scopes. These cases are rare (happens once or twice a day), but frequent enough to make my service monitoring alerts annoying.
This is the user object returned: Note that apart from the user ID, which i hid away for privacy reasons, all the other fields are indeed null or empty as attached in the callback.
{"id":"<id hidden>","displayName":null,"name":{"familyName":null,"givenName":null},"emails":[],"photos":[{"value":"https://apis.live.net/v5.0/<id hidden>/picture"}],"provider":"windowslive","_raw":"{\r \"id\": \"<id hidden>\", \r \"name\": null, \r \"first_name\": null, \r \"last_name\": null, \r \"gender\": null, \r \"emails\": {\r \"preferred\": null, \r \"account\": null, \r \"personal\": null, \r \"business\": null\r }, \r \"locale\": null\r}","_json":{"id":"<id hidden>","name":null,"first_name":null,"last_name":null,"gender":null,"emails":{"preferred":null,"account":null,"personal":null,"business":null},"locale":null}}
Did something change in the Windows Live API server recently? Is there a bug somewhere?
Not sure if you have found a solution to your problem. Anyway, I stumbled upon the same problem.
Apparently, you will get email address only if "First name" and "Last name" are missing. If that info is filled in, email won't be provided. (in my case that was not true, could be that this behavior was changed my MS over time)
But I found out that there is a special scope permission: "wl.contacts_emails"
Scope I'm using now looks like this: "wl.signin,wl.emails,wl.contacts_emails"
When I tried Oauth I got noted that I will provide my email address if I continue. I believe this is the behavior we both are after.
Will confirm if this fix my problem after our logs will be clean for some longer period of time.
If somebody else can reproduce the problem, would be great if he/she could confirm if this is a valid solution before me.
I had this issue. Turns out it was a problem with the user account.
I went into my account (OneDrive) and changed my personal email address in the select list (from 'not selected' to my account email address) in the profile. After that the API started returning the correct details.
Seems like an internal bug - should default to the account email if not otherwise set.
Related
For quite some time we have been getting the following error from yahoo:
mail.log:6452:Apr 22 19:21:06 aegir postfix/smtp[8997]: 87BCF4C93F: host mta7.am0.yahoodns.net[67.195.228.110] said: 421 4.7.0 [IPTS04] Messages from 188.93.125.68 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to end of DATA command)
If someone did get the similar, how did you solve this issue?
I've been trying to contact Yahoo but everytime I get automated response and ticket closure as I send it.
What other thing I can offer is DMARC report if its relevant:
https://mxtoolbox.com/DmarcReportAnalyzer.aspx?id=F-9a3a8364-6cba-41f9-b93f-cfc32155a3f6
Test for headers and every check seems to be working alright:
https://www.mail-tester.com/test-m5ytebosm
Google email is showing everything is pass:
gmail email
gmail header
For now I've tried changing OpenDKIM to relaxed/relaxed from relaxed/simple.
Removed p=quarantine and added p=none
Sorted out SPF record for official signing domain just in case, added another IP address where resourcecenter is found.
Will provide additional info if needed.
I want to manage my Trello cards and boards using the trelloR package but when I try to create a token with the get_token function, I get an error message on my browser : "Invalid return_url".
my_token <- get_token(key = my_key, secret = my_secret)
my_key is my personal Trello API key and my_secret is my OAuth secret. I got them on the Trello page that gives you your authentication codes, after login : https://trello.com/app-key
To use the Trello API and to access to boards, I need a token. This token is generated with OAuth1.0 by the httr package. Indeed, the function get_token do something like this, according to Jakub Chromec, author and maintainer of trelloR here :
trello.app = httr::oauth_app(
appname = "trello-app",
key = my_key,
secret = my_secret)
trello.urls = httr::oauth_endpoint(
request = "OAuthGetRequestToken",
authorize ="OAuthAuthorizeToken?scope=read&expiration=30days&name=trello-app",
access = "OAuthGetAccessToken",
base_url = "https://trello.com/1")
httr::oauth1.0_token(
endpoint = trello.urls,
app = trello.app)
When I execute this code or the function get_token with my personal key and secret, I am redirected to my browser, which is normal. As described on this page, a screen should appear asking me to allow authentication. But instead I just have an error message in the browser : "Invalid return_url".
In the RStudio console, this remains displayed :
> my_token <- get_token(my_key, my_secret)
Waiting for authentication in browser...
Press Esc/Ctrl + C to abort
I'm using httr 1.4.1, curl 4.2 and trelloR 0.6.0 with R 3.6.1 under macOS 10.15.
Some people reported the problem started after the introduction of Allowed Origins and they were able to fix it by adding the following origin:
http://localhost:1410
on the appkey page. This is a bit surprising to me as the default * should cover all origins, but there you go.
Trying this today (11/23/2019), I could not get wildcards to work as Allowed Origins. You should specify the domain of where you are running the call for authorization.
One source of confusion: The comments under "Allowed Origins" on https://trello.com/app-key refer to sites that "your application is allowed to redirect back to following the authorization flow." That was a bit confusing to me. The list should include sites you want to redirect back to IN ADDITION TO the sites you are calling Trello.authorize() from.
If you are thinking "I don't need a redirect" (and, in fact, if you are using client.js, I don't think you can specify a redirect), then those comments under "Allowed Origins" could lead you to believe you don't need to specify anything there. That would be incorrect.
Summary: Even if you want NO post-authorization re-direct, you still have to list an ORIGIN.
Also, you cannot specify file:// in Allowed Origins, so you cannot run your javascript off a local file.
I'm trying to setup my Google Identity Toolkit so users can reset their passwords. I'm following the documentation here: https://developers.google.com/identity/toolkit/web/required-endpoints#send_email_url
I'm using the PHP Gitkit Client outlined here: https://github.com/google/identity-toolkit-php-client/blob/master/src/GitkitClient.php
Specifically the function getOobResults() on line 307 seems to be unhappy for some reason. Here's where I'm at:
User sets up account and logs in successfully
User then logs out and starts to log back in, enters email in and clicks "Forgot password"
reCaptcha is shown, click check box and then hit continue
At this point my 'Send Email URL' endpoint (gitkitEmail.php) is successfully called and the following POST is set to it (dropping the full '&response' param since it goes on for a while):
action=resetPassword&email=xodfebefa%40nada.ltd&challenge&response=03ACgFB9tGlNt2KAGhrVY....
I then take that string and parse it using parse_str(); since getOobResults() is looking for an array. However, response I get back is always:
{
"response_body": {
"error": "CAPTCHA_CHECK_FAILED"
}
}
I searched around but can't find any details on this error. Any help would be appreciated. I don't have a reCaptcha setup anywhere on my site, unsure if this is expecting me to do that and that's why it's failing? Also, I did bump all my code to a production environment and got the same error there as I did on my localhost.
I have only recently been looking into ACS, AAL, WAAD and I would like to avoid redirecting users to the login page of their IDP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with and an area to request a username and password, then acquire token via code. Is this possible?
I have been reviewing some sample applications and produce a quick mock-up, but cant seem to get things working e.g.
_authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");
string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('#') + 1);
IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
foreach (IdentityProviderDescriptor idpd in idpdList)
{
if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
{
Credential credential;
credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);
_assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);
return;
}
}
Using the code above, when I try to use the Windows Azure Active Directory User (admin), i get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to acquiretoken.
When I use Google, I get an error "0x8010000C: No identity provider matches the requested protocol".
If there is a working sample? if I am doing something obviously wrong, I would appreciate the correction.
This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.
This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.
The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.
I had the same error, executing a powerscript solved that error
PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses
-Address https://mydomain.accesscontrol.windows.net/
PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames
#("https://mydomain.accesscontrol.windows.net/") -DisplayName
"MyDomain Namespace" -Addresses $replyUrl
But i'm stuck anyway with a 403 permission error
If you get any further i would like to know how :)
I am running dotnetopenauth 3.3.0.9283 (nightly build), it works great and it solved my previous problem ( DotNetOpenAuth get email and redirect problem )
So now I am able to get the users email from gmail only! I have tried yahoo and myspace but i always get "Object reference not set to an instance of an object." I ran the sample that came with the build, ajaxlogin.aspx and loginProgrammatic.aspx they both give me the same error message.
this is the only line i added to the sample (and also set email to required)
var email = OpenIdAjaxTextBox1.AuthenticationResponse.GetExtension<ClaimsResponse>().Email;
You've got too much code on one line.
GetExtension<T>() will return null if the Provider doesn't actually include that extension in the response. So you must always check that it returns a non-null value before dereferencing it.
You're getting null back from Yahoo because they don't support giving away their users' extra information (yet) except for a small whitelist of RPs.
I don't know about MySpace, but I suspect they just don't support it either.