Obtaining token from token service - iframe

I am trying to obtain a token for my UCWA app using passive auth. My setup is that once I receive the 401 challenge, I take the link to the token service from the ms_rtc_passiveauthuri parameter and I visit this website (PassiveAuth.aspx) by creating a hidden iframe in the background of my website. A couple of redirects happen in that iframe, but eventually I successfully get the cookie and I proceed with creating the UCWA app.
This works nicely in IE, Chrome, Firefox and Opera, but Safari seems to refuse to do these redirections inside of that iframe.
I also tried to visit this token service by using the XFrame (and using helper library's Transport.clientRequest), but the result is 406 Not Acceptable.
Do you know about any workaround for Safari? Or, more importantly, is my approach correct - is this how it's meant to be used?
Thanks for any suggestions.

Did you manage to work this out? I am having the same issues.
Edit: See the comments below for the answer - look out for the WWW-Authenticate and Www-Authenticate headers.
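The header-casing point above is the one that usually bites here: HTTP header names are case-insensitive, so code that indexes the 401 response by the exact spelling "WWW-Authenticate" silently misses a server that sends "Www-Authenticate". The following is an added example (not code from the original post or from the UCWA helper library) that looks the challenge up case-insensitively, extracts ms_rtc_passiveauthuri, and only hands the URI to a hidden iframe when it is HTTPS and on an allow-listed host; the header value and host name are constructed for illustration.

```javascript
// Constructed 401 response headers for the example; a real UCWA server's
// values differ. Note the "Www-Authenticate" spelling.
const CONSTRUCTED_401_HEADERS = {
  'Content-Type': 'application/json',
  'Www-Authenticate':
    'Bearer trusted_issuers="", client_id="00000004-0000-0ff1-ce00-000000000000", ' +
    'MsRtcOAuth href="https://lync.example.test/WebTicket/oauthtoken", ' +
    'grant_type="urn:microsoft.rtc:windows,password", ' +
    'ms_rtc_passiveauthuri="https://lync.example.test/PassiveAuth/PassiveAuth.aspx"',
};

// Header names are case-insensitive (RFC 7230): never index the header map
// by one exact spelling.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Pull key="value" pairs out of the challenge string.
function parseChallengeParams(challenge) {
  const params = {};
  const re = /([A-Za-z0-9_-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(challenge)) !== null) params[m[1].toLowerCase()] = m[2];
  return params;
}

// Return the passive-auth URI only if it is HTTPS and on an allowed host,
// otherwise null, so the caller never frames an untrusted page.
function passiveAuthUriFromChallenge(headers, allowedHosts) {
  const challenge = getHeader(headers, 'WWW-Authenticate');
  if (!challenge) return null;
  const uri = parseChallengeParams(challenge).ms_rtc_passiveauthuri;
  if (!uri) return null;
  let url;
  try { url = new URL(uri); } catch (e) { return null; }
  if (url.protocol !== 'https:' || !allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

console.log(passiveAuthUriFromChallenge(CONSTRUCTED_401_HEADERS, ['lync.example.test']));
```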

Related

Postman simulation of login website with invisible reCaptcha

I am trying to simulate the login process of a website that has invisible recaptcha using Postman. I used both chrome DevTools and interceptor feature of the Postman. I also used the capture cookies feature in Postman to ensure I have the same cookies as in Chrome. The POST request for login api of the website has a JSON body of something like below:
{"userName":"myusermane","password":"mypassword","captchaResponse":"03AGdBq25SXrvrLWv3VbhyNPYCccO62Scf5reo04IeLNloKGo7ND1TcX7mg67fG-tL_0w1E7urn0MvoCJvdl6c5SBDloPXaeHiTnDMsjIgEGrvLjPbdsZ8U6vpL8VuqX1DZgGFRXXj_97ra1ZgYpuQykxnCEtgXQXwVqF5IbHyGj7MwtzM0jvT1wHdfFCDDJ3o9Z7edgUfHZeHHjfmMI_s1j5wZY2Lvp9XEGYdA9kmR5kZxu_CaGZ9i9rll8nY-GBqC4wWNuazB0l9F7k3R0ragTL9eoNawsdUP2l8nBvpR0dhWf476KqBgN7fE7aIj6HNQbCzRltgiUJeUh5RUmZk_XeUdN2hNhTAhfK8cwH1crn-bddCQ9J4ZJtFOcZ8qTYZbf6PWp1Hw8lX"}
The problem is while the login is successful in Chrome, the exact same request in Postman fails. Why is this happening? I am thinking that there might be something with invisible recaptcha fundamental that I do not understand. Hope someone can figure it out
The problem is while the login is successful in Chrome, the exact same request in Postman fails. Why is this happening?
This is the purpose of a Captcha: it prevents automated logins, allowing only a human to log in.
In other words, this is happening because it is exactly what is supposed to be happening.

Retrieve openid bearer token using headless browser setup

Using OkHttp3 I was happily scraping a website for quite some time now. However, some components of the website have been upgraded and are now using an additional OpenID bearer authentication.
I am 99.9% positive my requests are failing due to this bearer token because when I check with Chrome dev tools, I see the bearer token popping up only for these parts. Moreover, a couple of requests are going to links that end with ".well-known/openid-configuration". In addition, when I hardcode the bearer token from my browser in my OkHttp3 code, everything works. Without the code, I get a 401 Unauthorized message.
I figured that my browser emulation was not close enough to the real situation so I decided to use a headless browser setup that is doing some javascript invocations. Since I am using Java, I used HtmlUnit. Using this tool I could quickly get to the point where I could successfully scrape parts of the website (just as with OkHttp3) but it would again fail with the newly updated parts. I checked but couldn't find the bearer token in any of the responses (nor in the headers or in the cookies).
Is there any chance this approach (using a headless browser) could work? Or are there perhaps alternative approaches I could check?

Azure AD Owin with Iframe solution

I have an app which is set up to use Owin and Azure AD. It works well, but I now have a requirement to run inside an iframe as part of a third party solution.
This is OK apart from the security. https://login.microsoftonline.com does not allow running inside an iframe. My controller will check if the user is authenticated and if not, call 'HttpContext.GetOwinContext().Authentication.Challenge(..............'
On research it looks unlikely that I can do anything inside the frame. Is my only option to create a sign-in page, which redirects to the client app which includes the iframe? If this expires, the iframe then currently displays an error stating the content cannot be displayed in a frame, this is not very elegant.
AAD does not permit framing of pages where credentials are entered. This requirement stems from a need to prevent clickjacking-style attacks. See: https://www.owasp.org/index.php/Clickjacking. Instead, you can do a full-frame authentication initially and then do iframe authentication with prompt=none to refresh the ticket. prompt=none tells AAD that it is not permitted to stop and ask for credentials, so this flow will always work in an iframe.
As an addendum to the accepted answer, I was able to work around the issue by ensuring that the iframe URL's casing matched exactly what I'd provided in my app registration in Azure AD. E.g. if Azure AD has https://mydomain/My-App/ as one of my reply URLs then ensure that the iframe URL is spelled exactly the same way. I initially had my iframe URL as https://mydomain/my-app/my-page and was encountering the same issue described above till I changed the casing to https://mydomain/My-App/my-page.
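The two answers above fit together: the hidden-iframe refresh only works when AAD is told it may not prompt, and AAD only honours the request when redirect_uri matches the registered reply URL character for character. This added example (my own, not code from the original answers or from any Microsoft library) builds that prompt=none request, enforces the exact-casing check from the addendum, and classifies the fragment AAD sends back so the app knows when it must fall back to a top-level sign-in; the tenant, client id and reply URL are placeholders.

```javascript
// Exactly as registered in the Azure AD app registration (placeholder value).
const REGISTERED_REPLY_URL = 'https://mydomain/My-App/';

// AAD compares the reply URL exactly, casing included, so do the same here
// rather than discovering the mismatch as a framing error at runtime.
function matchesRegisteredReplyUrl(redirectUri) {
  return redirectUri === REGISTERED_REPLY_URL;
}

// Authorize URL for the silent (iframe) refresh on the v1 endpoint.
// prompt=none tells AAD it may not stop for credentials: the frame either
// receives a token or an error the app must turn into a top-level sign-in.
function buildSilentAuthUrl({ tenant, clientId, redirectUri, state, nonce }) {
  if (!matchesRegisteredReplyUrl(redirectUri)) {
    throw new Error('redirect_uri must match the registered reply URL exactly');
  }
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'id_token');
  url.searchParams.set('response_mode', 'fragment');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('prompt', 'none');
  url.searchParams.set('state', state);   // bind the response to this request
  url.searchParams.set('nonce', nonce);   // bind the id_token to this request
  return url.href;
}

// Classify the fragment the iframe lands on: "#id_token=...&state=..." on
// success, "#error=login_required&..." when AAD would have had to prompt.
function classifyFragmentResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('state') !== expectedState) return { status: 'state_mismatch' };
  const error = p.get('error');
  if (['login_required', 'interaction_required', 'consent_required'].includes(error)) {
    return { status: 'needs_interactive_login', error };   // leave the frame, sign in at top level
  }
  if (error) return { status: 'error', error, description: p.get('error_description') };
  const token = p.get('id_token');
  return token ? { status: 'ok', idToken: token } : { status: 'error', error: 'missing_token' };
}
```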

OAuth2 Implementation with Restsharp.Portable

I'm doing an application for android, iOS and Windows Phone using Xamarin.forms.
I need to implement login with the most common social networks for all platforms, and I have found Restsharp.Portable on the web.
I'm having trouble understanding how to use the library (it was correctly imported) for OAuth2 requests.
Does anyone have any example or guide that could be helpful?
I struggled with restsharp.portable due to the lack of documentation.
Instead I used the redirect URL as a way of getting the code generated after the user gives permission needed to request the access token.
I gave the browser the correct address for the login/permission screen and for the Redirect I set a made-up address (http://madeupaddress.com), and on the Navigating event of the browser checked if the URL started with my made-up address; if so, I cancel navigation, close the browser and take the token from the URI.Query parameters found in the navigating event parameters (or named differently depending on control/platform). I then apply for the access token using the code via Microsoft HTTP Client.
This was for Windows Phone 8.1.
Thanks go to Vittorio Bertocci
I ended up using Microsoft Httpclient for the access token.

HTTPS call from HTTP page IFrame

I have got an HTTP page from which I want to make an HTTPS call for login (I have already done that).
My question is:
Is it safe to call like this? If not, what additional things should we do to support this functionality, since my home page is HTTP and when the user clicks on sign in it redirects to an HTTPS page? Now I want to give one drop-down IFrame, ask for credentials and make the HTTPS call from the IFrame. I have seen this on some sites and am wondering what they are doing differently for this.
Is there any limitation on the browser that is used for this call, i.e. IE versions, Chrome, Firefox, Opera? Does it work for all browsers and versions?
I have come across a few old posts but could not find a satisfactory answer:
HTTP and HTTPS iframe
Any help would be greatly appreciated.
