Checking ASP.NET Membership Authentication from Browser Extensions using JavaScript
Hi,
I have a website [Visual Studio 2012 website] that uses ASP.NET Membership with OAuth/OpenID. Now I need to create a browser extension [Using Crossrider.com APIs for Chrome, IE, Safari etc.] which will enable logged in [to my website] users to bookmark a URL from the browser extension on button click and save the URL to a database in my website using JavaScript. The website then can show the bookmarked URL for the logged in user in some DataGrid.
Now my questions are:
1. What's the best approach to do this?
2. How do you check if a user is authenticated or not from the browser extension using JavaScript?
3. How to save the bookmarked URL to the Database in my website for that logged in user?
If I understand you correctly, you want the event handler of extension button to send the URL of the active page to your website. In general, you can achieve this by capturing the URL of the active tab using appAPI.tabs.onTabSelectionChanged and then using appAPI.request.get (or post) to send the data to your website database.
Regarding the user credentials, assuming you are authenticating the user in the extension, you can save the credentials to the local database using appAPI.db.set (get to retrieve the data) and send it as part of the request to save the URL. The following code shows the principle idea:
In the background.js file, implement the button handler and saving the URL to your site:
appAPI.ready(function() {
var activeUrl = null;
// Keep track of the active tab's URL
appAPI.tabs/onTabSelectionChanged(function(tabInfo) {
activeUrl = tabInfo.tabUrl;
});
// Configure the extension's button
appAPI.browserAction.setResourceIcon('icon.png');
appAPI.browserAction.click(function() {
// Send bookmark to your website
appAPI.request.post({
url: <YOUR_WEBSITE_URL>,
postData: {
bookmark: activeUrl,
token: appAPI.db.get('userToken'); // User Credentials
}
});
});
});
In the extension.js file, save user credentials to the extension's database:
appAPI.ready(function($) {
// Your authentication code
...
userToken = ...;
// Save the credentials
appAPI.db.set('userToken', userToken)
});
If you require further assistance and feel that stackoverflow is not the appropriate forum to discuss the specifics, please email our support team (support#crossrider.com).
Disclaimer: I am a Crossrider employee
Related
I am currently trying to implement an oauth flow within a Teams Messaging Extension. I use ASP.NET and I managed to make the sign in process work, by using the sign in card recommended by Teams.
ComposeExtension = new MessagingExtensionResult
{
Type = "auth",
SuggestedActions = new MessagingExtensionSuggestedAction
{
Actions = new List<CardAction>
{
new CardAction
{
Type = ActionTypes.OpenUrl,
Value = authUrl,
Title = "OAuth"
}
}
}
}
This card has a button that opens a specific popup window (a Teams webview) which I can relocate to the oauth authentication page of a third party site.
All this goes very well, but when the user tries to log out, in my case it is not enough to just revert the tokens I got from the server, I also need to navigate the user to the third party site's /forcelogout subpage in the exact same webview which I used in the sign in process, to make sure the cookies related to the previous login session are getting deleted. By this I can prevent the login form getting auto filled and submitted when the user tries to sign in the next time they use my Messaging Extension.
My problem is that I can not find any way to open that exact webview from the Messaging Extension (this problem only occurs on the Teams Desktop Client, since the web version of Teams uses browser tabs instead of webviews and iframes). I tried using Task Modules, the dialog module, adaptive cards but none of them could open that specific webview that has the cookies for the login form.
Do you have any solution for this?
Authentication provider could receive an optional parameter to always prompt the auth-form by neglecting the cookies.
Using this way there is no need to open any webview when the user logs out.
I have a web app and I am using firebase authentication to login/signup our users.
In the past I have used Passport for login in my app which works but you have to maintain your own database and security blah blah... but I can control when my user can visit a page after logging via Passport using middleware like this -
// isAuthentcated is my middleware on server side.
app.get('/home', isAuthenticated,(req,res)=>{
res.render('home');
});
How can I do the same using firebase because there isn't any mechanism to do that. I have read different answers on stackoverflow and most of the pople are suggesting something like below which obviously isn't secure. Anybody can just type home.html and get to the page.
firebase.auth().onAuthStateChanged(user => {
if(user) {
window.location = 'home.html'; //After successful login, user will be redirected to home.html
}
});
Although, I have thought of using firebase-admin sdk token verification and try to follow the suggestion here but I don't know how it can be useful to do that on server side. Do you guys have any suggestions? How do you redirect user to a new page. An ajax post/get request from a client to a route '/home' with a header containing 'Bearer token' just validate the token but doesn't redirect user because it is a ajax call which is meant for updating a portion of a page.
Now, the question really is, Is it even possible to do that with firebase authentication?
If you host your site on App Engine you can send the ID token of the client with the request for the HTML. This could take the form of a cookie, a parameter, or whatever you choose to securely transfer the token from client to server.
Then the server can use the Firebase Admin SDK to verify the ID token, and use whatever logic you need to determine whether the request is authorized.
I have create an app to achieve login-with-linked-in functionality. Previously it worked fine, but all of a sudden it stopped working.
Previously if user already logged-in to LinkedIn, clicking the login-in-with-linkedIn button will lead user to there corresponding dashboard, otherwise login-popup open and user details get saved in db and user redirects to corresponding dashboard,But now nothing happening.
Note:- I have used my custom button to use this functionality. not the linked-in provided button code.
Here is my code and app creation steps:-
Button code:-
<?php echo Labels::getLabel('LBL_Linkedin',$siteLangId);?>
Javascript sdk code:-
<script type="text/javascript" src="//platform.linkedin.com/in.js">
api_key:*********
authorize:true
</script>
<script>
function doLinkedInLoginForBuyer(){
IN.User.authorize(function(){
onLinkedInAuth();
});
}
function onLinkedInAuth() {
IN.API.Profile("me").fields("email-address","first-name","id").result(function (data) {
processLinkedInUserDetails(data);
}).error(function (data) {
$.systemMessage('There was some problem in authenticating your account with LinkedIn,Please try with different login option','alert alert--danger');
});
}
processLinkedInUserDetails = function(data){
data = data.values[0];
fcom.ajax(fcom.makeUrl('LinkedIn', 'loginLinkedIn'), data, function(t) {
var response = JSON.parse(t);
if(response.status ==0){
$.systemMessage(response.msg,'alert alert--danger');
}
if(response.status ==1){
location.href = response.msg;
}
});
};
</script>
Note:- It seems that onLinkedInAuth() as well as processLinkedInUserDetails() functions are not called at all now. Previously they worked fine.
Let me know if any other details are required. Thanks!
After a long discussion with LinkedIn Customer Support they just said that they didn't support API-related issues. They asked to buy a premium account for any kind of technical support
Also I come to know that they stopped giving support for Javascript SDK.
Check here:- JavaScript SDK is not currently supported
Solution:- Now I followed the below post and make it work:
https://www.codexworld.com/login-with-linkedin-using-php/
Visit LinkedIn Developers page and log in with your LinkedIn account credentials.
Click the Create app button to create a new LinkedIn app.
Provide the information about your app and click Create an app to submit the app registration form.
App name – Name of the application.
Company – Name of your company.
App description – Workflow of the application.
App logo – Logo to display on the OAuth dialog.
Privacy policy URL – URL of the Privacy Policy page.
Business email – Your email address.
Products – Select the products that you’d like to add to your app.
On successful app creation, the page will be redirected to the App settings screen.
Switch to the Auth tab » Scroll down to OAuth 2.0 settings section.
Specify the redirect URL in the Redirect URLs fields and Update the App settings.
Note: The Redirect URLs must be matched with the Redirect URL that is specified in the script.
In the Application credentials section, you will see the Client ID and Client Secret of your LinkedIn App. The App ID and App secret need to be specified in the script at the time of the LinkedIn API call.
Now you have to create PHP code that will call linked-in API with the help of Client ID and Client Secret.
Kindly check Php code of thread for example.
I have a web app using forms authentication and I have restricted a folder so that only those with an administrator role can access it. I am controlling all of this through the web.config file and adding the proper location tags to restrict access.
Currently the application is working fine. If I am logged in as a user and click the link to the administration section, I'm redirected to the login page once again. If I look at the URL, the ReturnUrl parameter is set properly.
What I'd like to do is to display a message to the user indicating insufficient security privileges, or something to that effect so the user doesn't think they are getting logged out of the application prematurely or that the application isn't working.
Does anybody know of a way to do this?
You can redirect to a page that displays an alert box, and which then (on the client) redirects to the page you want to be at.
I gave no sample code because I don't have time now to get it right. Here's the wrong code:
if (FormsAuthentication.Authenticate(userName, passWord))
{
Response.Redirect("alertPage.html?ReturnUrl=" + Request.QueryString["ReturnUrl"]);
}
on alertPage.html:
<script language="javascript">
alert('Some message');
window.navigator.location = // get the URL and use it
</script>
Currently building a site in ASP.NET MVC and have to integrate another site within it, in an IFrame. It is the wish of the client to have one login for both systems, so the user logs in in the parent site, and then are automatically authenticated on the IFramed site. Of course, if this were possible then it could be assumed that both sets of login credentials were the same. So, it there anyway this can be done easily?
Its worth noting that we don't have any real control over the IFramed site. Its basically a site that our client provide their customers for processing payments.
Thanks in advance!
(I suppose OpenID or WS*-Federation is out of the question?)
If the credentials are the same, couldn't you simply submit the credentials to the iframe before you submit your own login form?
Or if you want to check credentials first, then send them to your server, check return them back to the client as a javascript snippet that then does the iframe authentication. (But be aware you would be sending credentials back to the client as javascript.)
An example that might work for you:
Say your login Url is http://yourdomain/login and you also need to login to http://thirdparty/login
yourdomain/login wants two post variables "username" and "pwd" whereas thirdparty/login wants "uname" and "password".
Try to include jQuery in your project (there are ways to do it in javascript by itself, but you'll have to check what jQuery does in the background - but I strongly suggest not reinventing the wheel if you don't have to).
// this is the jQuery startup function, called once the page is loaded
$(function()
{
// register an event for the form submit
$("form[#action*='login']").submit(function(event){
// get username and pwd from the form
var _user = $("#username").val();
var _password = $("#pwd").val();
// and submit to the second login page
$.post("http://thirdparty/login", { user: _user, password: _password } );
// once the method returns and you don't do return false then the login form will be submitted as usual.
});
});
There may be one issue here that is that you are posting to a different url than the server that served the page. This may not be allowed, but you could bypass it by sending the post action of the original login page to the thirdparty page and login to your own system using the code above.
Reference:
JQuery Post: http://docs.jquery.com/Ajax/jQuery.post
JQuery Intercept Form Submit: http://blog.james-carr.org/2008/01/17/jquery-binding-submit-on-a-forms-action-attribute/