ACS - bypassing user redirection to IdP? - acs

I have only recently been looking into ACS, AAL, WAAD and I would like to avoid redirecting users to the login page of their IDP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with and an area to request a username and password, then acquire token via code. Is this possible?
I have been reviewing some sample applications and produce a quick mock-up, but cant seem to get things working e.g.
_authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");
string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('#') + 1);
IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
foreach (IdentityProviderDescriptor idpd in idpdList)
{
if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
{
Credential credential;
credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);
_assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);
return;
}
}
Using the code above, when I try to use the Windows Azure Active Directory User (admin), i get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to acquiretoken.
When I use Google, I get an error "0x8010000C: No identity provider matches the requested protocol".
If there is a working sample? if I am doing something obviously wrong, I would appreciate the correction.

This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.
This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.
The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.

I had the same error, executing a powerscript solved that error
PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses
-Address https://mydomain.accesscontrol.windows.net/
PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames
#("https://mydomain.accesscontrol.windows.net/") -DisplayName
"MyDomain Namespace" -Addresses $replyUrl
But i'm stuck anyway with a 403 permission error
If you get any further i would like to know how :)

Related

Are there new facebook restriction for Rfacebook package?

I want to get some data from Facebook, so I wanted to create application to get token for 60 days like I did few months ago. Then everything worked well, I just followed steps from the tutorial like this:
http://thinktostart.com/analyzing-facebook-with-r/
So It was enough to create "empty" application, write in R with proper id and secret
fb_oauth <- fbOAuth(app_id="123456789", app_secret="1A2B3C4D",extended_permissions = TRUE)
fill website page as http://localhost:1410/ and autenthication was complete and I was able to make get some data from facebook. It seems that it is not so easy anymore.
When I try to follow exactly the same steps it seems that now I have to fill in my application (with some description, photos...) and "send" it to submission.
Do you have similar problem or I just miss something? I just want to use information from facebook for my own use, not for business or something. Is there any (other) way to get a token for R which allows me to get some information from Facebook without filling application. I don't think that filling it with some fake data will pass facebook verification.
I just want to use information from facebook for my own use
Then you don’t need to submit it for review.
See https://developers.facebook.com/docs/apps/faq#roles – it explains that you can ask any user that has a “role” in the app (meaning admin, developer or tester) for any permission without prior review.
For one, this is of course implemented this way, so that people can actually test the functionality they are developing properly. And it is also an “official loophole” for apps such as yours, that are for “private use” only, and not meant to be used by the general public in the first place.
(And this has nothing whatsoever with the Rfacebook package – it is the same for all apps, no matter what framework/SDK they might be using.)
UPDATE
As #CBroe said earlier, you do not need an approved app, you just need to add the users of the app as admin in the app's role menu in Facebook Developers.
Follow these steps and you will get your permanent FB token:
Create new application at https://developers.facebook.com/apps/ with basic setup
Fill in the app name in lower case and without the words Facebook or FB for display name and namespace, category set to Business
In "Settings/Basic" I added a new "Website" platform with the URL of http://localhost:1410/ and localhost as the "App Domain"
In the "Settings/Advanced" tab I added http://localhost:1410/ as the Valid OAuth redirect URIs
Then, run this code:
library(httr)
app <- oauth_app('facebook', appid, appsecret)
Sys.setenv("HTTR_SERVER_PORT" = "1410/")
tkn <- oauth2.0_token(
oauth_endpoints('facebook'), app, scope = c('ads_management', 'read_insights'),
type = 'application/x-www-form-urlencoded', cache = FALSE)
save(tkn, file = "~/Documents/RFiles/fb_token") # save the token for future use
Make sure you put 'read_insights' in scope, otherwise you are not telling Facebook what kind of permissions you want the app to take.
Finally you can use the token:
library(Rfacebook)
load("~/Documents/RFiles/fb_token")

Not able to get nJupiter.DataAccess.Ldap work with our Internal LDAP (Lotus Domino)

I've tried everything possible, to setup nJupiter.DataAccess.Ldap as the membership provider on our intranet based web application built using asp.net 3.5.
Challenges I am facing:
Not able to authenticate the user using the default login webpart (says Your login attempt was not successful. Please try again)
I tried this code and I receive a COMException : "There is no such object on the server."
var ldapMembershipUser = System.Web.Security.Membership.GetUser("username") as LdapMembershipUser;
if (ldapMembershipUser != null)
{
var givenName = ldapMembershipUser.Attributes["givenName"];
}
I have placed my web.config and the nJupiter.DataAccess.Ldap.config here:
web.config : http://pastebin.com/9XdDnhUH
nJupiter.DataAccess.Ldap.config : http://pastebin.com/WsSEhi98
I have tried all possible permutations and combinations for different values in the XML and i am not able to take it forward. Please guide. I just am not able to connec to the LDAP and authenticate the user or even search for users.
Just looking at your config is unlikely to be enough since I don't know your Domino server's confguration, so my answer isn't an attempt to fix your problem. It's an attempt to teach you how I would approach it if it were my problem. Here's what I do to troubleshoot connections and queries from code to Domino LDAP:
Configure the Domino LDAP server for logging the highest level of debug information with the notes.ini setting LDAPDEBUG=7. See this IBM technote for more info.
Use an LDAP client and figure out how to successfully connect to the Domino LDAP server. I like the free Softerra client for this. Check the logs and save off the info from your successful connection.
Now run your code and compare what you see in the logs against the successful connection.
If the code is making it past authentication but failing on the query, then find the actual query in the log, go back to your LDAP client, figure out what the query should have been, and adjust your code's configuration appropriately.

Getting Access Token Data From OAuth Template of Asp.net

I'm trying to get access token of facebook client when a user logged in with asp.net's oauth template. But I couldn't acquire the access token when i tried some methods that i found on internet like;
AuthenticationResult result = OpenAuth.VerifyAuthentication("RegisterExternalLogin.aspx");
string actok = result.ExtraData["accesstoken"];
This try wasn't successfull. How can i acquire the access token?
I see noone has replied to your question even though it has been 10 days so I'll take a stab at it.
You mentioned that you are using asp.net's OAuth template. So I think you are looking at the line
AuthenticationResult result = OpenAuth.VerifyAuthentication("RegisterExternalLogin.aspx");
in the ExternalLoginCallback() action in AccountController.cs
As far as I can tell your syntax is correct. In fact also tested it out myself and it works. I guess you can try another way of accessing the same property
String myaccesstoken_value1 = result.ExtraData.Values.ToArray()[5];
That will give you the same result as result.ExtraData["accesstoken"]
If that does not work either then I would imagine that there is some problem with the authentication itself, rather than with your syntax here. I'm assuming you have VS2012 Express, so use the debugger to see what values are present in your variable 'result'. If it is empty, then it would indicate why you second statement errors out, and it would also indicate that there is a problem in the code before you get to this point.
Also keep in mind during testing that when you log into your app using OAuth providers such as Facebook, even when you log out of the website you continue to remain logged into facebook. You actually have to go to facebook.com and click logout there also (unless you write some additional code in your asp.net app to do a remote logout). I don't know if this applies to your situation, just giving you a heads up.
Please vote if this helps.

How to use SharpSVN in ASP.NET?

Trying to use use SharpSVN in an ASP.NET app. So far, it's been nothing but trouble. First, I kept getting permission errors on "lock" files (that don't exist), even though NETWORK SERVICE has full permissions on the directories. Finally in frustration I just granted Everyone full control. Now I get a new error:
OPTIONS of 'https://server/svn/repo': authorization failed: Could not authenticate to server: rejected Basic challenge (https://server)
This happens whether I have the DefaultCredentials set below or not:
using (SvnClient client = new SvnClient())
{
//client.Authentication.DefaultCredentials = new System.Net.NetworkCredential("user", "password");
client.LoadConfiguration(#"C:\users\myuser\AppData\Roaming\Subversion");
SvnUpdateResult result;
client.Update(workingdir, out result);
}
Any clues? I wish there was SOME documentation with this library, as it seems so useful.
The user you need to grant permission is most likely the ASPNET user, as that's the user the ASP.NET code runs as by default.
ASPNET user is a local account, preferably youd'd want to run this code in an Impersonate block, using a network account set up for this specific reason

Connecting an ASP.NET application to QuickBooks Online Edition

I am trying to create an ASP.NET page that connects to QuickBooks Online Edition, read a couple of values, and display the results. So far I have downloaded the QuickBooks SDK but I have been unable to find a simple step-by-step example on how to create an asp.net page to connect to QuickBooks Online. The QuickBooks SDK documentation and the SDK itself is very confusing and overwhelming. Anyone know of a simple step by step tutorial on where to get started... or maybe a hint on the very first thing to do.
Yishai's answer is partially correct, but not entirely.
You can have your ASP .NET application log in and issue requests without having to send the user over to the QuickBooks Online log in page if you make sure to set the security preferences correctly when you connect up your application to QuickBooks Online Edition.
During the application registration process/connection process, it will ask you if you want to turn on or off login security with a prompt as below. You must tell it you want to turn off login security if you want to be able to access QuickBooks Online Edition data without forcing the user to log in every time. The prompt is something like:
"Do you want to turn on login security?"
You must select:
"No. Anyone who can log into [Application Name] can use the connection".
Outside of that, Yishai is correct about the process. To re-iterate, in a nutshell:
Register for a QBOE account
Register your integrated application with Intuit's AppReg service
Visit a specific link to tie your AppReg application to your QBOE account (make sure you turn off login security when it asks you!)
Make HTTPS POST requests to Intuit's servers to sign on using the connection ticket Intuit will provide you with
Make HTTPS POST requests to send qbXML requests to Intuit's servers, which you can use to add, modify, delete, and query records within QuickBooks Online Edition.
There is some additional documentation and some example requests on my QuickBooks development and integration wiki, specifically the QuickBooks Online Edition integration page.
I have built a solution that does what you're asking in PHP which adds, modifies, and queries data within QuickBooks Online Edition without requiring the user to log in everytime, and it works like a champ. It pushes and pulls order data between a PHP shopping cart (VirtueMart) and QuickBooks Online Edition. The PHP code is available here:
QuickBooks PHP Framework
As a side note, unless you're very familiar with generating SSL certificates and sending them via HTTPS POSTs, you'll save yourself a whole lot of trouble by using the DESKTOP model of communication, and not the HOSTED model. Just make sure to keep your connection ticket securely encrypted.
Also, Yishai's suggestion to: "One is to programatically hit up their login page and submit the credentials as if you were a user. I'm sure its not "supported" but it would likely work." goes specifically against the security/developer guidelines Intuit and the SDK set forth. If they catch you doing that, they'll ban your application from connecting to QuickBooks.
Here are all the steps I took to get this working. Special thanks to Keith Palmer for his comments, answers, and his website which really helped me get this working.
Register your application at http://appreg.quickbooks.com. This will give you your App ID and Application Name. I used these settings:
Target Application: QBOE
Environment: Production
Application Type: Desktop
(using Desktop made things much easier as far as not needing certificates)
A verification key is sent to your email address which you need to enter on page 2 of this wizard.
Set up your QBOE Connection. Once you finish registering your application in Step 1, you will then have an Application ID. Use this ID in the url below to set up your QBOE Connection:
https://login.quickbooks.com/j/qbn/sdkapp/confirm?serviceid=2004&appid=APP_ID
NOTE: Make sure to replace APP_ID in the above url with the Application ID that was created when you registered your application.
The wizard will take you through the following steps:
Specifying a name for your connection.
Granting Access Rights - I gave All Accounting rights since this was easiest.
Specify Login Security - I turned Login Security Off. This is important since it makes submitting the xml to the QBOE much easier since you do not need to get a session ticket for each user.
You will then be given a Connection Key.
At this point you now have the 3 important pieces of information in order to gain access to your QuickBooks Online Edition (QBOE) account.
Application Name
Application ID
Connection Key
Post the XML to QBOE with the 3 pieces of access information and the actual request into your QBOE database. Here is sample c# code that will post to the QBOE gateway. This will return all customers in your QuickBooks database. Make sure to update the xml below with your Application Name, Application ID, and Connection Key.
string requestUrl = null;
requestUrl = "https://apps.quickbooks.com/j/AppGateway";
HttpWebRequest WebRequestObject = null;
StreamReader sr = null;
HttpWebResponse WebResponseObject = null;
StreamWriter swr = null;
try
{
WebRequestObject = (HttpWebRequest)WebRequest.Create(requestUrl);
WebRequestObject.Method = "POST";
WebRequestObject.ContentType = "application/x-qbxml";
WebRequestObject.AllowAutoRedirect = false;
string post = #"<?xml version=""1.0"" encoding=""utf-8"" ?>
<?qbxml version=""6.0""?>
<QBXML>
<SignonMsgsRq>
<SignonDesktopRq>
<ClientDateTime>%%CLIENT_DATE_TIME%%</ClientDateTime>
<ApplicationLogin>APPLICATION_LOGIN</ApplicationLogin>
<ConnectionTicket>CONNECTION_TICKET</ConnectionTicket>
<Language>English</Language>
<AppID>APP_ID</AppID>
<AppVer>1</AppVer>
</SignonDesktopRq>
</SignonMsgsRq>
<QBXMLMsgsRq onError=""continueOnError"">
<CustomerQueryRq requestID=""2"" />
</QBXMLMsgsRq>
</QBXML>";
post = post.Replace("%%CLIENT_DATE_TIME%%", DateTime.Now.ToString("yyyy-MM-ddTHH:mm:ss"));
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(post);
post = xmlDoc.InnerXml;
WebRequestObject.ContentLength = post.Length;
swr = new StreamWriter(WebRequestObject.GetRequestStream());
swr.Write(post);
swr.Close();
WebResponseObject = (HttpWebResponse)WebRequestObject.GetResponse();
sr = new StreamReader(WebResponseObject.GetResponseStream());
string Results = sr.ReadToEnd();
}
finally
{
try
{
sr.Close();
}
catch
{
}
try
{
WebResponseObject.Close();
WebRequestObject.Abort();
}
catch
{
}
}
Couple things to note:
As pointed out by Keith Palmer the qbxml version needs to be 6.0 (even though the IDN Unified On-Screen Reference shows 7.0)
I needed to include the onError="continueOnError" attribute.
Setting the WebRequestObject.ContentLength property is required.
Content Type needs to be "application/x-qbxml"
And finally I received many "The remote server returned an error: (400) Bad Request." exceptions which were not helpful at all but in the end I was able to trace them to something wrong with the xml. So if you get this exception look to your xml as the source of the problem.
The outline of what you have to do are outlined in Chapter 7 of the QBSDK documentation (at least in the 7.0 version of the SDK that I have). You have to open a test account and get permission to connect to their servers.
Once you have your account setup, the basic authentication procedure consists of redirecting your user to the QuickBooks Online site to log in, and once the user has done that, QuickBooks calls back your application with an HTTPS post with a ticket, which is basically a session handle that you can use for your requests, so that the system knows you are authenticated. When you get that response, you parse it and send your own login request to the system based on what you got back.
Then (if I understood the documentation correctly) you are basically doing Https POSTS of xml files with the QuickBooks requests, and you get XML responses that you have to parse to get the data you want.
I hope that gets you started.
The rest of the SDK is documentation (which you will need to know how to form your requests and parse your responses) and everything else is concerned with how to communicate with the desktop product. The only thing you are going to need from the rest of the documentation is how to do error handling, which is really only important if you are posting data to QuickBooks. If you are just reading, it doesn't matter (either your request works out or it doesn't, you don't need to worry about if you need to retry or if that would result in duplicate data).
EDIT: Given your specific use case I see two options. (You aren't crazy, just not the typical QuickBooks Online scenario).
One is to programatically hit up their login page and submit the credentials as if you were a user. I'm sure its not "supported" but it would likely work.
The other is to cache the results (which you should probably do anyway) and have an admin screen where someone does log into QuickBooks online and update the results every morning or evening or whatever makes sense.
In most small businesses, they are going to opt for the first option, but the second one is going to work more consistently, robustly and actually be supported by Intuit if you have an issue.
This looks pretty close to what you need: www.QuickbooksConnector.com
Wasn't able to download it yet.

Resources