I was following the tutorial at here to get access tokens for accessing Facebook from a web browser. Basically, this tutorial instructs people to get a URL in form of
http://www.facebook.com/dialog/oauth/?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URL
&state=YOUR_STATE_VALUE
&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES
Then the user logs in in a dialog. Afterwards, the web browser will go to the redirect_uri followed by an access time and an expiration time in form of
YOUR_REDIRECT_URI#
access_token=USER_ACCESS_TOKEN
&expires_in=NUMBER_OF_SECONDS_UNTIL_TOKEN_EXPIRES
It worked fine with Chrome and Firefox. But IE won't show the access token after the redirect_uri. Actually it does not show any parameters in the return url. I have tried IE on two different computers, with the same problem occurring.
Anybody knows why the problem occurs and how to fix it? Any help is much appreciated!
Related
I want to open a website in my mobile app to make the user log in to a specific page (so he can trust that it's the real website), if the login succeeds, there is data in the response which I need for my application. Is there a way to get the response data from the Xamarin.Essentials WebView or Browser or something else?
Some additional Information after Juan Sturla's hint:
I've got this url:
https://steamcommunity.com/openid/login?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.mode=checkid_setup&openid.ns=http://specs.openid.net/auth/2.0&openid.realm=https://MYAPP&
openid.return_to=https://MYAPP/signin/
This link refers to the Steam login page. Can I somehow tell the Authenticator to return to the app after logging in without setting up a Backend? Like is it somehow possible to magically bind the app as return URL? I'm on iOS btw.
Thanks a lot in advance
We have been working on an app that requires access to a users google calendar. We have been using the grantOfflineAccess() method described in google api's documentation - https://developers.google.com/identity/sign-in/web/reference#googleusergrantofflineaccessoptions
However, the problem we are facing is that this opens a pop up and we need to do this via a redirect. Does anyone have any ideas todo this without a pop up showing up?
Safari and Firefox block pop ups and this does not really work well on safari on mobile.
I was able to find a GitHub issue for this https://github.com/google/google-api-javascript-client/issues/288 but I have seen other websites do this without a pop up. You can check zendesk & frontapp.com - both of whom take offline grant for the users signing in.
Any ideas or help would be appreciated.
The only way to access a users data is to have a user grant you permission to access that data. This is done though Oauth2 a user is promoted to login to their google account then they are given a screen with the scopes of permissions that you are requesting.
There is no way around this. YOu will always have to ask a user at lease once to grant you permission to access their data if you are requesting offline access you will be given a refresh token that you can use to request a new access token and access the users data when they are not online.
As for popups they shouldn't be displaying as popups they should be opening in a new browser window.
I was going through AzureAD msal library for javascript. I tried to run the test app given in the same github link.
The app runs smoothly with facebook or microsoft account login. But when I try to login with twitter, it throws the following error:
Refused to display 'https://api.twitter.com/oauth/authenticate?oauth_token=....' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://tweetdeck.twitter.com https://tdapi-staging.smf1.twitter.com https://tdapi-staging.atla.twitter.com https://tweetdeck.localhost.twitter.com".
Also, the example works well when I have a single google account logged-in in my browser or when I enter google credential on the google login page. But when I have multiple google accounts logged-in and choose one of them for the app, it throws the following error:
Refused to display 'https://accounts.google.com/o/oauth2/auth?.....' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
In both the cases (twitter and multiple google accounts), the login happens, id token is generated but it fails to get access_token using acquireTokenSilent() and throws the above mentioned error. Then because of the acquireTokenpopup(), the login popup window shows again and when I enter my same credentials again, I get the access_token.
I have tried using loginRedirect() & acquireTokenRedirect() instead of popup but I have seen the same behavior.
What I have understood so far:
In the error cases, iframe is trying to add the google/twitter link into iframe src in the app home page (which is obviously not allowed).
In case of successful acquiring of access_token, I saw the iframe src has a microsoft login link (https://login.microsoftonline.com ...).
Can somebody help me understand why is it happening? And if someone has got a way to solve this, please help me out.
I haven't changed anything in the code, I just wanted to understand how msal.js works so that I can implement it in another project.
Good day!
I've been googling for a long time, but still no success.
Problem:
Let's supose we have a google document, which have embeded into some site with iframe, following google docs guide. User have one tab in which he is authorized with it's account in google. He visites our site and see document. He can access it, edit it, and whatever he whants.
Now, he desides to change his auth in google, he logs out and than logs in with different account. He DOESN'T reload our site (because it is ajax based), and now he tries access our document. And here comes a fail. He sees a blank page. in chrome js console there is an error:
Refused to display https://**docs**.google.com/SamplePDFURL in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN.
In iframe src = "docs.google.com" .
What happens? When user changed authorization, it's cookies have been changed and he became not authed for this doc and google automaticaly redirects frame to account.google.com auth page. BUT! This auth page is on different domain ACCOUNT. , and since google follows "same origin" security policy, we get error in console and blank iframe for user.
How to work around this?
Please help somebody.
As I said, I didn't find any working solution for this.a
I have a small query. I have a website with login, I am allowing the user to be logged in only once. I took help of StackoverFlow to achieve that. Refer this: stackoverflow link
Here's the brief about it: When a user logs in I am adding a value to a session variable and application variable. And when user tries to loggin in again I check the session as well as Application variables and if it does not exists then I am allowing user to login. This is working perfectly fine in chrome but gives some issues in Firefox and IE. In Chrome I could still get the saved session variable even if browser is closed and opened again. But in case of IE and firefox I cannot do that. My session variable goes blank when user closes the browser and opens again.
How do I save my session variables even after user closes the browser? Does it have something to do with sessionState?
This is working perfectly fine in chrome but gives some issues in Firefox and IE.
That is because Chrome preserves session information. This feature isn't added to other browsers I am aware of. Since this feature isn't a documented standard, you can't rely on that.
Instead, you should set a cookie which contains a token and an expiration date. That cookie can be read when trying to log in the user.
The post How can I manually create a authentication cookie instead of the default method? can be useful to you since you use ASP.NET.