It's pretty easy to upload the images to the server but what I want is to load the images from the server on the browser but as the images are protected using JWT access control the backend is throwing Access Denied error.
Is there any way by which we can add the authorization header to the requests going to the backed to load the images?
Did not find any way to solve this issue.
Related
We have a React App which is hosted inside an ASP.NET Core site hosted on an IIS Server.
Originally we had the React App hosted on its own in IIS and protected by HTTP Basic Auth on our Staging server. This worked fine.
We then moved to hosting the React App inside the ASP.NET Core site. This has now caused problems with Basic Auth. If the user enters the site through just the domain they can authenticate with Basic Auth and everything works. However is the user refresh a page in their browser, the Basic Auth header is no longer sent and causes the server to challenge the user again for their username and password. For our testers this makes their lives very hard.
We have reproduced this in both Firefox and Chrome.
Using Fiddler we are able to request the pages/documents directly with the Basic Auth header, so we know that direct access is possible. We just don't understand why the browser is removing the header on a refresh.
IIS basic authentication is not cookie-based authentication. client just send user credential to client side with authorization header. It looks like the fresh page action will clean the cache or override that header. Please check this on other web browser like edge or IE.
i am trying to login with my facebook but i am getting following error.How can i solve this
URL blocked: This redirect failed because the redirect URI is not white-listed in the app's client OAuth settings. Make sure that the client and web OAuth logins are on and add all your app domains as valid OAuth redirect URIs.
Instead of going accessing the webpage, you use the facebook API instead, they have an open API, where you get an API Key, so Facebook can verify, your application, and not block your request.
https://developers.facebook.com/
depending on your use case, they have several open endpoints, that you can access to get different data, about users, applications etc. For security measures, it is always considered the best practice to use an open API to fetch data, from a specific website.
I am currently developing a web application that has separate API and Front end.
For production purpose, I wish to develop the web app locally while hosting the API on the remote server.
The issue is the API is behind a SAML authentication along with Mod Auth in second stage.
Using postman and wget I am able to access the API endpoint by adding a auth_tkt cookie in the request.However I am unable to access the same using AJAX.
I need help in executing the same.
Just to help anyone else facing similar problem. The solution to this problem is using chromium with disabled security. It sends your session cookies along with the request. Also there is no problem of CORS that was coming in picture before.
I have an application developed in Angular JS and Webapi. I have used token based authentication using OWIN Framework. The application is deployed in a Software company and few developers who have knowledge on this techstack, use Chrome developer tool and access the api methods directly and bypass the validations in Client side. Is there a way to control this?
Please find the screen shot of chrome developer tool displaying Bearer token, Webapi method & its payload.
You can't really hide HTTP request showing up on browsers. What you can do is control who gets hold of that access token, its expiry time and what permissions and claims he has.
You can't hide the browser's activities from a user running that browser.
A token should be generated only upon successful login using right credentials and that token showing up on the developer tool can be used to call the API's from tools like the postman until it's expiry(so, set a shorter expiry).
Token A generated using credential of user A should not have the permission to manipulate data of user B and this should be handled explicitly.
So, the one option is that user A can steal his own access token and use it to manipulate only his own data unless the token is alive.
I'm plan on deploy a Java application to Google AppEngine and use federated login (still experimental according to Google). The application is pretty simple Java EE application which expose RESTful interface for simple CRUD operations.
I then want to be able to authenticate to this application using Windows Client Application written in C#.
I think the application should be able to open a window with a browser in ti which will present the login page of my web application and after successful authentication I should be able to get the login token or a cookie to use in the rest of my HTTP requests.
Is it possible to do such thing using federated login? I've found a post explain how to do it using google proprietary login.
Thank you,
Ido.
I've manage to make this work much easier then I thought it would be.
When I send HTTP request to my web service I get 302 Found response with response header name Location which point to the login page.
I use WebBrowser control, register to it Navigated even and navigate to the URL in the Location header.
When the Navigated even fire I use the code from this answer to get the cookies container.
I check each cookie until I find one with the name ACSID and store it.
For every web request to my service I add cookie name ACSID with the value saved at step 4.
This is not the most secure way of doing this. I will add check for the domain of the cookie but this looks good.