Using ARC's Authorization editor - advanced-rest-client

I'm using the advanced REST client and want to create a request with a Java Web Token.
Hence I used the authorization editor and selected "Bearer" and inserted my token into the respective field.
I assumed that the Authorization Editor automatically generates the header for the authorization, but the request doesn't seem to work (I got a role error due to the missing authentication).
When I type the Authorization header manually, it works.
So how can I use the Authorization Editor to automatically insert the information into the header?

I'm the author of the application. There was a bug in version 16 regarding this issue. This upcoming release (currently in beta) has this fixed.

Related

How to disable SAS authorization for Logic App?

Is there a way to disable the SAS authorization scheme for a Logic App HTTP-trigger?
In the documentation I read the following:
"Inbound calls to a request endpoint can use only one authorization scheme, either SAS or Azure Active Directory Open Authentication. Although using one scheme doesn't disable the other scheme..." - Source: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
What I'm trying to do:
I would like to disable the SAS authorization scheme. The logic app should not be triggered when the correct SAS parameter is provided. Or, if SAS authorization can't be deactivated, then it should return an error in the case that SAS was used. Only OAuth authorization should give a valid result. Is this possible?
We can't disable the SAS authorization in a logic app and, according to some research, it seems we can't have it return an error in the case that SAS was used. For your requirement of disabling SAS, you can go to the feedback page and raise a post to suggest the development team add this feature.
The Logic App only accepts authorization through either SAS or OAuth and it returns an error when both a SAS query parameter and an Authorization header are provided. This means there are two scenarios:
Authorization header is present, so authorization was acquired using OAuth
Authorization header is missing, so authorization was acquired using SAS
By default the Logic App removes the Authorization header from the incoming request. You can bypass this default behavior by adding the operationOption to the Request trigger, see here:
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-workflow-actions-triggers#operation-options

Set the logo for an Azure Application using Microsoft Graph

Using the Microsoft Graph API it is possible to create Azure Applications using the applications end point.
https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
An application has a logo and when you add it through the Azure Portal then the info/logoUrl property has a value. How do you set the logo through the graph? I've tried setting it to a url and there is no error, but the value does not get set.
Microsoft Graph API v1.0 now supports uploading logos, although I was unable to find this particular endpoint in their documentation; this may be because the v1.0 API is only a couple of weeks old at the time of writing.
Request:
Content-Type: image/png
PUT https://graph.microsoft.com/v1.0/applications/<object-id>/logo
<binary content>
In Postman, you can set binary body content by going to Body and then clicking binary from the radio buttons. Make sure you set the Content-Type header accordingly, e.g. image/png for a .png file.
You will receive a 204 No Content empty response on success; it appears to take effect immediately in the Azure Portal when viewing the App Registration.
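To make the request in this answer reproducible outside Postman, here is an added Python example (not code from the answer, from Microsoft, or from Postman) that builds the PUT /applications/{object-id}/logo request. It sniffs the Content-Type from the image's magic bytes instead of trusting the file extension, and enforces a client-side size cap before anything is sent. The cap value, the accepted formats, and the SAMPLE_PNG bytes are assumptions made for the example; the page gives no exact size limit.

```python
from dataclasses import dataclass
import urllib.error
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"

# Leading bytes of the two image formats this example accepts (assumption:
# the page only shows a .png and a .jpg being uploaded, so these two suffice).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Constructed sample input: a PNG signature padded with zero bytes. It is not
# a renderable picture, only enough for the content-type sniffing below.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


@dataclass(frozen=True)
class PreparedRequest:
    method: str
    url: str
    headers: dict
    body: bytes


def detect_image_content_type(data: bytes) -> str:
    """Pick the Content-Type from the file's magic bytes rather than trusting
    the file extension, so a mislabelled file is rejected before upload."""
    for magic, content_type in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return content_type
    raise ValueError("body is not a PNG or JPEG image; refusing to upload")


def build_logo_upload(object_id: str, image: bytes, access_token: str,
                      max_bytes: int = 100 * 1024) -> PreparedRequest:
    """Build PUT /applications/{object-id}/logo as shown in the answer.

    max_bytes is an assumed client-side cap: the page reports an 'excessive
    number of bytes' error for large pictures but states no exact limit.
    """
    # Keep the object id from altering the path or adding a query string.
    if not object_id or any(c in object_id for c in "/?#"):
        raise ValueError("object_id must be a bare application object id")
    if len(image) > max_bytes:
        raise ValueError(f"logo is {len(image)} bytes, above the {max_bytes}-byte cap")
    return PreparedRequest(
        method="PUT",
        url=f"{GRAPH_V1}/applications/{object_id}/logo",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": detect_image_content_type(image),
        },
        body=image,
    )


def send(req: PreparedRequest) -> int:
    """Send the prepared request over HTTPS and return the status code.
    The answer reports 204 No Content on success. Needs network and a token."""
    http_req = urllib.request.Request(req.url, data=req.body,
                                      method=req.method, headers=req.headers)
    try:
        with urllib.request.urlopen(http_req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    prepared = build_logo_upload("<object-id>", SAMPLE_PNG, "<access-token>")
    print(prepared.method, prepared.url, prepared.headers["Content-Type"])
```

Replace the placeholders with a real application object id and an access token that carries the application-management permission you were granted, then call send(); a return value of 204 matches what the answer reports.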
As mentioned in another reply, the info/logoUrl is read-only in Microsoft Graph; we cannot set it directly. Also, per my test, even though the request returns 204, it does not take effect.
My workaround is to use the Azure AD Graph API; you could try the request below in Postman, it works on my side.
Request URL:
PUT https://graph.windows.net/<tenant-id>/applications/<object-id>/mainLogo?api-version=1.6
In Postman, Authorization -> Bearer token -> fill in your token; in the Body, select binary -> Select file, then Send.
Note: Your picture cannot be large; otherwise you will get a "The stream write request would result in an excessive number of bytes being written" error.
Check in the portal:
Besides, if you just want to set the logo programmatically, you could use the PowerShell cmdlet Set-AzureADApplicationLogo; it is the easiest way I can find.
Set-AzureADApplicationLogo -ObjectId <object-id> -FilePath C:\Users\joyw\Desktop\pic1.jpg
I'm afraid we can't modify the logo through the Microsoft Graph API.
The info/logoUrl is read-only based on informationalUrl resource type.

MS Graph, daemon app 401 unauthorized on Files.ReadWrite.All calls

UPDATE: I've received notice from Microsoft that this problem is a bug in the Graph API. They're working on a solution.
I'm using the new v2.0 OAuth flow to authenticate my app for use with Microsoft Graph to make it able to list any user's files, download and upload files in any user's OneDrive and set permissions on files. This without the user being logged in, that is, running it as a service account/daemon.
I've set up a new "Converged application" in the new Application Registration Portal. I've set all necessary scopes/application permission, including Files.ReadWrite.All. (I actually checked all possible boxes...). In the Microsoft Graph docs this should be the only scope necessary when calling the endpoints I'm interested in:
/v1.0/users/{userID}/drive
/v1.0/users/{userID}/drive/items/{ItemID}/children
/v1.0/users/{userID}/drive/items/{ItemID}/content
/v1.0/users/{userID}/drive/items/{ItemID}/invite
/v1.0/users/{userID}/drive/items/{ItemID}/createLink
Then I've followed the documentation for the Client Credentials flow, including giving Admin Consent to the app for use in my company tenant.
I'm successfully receiving an access token. After receiving the access token I've double checked at jwt.io that the token actually contains all scopes (incl. Files.ReadWrite.All).
I'm able to use this access token to get any user's drive and list any user's files (the first two endpoints listed above). I've also tried to get thumbnails of any user's files, which works fine. But as soon as I try to download a file, add permissions to a file or create a Sharing Link (the last three endpoints listed above), I receive a 401 Unauthorized error. From this, I assume the scope Files.Read.All works fine, but the scope Files.ReadWrite.All is not working.
As far as I can understand from the Scopes documentation, the scopes I'm trying to use should work. In the "App-only permissions requiring administrator's consent" section, it describes Files.ReadWrite.All as:
Allows the app to read, create, update and delete all files in all site collections without a signed in user.
I've hit a wall. Are there limitations to the new v2.0 OAuth token and/or Microsoft Graph regarding App-Only access that I'm missing?
Closing the loop for those who stumble on this question. There was an issue with Files.ReadWrite.All in App-Only scenarios when it came to uploading or changing permissions of a file.
The issue with downloading is unrelated. Authorization errors when downloading a file stem from passing an Authorization header in the download request. The `/content` endpoint returns a URL that can be used to download the file. This is a pre-authorized URL that exists for a short period of time. Passing an Authorization header in that request results in an error since it doesn't expect to receive such a header, nor can it determine which credentials it should use (super-oversimplification, but this is the general idea).
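The download failure described in this answer is a redirect-handling problem on the client: the bearer token must go to Graph, but must not be forwarded to the pre-authorized URL that Graph redirects to. The following added Python example (not code from the answer or from Microsoft) follows the redirect by hand and drops the Authorization header whenever the hop changes host, and records where the token was sent so the behaviour can be audited. The fake transport, the storage.example.invalid host and the payload are constructed stand-ins; no network access is made.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""


# A transport is anything with the shape send(method, url, headers) -> Response,
# so the same download logic can run against a real HTTP client or the fake below.
Transport = Callable[[str, str, Dict[str, str]], Response]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def download_content(send: Transport, content_url: str, access_token: str,
                     strip_auth_on_cross_host: bool = True,
                     max_hops: int = 3) -> Tuple[Response, List[Tuple[str, bool]]]:
    """GET /drive/items/{id}/content and follow the pre-authorized redirect.

    Returns the final response plus a trace of (url, bearer_token_sent) per hop.
    With strip_auth_on_cross_host=True the token never leaves the Graph host,
    which is the behaviour the answer calls for.
    """
    url = content_url
    headers = {"Authorization": f"Bearer {access_token}"}
    trace: List[Tuple[str, bool]] = []
    for _ in range(max_hops + 1):
        trace.append((url, "Authorization" in headers))
        resp = send("GET", url, dict(headers))
        if resp.status not in REDIRECT_STATUSES:
            return resp, trace
        location = resp.headers.get("Location")
        if not location:
            raise RuntimeError(f"redirect {resp.status} without a Location header")
        # The pre-authorized URL carries its own credential in the URL; a bearer
        # token for a different host must not be attached to it.
        if strip_auth_on_cross_host and urlsplit(location).netloc != urlsplit(url).netloc:
            headers.pop("Authorization", None)
        url = location
    raise RuntimeError("too many redirects")


# ---- constructed fake environment for the demonstration -------------------
GRAPH_HOST = "graph.microsoft.com"
STORAGE_HOST = "storage.example.invalid"   # constructed stand-in for the download host
PAYLOAD = b"constructed file contents"
CONTENT_URL = f"https://{GRAPH_HOST}/v1.0/users/user-1/drive/items/item-1/content"


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Mimics the behaviour the answer describes: Graph wants the bearer token
    and answers with a redirect; the pre-authorized host rejects any token."""
    host = urlsplit(url).netloc
    if host == GRAPH_HOST:
        if headers.get("Authorization") != "Bearer app-token":
            return Response(401, {})
        return Response(302, {"Location": f"https://{STORAGE_HOST}/download?tempauth=pre-authorized"})
    if host == STORAGE_HOST:
        if "Authorization" in headers:
            return Response(401, {})
        return Response(200, {}, PAYLOAD)
    return Response(404, {})


if __name__ == "__main__":
    ok, trace = download_content(fake_transport, CONTENT_URL, "app-token")
    print(ok.status, trace)
    bad, _ = download_content(fake_transport, CONTENT_URL, "app-token",
                              strip_auth_on_cross_host=False)
    print(bad.status)
```

Against a real HTTP library the same rule applies: either disable automatic redirects and follow them yourself as above, or check that the library already strips Authorization on cross-host redirects, since a client that forwards the header reproduces the 401 from the answer and also hands the daemon's token to whatever host the Location header names.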

Is this how Spring Security CSRF Protection Works?

I've looked at the following SO example which says that a unique token must be placed in the URL posting data.
That way if anyone creates a url like http://example.com/vote/30 it won't work because it does not contain the unique token.
I'm also reading through this tutorial which places an XSRF-TOKEN in the header. I'm just curious as to how this provides protection because if the user is logged in and clicks on http://example.com/vote/30 won't that request still pass?
In other words, if I'm logged in and someone sends me the http://example.com/vote/30 link in an email and I click on it, won't that link still pass the CSRF check, or will the browser not send the required headers since the link will most likely open in a new tab?
It seems like when the link is clicked the new tab will request the page. However, the new browser window will not have the same XSRF-TOKEN that the logged-in browser window has? Am I understanding this correctly?
CSRF
The above article offers a good explanation of what a CSRF attack looks like. The basic premise is you don't want a malicious website to make use of a valid session you have on another website. You prevent this by using a CSRF token. The malicious website doesn't have access to this token so it won't be able to make any POST requests on your behalf.
Spring Security CSRF
When using Spring Security, CSRF protection is enabled by default. The token is automatically configured when using supported HTML templating engines like Thymeleaf, but you can easily set it up on your own by following the documentation.

How to protect my api call from CSRF attack

I am working on an AngularJS app, and tried to make a simple login page and tried to request my server API to authenticate my login call. Here is what I planned to do and how.
Note: I am assuming that server is responsible for validating my token and request.
Provide username password to server via API call.
On getting authenticated the server will generate a token for my App(through which i made a call).
I stored this in my browser's COOKIE.
This cookie (auth token) will be further used by the app to make each and every HTTP call to the API.
Now this approach is working fine for me, but I believe it is openly available for CSRF attack.
In order to avoid the CSRF attack from my browser, I provide an app ID or (version ID) to my code which also travels with the cookie to the API for the HTTP call.
The idea behind using this version ID or app ID is that it can be treated as a signature of my code, i.e. the request is coming from the signed (verified) app which has been allotted the token = cookie value.
I just want to know how good my approach is and how secure it is from my basic app's point of view and for my major (wide project) app.
Here I am trying to show it via a rough diagram.
Apologies for this tiny view and bad handwriting of the diagram.
Backend frameworks like Laravel have this pretty much built in: csrf-protection.
You can pass the token to Angular by using angular's constant function: $provide#constant.
So after you initialize your app you could say: angular.module('myApp').constant('CSRF_TOKEN', '<?php echo csrf_token(); ?>'); and Laravel would do the rest. If you would want to implement a technique like this yourself, you should look into Laravel's source code: https://github.com/laravel/framework/blob/a1dc78820d2dbf207dbdf0f7075f17f7021c4ee8/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php.
Adding App ID + Version ID to each request won't protect your system from a CSRF attack, unless these are in a custom header - and if they are you might as well just use X-Requested-With because any non standard header is protected going cross domain, provided you haven't enabled CORS with an open policy.
The reason that checking App ID + Version ID set in the query string or POST data doesn't work is that the attacker can readily gain this information and add the App ID + Version ID to their cross-site requests. Another method that would work for you is the Double Submit Cookies technique. Generate a random 128-bit string using a CSPRNG and then set this as a cookie value (e.g. CSRFCookie). On each request to your API, also pass this value, e.g. in the query string: CSRFCookie=<generated value>. On the server side you simply check that the values match. An attacker does not know the cookie value, therefore they cannot add the same value to the query string.
This method does have some minor vulnerabilities, only really exploitable in a MITM scenario or if you do not control all subdomains. Short answer: Use HTTPS only for all your subdomains and implement HSTS.
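Both the Spring Security answer earlier on this page and the double-submit answer above rely on the same property: a cross-site page can make the browser attach the victim's cookie, but cannot read it and cannot set non-standard headers without CORS permission. The following added Python example (not code from either answer, nor from Spring Security, Laravel or Angular) implements the server-side half of the double-submit technique exactly as the answer describes it: a 128-bit CSPRNG cookie value, a copy of it in the query string (or, as an assumed alternative, an X-CSRF-Token header), a constant-time comparison, and an optional requirement for the X-Requested-With header the answer also mentions. Safe methods (GET, HEAD, OPTIONS) are exempt, which is the standard CSRF rule and also Spring Security's default; the Request class and the header name X-CSRF-Token are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

CSRF_COOKIE = "CSRFCookie"        # cookie name used in the answer
CSRF_PARAM = "CSRFCookie"         # query-string field carrying the copy
CSRF_HEADER = "X-CSRF-Token"      # assumed alternative carrier for the copy
CUSTOM_HEADER = "X-Requested-With"  # non-standard header the answer suggests
TOKEN_BYTES = 16                  # 128 bits, as the answer recommends
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def issue_csrf_cookie() -> str:
    """Value to set as the CSRFCookie when a session starts; CSPRNG-backed."""
    return secrets.token_hex(TOKEN_BYTES)


def csrf_ok(req: Request, require_custom_header: bool = True) -> bool:
    """Double-submit check: the cookie the browser attached must equal the
    copy the page's own script placed in the query string or header."""
    if req.method.upper() in SAFE_METHODS:
        return True  # state-changing methods only; a plain link click is a GET
    cookie = req.cookies.get(CSRF_COOKIE, "")
    submitted = req.query.get(CSRF_PARAM) or req.headers.get(CSRF_HEADER, "")
    # Reject an absent cookie outright; otherwise "" == "" would pass below.
    if len(cookie) != 2 * TOKEN_BYTES:
        return False
    # Constant-time comparison so timing does not leak the cookie value.
    if not hmac.compare_digest(cookie, submitted):
        return False
    if require_custom_header and CUSTOM_HEADER not in req.headers:
        return False
    return True


def demo() -> Dict[str, bool]:
    """Constructed requests: one from the app's own script, one a cross-site
    page could cause. The browser attaches the cookie to both, but only the
    app's script can read the cookie value and copy it into the request."""
    token = issue_csrf_cookie()
    legitimate = Request("POST",
                         cookies={CSRF_COOKIE: token},
                         query={CSRF_PARAM: token},
                         headers={CUSTOM_HEADER: "XMLHttpRequest"})
    cross_site_form = Request("POST",
                              cookies={CSRF_COOKIE: token},   # attached by browser
                              query={CSRF_PARAM: "0" * 32})   # guess, not the cookie
    return {
        "legitimate": csrf_ok(legitimate),
        "cross_site_form": csrf_ok(cross_site_form),
        "link_click": csrf_ok(Request("GET", cookies={CSRF_COOKIE: token})),
    }


if __name__ == "__main__":
    print(demo())
```

The App ID + Version ID idea from the question is absent here on purpose: a value embedded in shipped client code is public, so it adds nothing a forged request cannot also carry, whereas the cookie value above is unreadable across origins.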
