I am building my first ever Chrome browser extension and I am struggling to find the right solution for handling authentication. There is a requirement that the extension stay logged in as long as possible, to reduce the need for the user to log in often. This means we would need to use Refresh Tokens. I would very much like to handle all authentication on the background script but this is no longer persistent in MV3 nor does it have access to the DOM.
This being the case, I see these options:
use Auth0 React SDK on the content scripts - this means all my authentication logic will run in a somewhat less secure environment but the token will be handled by the library and I will be able to access it in all my content and popup scripts (if I need persistence across page refreshes, I would still need to use localStorage, I believe). But this means that the background script will not have access to the token and it will need one of the other scripts to retrieve it and send it through a message
implement the Authorization Code Flow with PKCE following the steps in this tutorial on the background script - this will mean that all my auth logic is running in a more secure environment but I don't have a way of storing the token, other than using chrome.storage. It's also a bit tricky to silently retrieve the token (or check if user is still logged in) from the background script (it can be done using an injected iframe and the web_message response type or with chrome.identitybut there are still issues with the redirect_uri which needs to be listed in the Allowed Origin config of the Auth0 app - so you can only easily do this on the pages of the extension).
I know that the recommended solution for an SPA is using the SDK but I would like to know if this is also the right solution for a browser extension. Based on this article on Token Storage, localStorage is dangerous especially due to third-party scripts. Seeing that the MV3 manifest has now removed the ability to execute remote code, is localStorage an acceptable way to store tokens?
I have implemented both options using the docs provided but I am unsure as to what is the best solution, given the changes introduced by MV3.
Thank you
New to the forum :) - first post. I am trying to set up DocuSign in Salesforce for a client and keep running into an issue when trying to create an envelope template. Some context: my client has a DocuSign Business account (not Gen/ Negotiate), I have added the documents, and can add non-merge fields fine. The only issue is when I try to place the merge field, not create it, I receive an error:
Save Error: Some fields might be out of sync. Unable to connect to the service. Failed to connect to the salesforce service.
So far I have tried: adding IP addresses to Salesforce, removed MFA authentication for API, I have tried clearing cache and cookies, in different browsers, and in incognito mode - no success. I think I just have missed a step in set up? OR is this just not a feature of the client's current account and they need to enable the "Gen" feature to use merge fields?
Appreciate the help - I am also new to Salesforce administration and coding - so I am learning as I go and bear with me if I am not picking up all the "lingo" up front.
It sounds like you're using the legacy DocuSign for Salesforce package if you're not using Gen/Negotiate, so there are typically a couple of issues that could cause the error that you're seeing. The first is a caching issue, so you could try in an incognito browser or by clearing cache and cookies for the browser.
The other issue could be that the connection between DocuSign and Salesforce was broken and needs to be connected again. If that's the case, you could follow the steps in this article. If you're still running into problems, I'd advise to reach out to the DocuSign support team so that they can take a look with you (https://support.docusign.com/).
I have an application system that developed based on IdentityServer4 and .NET Core 2.0. Just recently I noticed that log into the server will timeout in 30 minutes regardless of user activity. Client applications cannot launch other SSO enabled applications after the 30 minutes boundary. After 30 minutes, launching any new app will force user login. I looked at the cookies that might affect the SSO functionality, there are three: AspNetCore.Identity.Application, Identity.External and idsrv.session. But they are all browser session cookies. I don’t see how they would timeout. Anyone knows what’s going on?
My related settings:
Absolute Refresh Token Lifetime: 2592000
Access Token Lifetime: 3600
Authorization lifetime 300
Identity Token Lifetime: 300
mode777 is right. This issue is not related to IdentityServer4 nor OpenID Connect. It's related to the AspNetCore.Identity. I find this link very helpful and solved my timeout issue by adding a line like this:
services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));
So, what happened is this: After the 30 mins default interval, a request to the server will go through the user security stamp check. For some unknown reason, the logic that checks my user security stamp think the stamp is invalid and hence calls SignInManager's SignOutAsync, which kills everything. What I still don't understand is that my user security stamp is never changed! It shouldn't cause the invalidation. For now, I will let my application works with a much longer check interval, and will keep an eye on the security stamp.
First of all this is not a Identity Server 4 or OpenID Connect related issue. This concerns the local login probably goverened by Asp.Net Identity which is probably Cookie based (It all depends on your configuration - Startup.cs would be nice).
You can configure the session timeout for Asp.Net Identity which is described here: ASP.NET Identity Session Timeout
Have you tried that?
Digging though source code I found that the cause is missing SecurityStamp claim (default name: AspNet.Identity.SecurityStamp) in auth cookie (.AspNetCore.Identity.Application). After 30 minutes (default value for options.ValidationInterval) security stamp is validated against stamp in the store. If it's missing in cookie - validation fails immediately.
So the solution would be to put security stamp in the cookie.
In my case problem was caused because I was using wrong Sign-In method: HttpContext.SignInAsync instead of build-in Asp.Net Identity SignInManager.SignInAsync which is preferable to use in most cases. SignInManager.SignInAsync puts that claim in the cookie.
From my salesforce application, I need to connect to quickbook api and create vendors by a batch job.
For this Do I need to add whole Oauth process (add 'Connect to quickbooks' button and there will be a auth page, which when successfull will redirect me to the application).
Or there are other ways in which I can do this.
Can I use connection ticket. If yes, the how ?
Reall stuck here. Any help is appreciated.
Thanks,
You can have a look at IPP's docs. - https://developer.intuit.com/docs/0025_quickbooksapi
The only way to make a call to QBO endpoints is through 3-legged OAuth (using consumerKey, consumerSecret, accessKey and accessSecret). If you have desktop application then you need to have a web component/embedded browser for the first time users. Once you have the end-user tokens, you can store and reuse those for all future API calls.
If you create an app in appcenter, you'll get consumerKey and consumerSecret.
https://developer.intuit.com/Application/Create/IA
Using the above two tokens, you can generate accessToken and accessSecret using the OAuthPlayground.
https://appcenter.intuit.com/Playground/OAuth/IA
Devkit Download link - https://developer.intuit.com/docs/0025_quickbooksapi/0055_devkits
You need to plugin the above 4 tokens with java devkit code to make any QBO V3 REST call.
https://developer.intuit.com/docs/0025_quickbooksapi/0055_devkits/0201_ipp_java_devkit_3.0/0001_synchronous_calls/0001_data_service_apis
Re - Can I use connection ticket. If yes, the how ?
No, OAuth is the only process here.
Vendor API doc - https://developer.intuit.com/docs/0025_quickbooksapi/0050_data_services/030_entity_services_reference/vendor
Hope it will be useful.
Thanks
Apparently I do not need a 'Maps API key' to use the 'Google Geocoding API' according to:
http://code.google.com/apis/maps/documentation/geocoding/index.html
However, I obtain this:
{
"status": "REQUEST_DENIED",
"results": [ ]
}
Does this mean that my IP is blocked? What can I do to overcome this?
Until the end of 2014, a common source of this error was omitting the mandatory sensor parameter from the request, as below. However since then this is no longer required:
The sensor Parameter
The Google Maps API previously required that you include the sensor parameter to indicate whether your application used a sensor to determine the user's location. This parameter is no longer required.
Did you specify the sensor parameter on the request?
"REQUEST_DENIED" indicates that your request was denied, generally because of lack of a sensor parameter.
sensor (required) — Indicates whether or not the geocoding request comes from a device with a location sensor. This value must be either true or false
Remove the API key parameter and its value.
eg. https://maps.googleapis.com/maps/api/geocode/json?address=[YOUR ADDRESS]&sensor=true
I found that in my case, calling to the service without secure protocol (meaning: http), after adding the key=API_KEY, cause this issue.
Changing to https solved it.
I've noticed that you also get REQUEST_DENIED for some addresses if you don't properly URL encode your address. For example, in
123 Main St #B, Mytown, CA 94110
the '#' character needs to be encoded as %23
For those who are looking this page in 2017 or beyond, like me
Sensor is not required anymore, I tried and got the error:
SensorNotRequired
I just needed to activate my Google Maps Geocoding API, that seems to be necessary nowadays.
Hope it helps someone like me.
If you just copy&paste the example URL that Google gives in their website
http://maps.google.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=true_or_false
it will fail because of the wrong parameter of the sensor. You should change it to true or false and not the one that they wrote.
Maybe is the error that you have had, like it happened to me...
I had this problem and I realized that I was assuming that Geocoding came with the JS maps API. However, it is a separate API which I hadn't enabled in the cloud console. Enabling it fixed it right away.
I got this problem as well using the drupal 7 Location module. Autofilling all empty locations resulted in this error. Executing one of the requests to the location api manually resulted in this error in the returned JSON:
"Browser API keys cannot have referer restrictions when used with this API."
Resolving the problem then was easy: create a new key without any restrictions and use it only for Geocoding.
Note for those new to google api keys: by restrictions they mean limiting requests using an api key to specific domains / subdomains. (eg. only request from http://yourdomain.com are allowed).
It's suck Google don't let you that your service is not enabled by this account. Try to enable it first.
Go here https://console.developers.google.com/project
and create a new project with place service activated this may solve your problem.
If you not have configured a billing account with your credit card, the API do not work. The Google is now very hungry for money and not open more your products "free". Obviously that him offer a free limited access number of consults and over this acces, the billing is very high.
https://cloud.google.com/maps-platform/pricing
As you say, this can mean that your IP address has been blocked. I'd make sure that you specify the key parameter on the query string for the Geocoding API request.
https://maps.googleapis.com/maps/api/geocode/xml?sensor=false&address=Placename&key=XXxxxXXxXxxxxXXxx
Also make sure that if you've set up IP Address Restrictions within the Developer Console, you've allowed the correct IP address, just click the project within the list and you'll see the allowed IPs.
If you're still running into issues, you might want to look into printing out the values of the status and error_message elements from the response from Google, you'll see something like this:
REQUEST_DENIED - This IP, site or mobile application is not authorized to use this API key. Request received from IP address 123.4.5.678, with empty referer
If it doesn't mention an IP address restriction, it may well give you enough information about the problem to Google a fix.
For anyone struggling with this issue, I just found out that the Geocoding API can't be used with API keys that have referrer restrictions. Just remove all your referrer restrictions and you should be good.
If you're using any other APIs that do allow keys with referrer restrictions (like the Maps JS API), it's probably best to create a 2nd key with no restrictions to use exclusively for geocoding, because other APIs might display your key publicly and someone else could start using it on their own site.
Google is returning a very useful error message, which helps to correct the issue!
Dim Request As New XMLHTTP30
Dim Results As New DOMDocument30
Dim StatusNode As IXMLDOMNode
Request.Open "GET", "https://maps.googleapis.com/maps/api/geocode/xml?" _
& "&address=xxx", False
Request.Send
Results.LoadXML Request.responseText
Set StatusNode = Results.SelectSingleNode("//status")
Select Case UCase(StatusNode.Text)
Case "REQUEST_DENIED"
Debug.Print StatusNode.NextSibling.nodeTypedValue
...
Error Message Examples
Message 1:
Requests to this API must be over SSL. Load the API with "https://"
instead of "http://".
Message 2:
Server denied the request: You must use an API key to authenticate each request to Google Maps Platform APIs. For additional information, please ...
If none of given solutions fixed the error, the issue probably about Google Cloud Billing settings. You must enable Billing on the Google Cloud Project at billing/enable.
Learn more
{
"error_message" : "You must enable Billing on the Google Cloud Project at https://console.cloud.google.com/project/_/billing/enable Learn more at https://developers.google.com/maps/gmp-get-started",
"results" : [],
"status" : "REQUEST_DENIED"
}
I created another Credential(New API) only for Geocoding, with "Key restrictions" 'None' and "API restrictions" 'Restrict key'
Selected APIs:
Directions API
Geocoding API
Geolocation API
Maps JavaScript API
Places API
and then it's worked.
I just ENABLED my geocoding API, geolocation API and places API on my google cloud platform (where I had generated my API key I was using) and it worked.