I’m currently implementing the new firebase auth() in my angularjs app with username and password.
firebase.auth().signInWithEmailAndPassword(email, password)
This is all working, until an incorrect password is supplied for a valid email address. The promise returns and I handle the event gracefully. However the console and network logs a 400
POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[key] 400
The response body:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "invalid",
"message": "INVALID_PASSWORD"
}
],
"code": 400,
"message": "INVALID_PASSWORD"
}
}
I have seen all the previous questions on this and I can't find a response that will satisfy my app needs. Intended behaviour is to return an error response to the promise(which is what is does) but not also log to the user which piece of information is incorrect.
From a penetration test perspective this gives away valuable information to a user/hacker. Are there any other suggestions on how to handle this other than changing to another auth implementation?
Any help much appreciated.
Related
I have followed the below stackoverflow link ( The answer provided by Allen Wu)
How to add a custom claim and retrieve the same as part of access_token, when the scope is not Graph API in Azure AD?
to add a custom claim in access token. But I am getting an error when I am trying to
Assign the claimsMappingPolicy to a servicePrincipal.
I have opened microsoft graph and executed a POST call like so -
https://graph.microsoft.com/v1.0/servicePrincipals/8b6e2827-b3fa-467b-940d-324c301ca606/claimsMappingPolicies/$ref
with the request body
{
"#odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/fce7f260-9598-426d-b8c2-7e589b25415b"
}
but I am getting a 409 Response code with the following response preview :
{
"error": {
"code": "Request_MultipleObjectsWithSameKeyValue",
"message": "Request contains property changes that would result in property-uniqueness violation(s). Please retry your request with corrected values.",
"innerError": {
"date": "2020-10-18T06:32:23",
"request-id": "ae69cb4f-716d-4d56-a123-572c76ace2e0",
"client-request-id": "29b0130e-8b7a-d09d-1188-2856c99dad8e"
}
}
}
It means the servicePrincipal has been assigned a claimsMappingPolicy.
If you assign another claimsMappingPolicy to it, you will get the 409 Conflict error.
You need to List assigned claimsMappingPolicy first and then Remove claimsMappingPolicy.
Now you can assign claimsMappingPolicy to the servicePrincipal.
I am attempting to use the Create Contacts endpoint for Microsoft Graph API (Doc is here: https://learn.microsoft.com/en-us/graph/api/user-post-contacts?view=graph-rest-1.0&tabs=http) to register new contact for my user. I created body as described in API documentation but getting the error below:
{
"error": {
"code": "Request_BadRequest",
"message": "A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value.",
"innerError": {
"request-id": "daf78520-50e6-444b-97a2-779762b3e6ed",
"date": "2020-01-23T14:20:18"
}
}
}
Requests used:
1. POST https://graph.microsoft.com/v1.0/{{tenant_id}}/contacts;
2. POST https://graph.microsoft.com/v1.0/me/contacts;
Request body example:
{
"givenName": "Yulia",
"surname": "Lukianenko",
"emailAddresses": [
{
"address": "yulia#lukianenko.onmicrosoft.com",
"name": "Yulia Lukianenko"
}
],
"businessPhones": [
"+1 732 555 0102"
]
}
Did somebody meet such kind of issue? How you resolved it?
Thank you in advance for your help!
POST request is incorrect here.
It should be :
https://graph.microsoft.com/v1.0/me/contacts
Also you need to make sure "Contacts.ReadWrite" permission is granted to the app registered in AAD.
P.S: I used the same JSON in your example using graphExplorer and contact was created successfully.
My application was designed to add a user to my Azure AD B2C using Azure AD Graph API. I also handled the case where I'd be calling the add user graph API with an email ID that already exists in AD. I was looking for the error message in the response body to handle this. Has there been any change w.r.t the response message?
POST
https://graph.windows.net/{tenant}/users?api-version=1.6
Request Body :
{
"accountEnabled": true,
"signInNames": [
{
"type": "EmailAddress",
"value": "TestGraphApiCreatedUser#TestGraphApiCreatedUser.com"
}],
"displayName": "TestGraphApiCreatedUser",
"mailNickname": "TestGraphApiCreatedUser",
"passwordProfile" : {
"forceChangePasswordNextLogin": false,
"password": "vhkjds#fceu456VCHU"
},
"creationType": "LocalAccount",
"passwordPolicies": "DisablePasswordExpiration"
}
If a user already exists with the given email address, the error I was getting earlier was
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property signInName already exists."
}
}
}
Now, for the same flow, I'm getting below error :
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property userPrincipalName already exists."
}
}
}
Is there any difference between the two error messages. Since there isn't any error code, I had hard coded the whole error message. Now that there is a slight change in the message, I've to update my code. How can I handle this in a better way?
I didn't check to confirm if they changed the error message, but it wouldn't surprise me at all if they did. The userPrincipalName may be coming from the underlying AAD, maybe MS changed the B2C implementation and now it exposes an error message from there?
In your particular case, a better option may be to check if the email address exists in B2C just before calling the API to create the new user. It's an extra API call, but it shouldn't matter much unless you're creating many users at a time, e.g. in a batch. You'll still have to handle the user creation call failure, but if it happens you could just return a generic error message.
I have a project where when I do a post or get to an endpoint on my local it works fine, but when I do the same exact thing on app engine I get back:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "internalError",
"message": "Internal Error"
}
],
"code": 500,
"message": "Internal Error"
}
}
I have checked my data and it all looks the same. In the log I can see that the method completes successfully and I see no error message, stack trace, etc.
What gives? Thanks!
Though i do not know your code i assume your cloud endpoints have a return value like String[] or List, which doesn't work when deployed but does work on devserver.
Define a class for your return type and use that class, Like
public class StringResult {
String result;
/* getters and setters '/
}
And yes, i did answer the same thing in the other thread so technically this question is a duplicate if the answer solves the issue ;-)
I have an Endpoints API deployed on App Engine. I have no problem using the Google API Explorer to make requests to API methods that do NOT require being logged in. The URL I'm using for that is:
https://developers.google.com/apis-explorer/?base=https://[MY_APP_ID].appspot.com/_ah/api
Where I am stuck is calling API methods that require the user to be logged in, such as this one:
#ApiMethod(name = "config.get",
clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID"},
audiences = {"[MY_APP_ID].appspot.com"},
scopes = {"https://www.googleapis.com/auth/userinfo.email"})
public Config getConfig(User user) throws OAuthRequestException {
log.fine("user: " + user);
if (user == null) {
throw new OAuthRequestException("You must be logged in in order to get config.");
}
if (!userService.isUserAdmin()) {
throw new OAuthRequestException("You must be an App Engine admin in order to get config.");
}
...
On the API Explorer there's a switch top right that, when clicked, allows me to specify scopes and authorise. I'm doing that with just the userinfo.email scope checked. It makes no difference. The response I get from my call is:
503 Service Unavailable
- Show headers -
{
"error": {
"errors": [
{
"domain": "global",
"reason": "backendError",
"message": "java.lang.IllegalStateException: The current user is not logged in."
}
],
"code": 503,
"message": "java.lang.IllegalStateException: The current user is not logged in."
}
}
Back when Endpoints was in Trusted Tester phase, I remember there being a manual step in the OAuth2 Playground to get an ID token instead of an access token or some such thing. If that is still required, any mention of that seems to have disappeared from the Endpoints docs now and I see now way to swap out tokens in the API Explorer either.
I see you've got "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID" in quotes. If that's not a typo in your transcription to Stack Overflow, that's a problem. The value is already a string, so you're just passing in the text com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID (not the actual client ID) as the whitelisted scope. That won't work. Try this instead:
#ApiMethod(name = "config.get",
clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
audiences = {"[MY_APP_ID].appspot.com"},
scopes = {"https://www.googleapis.com/auth/userinfo.email"})
Edit: isUserAdmin is unsupported within Endpoints, and is likely a secondary cause of error. I'd suggest filing a feature request for supporting this method on the provided User object (we likely won't provide support for the user service itself, so it's separate from OAuth login.)
I don't know when this was introduced, but if you use OAuth2, instead of UserService.isUserAdmin() you can use OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE) where EMAIL_SCOPE is "https://www.googleapis.com/auth/userinfo.email".
This makes it easy to use the old OpenId or OAUth2:
boolean isAdmin = false;
try {
isAdmin = userService.isUserAdmin());
} catch (IllegalStateException e1) {
try {
isAdmin = OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE);
} catch (Exception e2) {}
}
The original question was asked several years ago, but maybe this will help others.