I want to get logged in username in Web Api but unable to do so. Below is my problem -
I have a Web App developed using AngularJS and Windows authentication is enabled on it.
I have a API which the Web App calls to get the data.
API application is configured to use basic authentication so I need to pass logged in username whenever I call any API method.
The problem is, I can't find a way to get the logged in username and pass it in the request header as I don't have any control over it.
Any help would be appreciated !!
Related
We currently have a website that is setup to use SSO through Azure AD. it is configured to with SAML.
Yet, we have third application that needs to connect to this website using specific email and password.
This application can do any default connection that POSTMAN can do.
What I do notice is that web all cookies are removed from the browser. the website allows me to enter
the email address and password.
I am trying to configure POSTMAN to test login to this website. And using the POSTMAN configuration i will be able to configure the application.
Any Guidance is greatly appreciated. Thank you!
I have try configuring post using HTTPS POST BASIC Authentication. Not sure if this correct manner as I am not postman expert nor have attempted such authentication method before.
Our expectation is the POSTMAN could login into the website and create a cookie that has an active session.
Postman is not a browser so it doesn't "log in". The authentication in Postman is related to webservice calls. So imagine you have an online shop and you expose your API to a third party (let's say a sponsor or partner). For example you let another site (the partner/sponsor) add items for your common client from his site (instead of him having to logout of that site then login to your site, it's easier and your partnership makes both sites profitable, let's say for our example - so their site would be more like a sort of forwarder - when the user adds an item on the partner's site, they actually add it in the cart on your site).
In our example, they would call your API (for example, adding an item in the cart). The question is, how do they do that? How do you stop abuse from a malicious user? Simple: you add authentication. So what your (theoretical) shop's partner does is use some auth method (as you said, Basic Auth) to call the endpoint that results into adding an item into the cart for purchase.
But this auth is not what the client uses to log in to your partner or your site. It's an internal auth, like a sort of a "technical" user. And what you would do in Postman is simulate that call and the Postman login would be to allow it to call endpoints.
If, on the other hand, you have a separate login call that this is all it does, logging in, then yes, you can use Postman to login, BUT, keep in mind that the login auth info would not AND SHOULD NOT be the same as the API call login info. So you would still use an auth to allow the API call and a (hopefully different) auth for the actual login url as params.
In other words, Postman auth in any POST or GET call is just a way to tell the remote server they can trust you because you identify yourself. A login window like the Microsoft one is one for user accounts which is something totally different.
I have Azure App Service EasyAuth working successfully with Google, Microsoft, and Facebook providers in my Mobile App using the MobileServiceClient.LoginAsync method. However, I'm having trouble getting it to work with Apple.
I am able to successfully kick off the authentication process as follows:
await myMobileServiceClient.LoginAsync("Apple", "myapp");
This does launch a new browser window and display the Apple login. I am able to authenticate successfully in the browser window.
The first problem I have is that post_login_redirect_url is being ignored and not passing back control to the mobile app using the myapp://easyauth.callback protocol. Instead, the login successful page is displayed in my Azure App Service website and there is no redirect.
I managed to hack around this issue by omitting the code_challenge and code_challenge_method parameters in the call to my Azure App Service. This DOES NOT pass back control to the mobile app using a redirect:
https://.azurewebsites.net/.auth/login/apple?post_login_redirect_url=myapp%3A%2F%2Feasyauth.callback%2F&code_challenge=WxdeYYJSn5ZoozK0i7WPwYMryh%2BNokYryHevXD2%2BG3k%3D&code_challenge_method=S256
This DOES pass back control to the mobile app after authentication:
https://.azurewebsites.net/.auth/login/apple?post_login_redirect_url=myapp%3A%2F%2Feasyauth.callback%2F
The second problem, regardless of whether I meddle with the call to the Azure App Service above, I do not get back an authorization_code parameter. Instead, I get a token:
https://.azurewebsites.net/.auth/login/done#token=%7B%22authenticationToken%22%3A%22eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGFibGVfc2lkIjoic2lkOmFkZTg4ZDIwMjMzNjgzZGFhYTU0NmU1OGE0Zjg5MmYxIiwic3ViIjoic2lkOmFkZTg4ZDIwMjMzNjgzZGFhYTU0NmU1OGE0Zjg5MmYxIiwiaWRwIjoiYXBwbGUiLCJ2ZXIiOiIzIiwibmJmIjoxNjUyMzg4NDI5LCJleHAiOjE2NTIzOTIwMjksImlhdCI6MTY1MjM4ODQyOSwiaXNzIjoiaHR0cHM6Ly9vc3hiYWNrZW5kLmF6dXJld2Vic2l0ZXMubmV0LyIsImF1ZCI6Imh0dHBzOi8vb3N4YmFja2VuZC5henVyZXdlYnNpdGVzLm5ldC8ifQ.ujhWH9B05vc18rsOFKR-k8tHBAHNvzqLxF9fFLaLlAA%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aade88d20233683daaa546e58a4f892f1%22%7D%7D
Does anyone have a working example or insight into the details of OAuth to get this to work?
I have a .net core application that I'm trying to authenticate with azure ad.
I'm using C# web apis for for all backend.
The place where I'm getting stuck is how to force my user to login when coming to my app.
If I add Authorize to my api calls with they just fail and the page loads without getting the information from the api calls.
How do I tell my react app to go to the microsoft login page if they're not logged in? I'm thinking that I don't need tokens because I can just get the ms login link from my api call and login?
Is this something I can set in the startup page?
Hello guys I am trying to authorize my salesforce android application ,I followed this post https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
Here I found information regarding authentication but my problem is
I want to get authorization code through http request ,In the post it said that we are able able to get that when the browser redirected with the code contained in the url. Is it possible to do that in a non-browser application
The Username and Password Flow only requires your application to interact with Salesforce servers. You don't need to redirect the users browser.
Of course, you shouldn't be prompting users for their credentials if you can help it.
I'm plan on deploy a Java application to Google AppEngine and use federated login (still experimental according to Google). The application is pretty simple Java EE application which expose RESTful interface for simple CRUD operations.
I then want to be able to authenticate to this application using Windows Client Application written in C#.
I think the application should be able to open a window with a browser in ti which will present the login page of my web application and after successful authentication I should be able to get the login token or a cookie to use in the rest of my HTTP requests.
Is it possible to do such thing using federated login? I've found a post explain how to do it using google proprietary login.
Thank you,
Ido.
I've manage to make this work much easier then I thought it would be.
When I send HTTP request to my web service I get 302 Found response with response header name Location which point to the login page.
I use WebBrowser control, register to it Navigated even and navigate to the URL in the Location header.
When the Navigated even fire I use the code from this answer to get the cookies container.
I check each cookie until I find one with the name ACSID and store it.
For every web request to my service I add cookie name ACSID with the value saved at step 4.
This is not the most secure way of doing this. I will add check for the domain of the cookie but this looks good.