AAD / ADAL: understanding user authorisation of app and "Show details" link - azure-active-directory

I'm working on a proof of concept with Azure Active Directory and a native client obtaining an OpenID token for authentication to a web app. The native client uses Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync. My native client app is called "Proof of concept" and the web app is called "PoC server".
The first time that a user logs in, the embedded browser opened by ADAL requires the user to authorise the application, with this page:
Translation:
Authorise Proof of concept
Proof of concept
Website of the application's publisher: nathexperimental.onmicrosoft.com
Proof of concept needs permission to
Access PoC server (PoC server)
Log in and read your profile
You've logged in as: test2@nathexperimental.onmicrosoft.com
Show details
[Accept] [Cancel]
If I now click on the "Show details" link, it throws an exception:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Non-HTTPS url redirect is not supported in webview
en Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
en Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.<PreTokenRequest>d__8.MoveNext()
--- Fin del seguimiento de la pila de la ubicación anterior donde se produjo la excepción ---
en System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
en System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
en System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
en Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<RunAsync>d__55.MoveNext()
I'm not sure what the non-HTTPS URL it's trying to redirect to is, but my best guess is that it's the redirection URI of the native client, which I had set to hook://login with the intention to implement a custom protocol handler and see what calls were made.
This seems to be confirmed by the fact that when I changed the redirection URI to https://codegolf.stackexchange.com (it was the first HTTPS-enabled site that came to mind...), the behaviour changed. But not in the way I expected. Now when I log in for the first time as a new user, it skips the entire "Authorise Proof of concept" page.
What's going on? Under what conditions is the user required to authorise the application? Does the scenario where they must authorise permit me to supply a "More details" page?

JavaScript code in the Trident webview is being counted as a non-HTTPS URL in ADAL. The issue has been filed and the commit is under review for ADAL.NET.
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/544
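
The redirect-URI rules behind the question, as an added illustration that is neither ADAL's code nor the poster's: a client (or authorisation server) accepts a redirect URI only if it exactly matches a registered value, carries no fragment, and uses HTTPS, a loopback HTTP address, or a custom scheme reserved for a native app. The registered list and the web redirect https://poc-server.example/signin-oidc are constructed assumptions; hook://login is the value from the post. The embedded_webview flag models a host that refuses non-HTTPS redirects, which is the behaviour the exception message describes, not ADAL's actual implementation.

```python
"""
Added illustration (not ADAL's own code): generic OAuth 2.0 redirect-URI
policy checks that explain why hook://login and an https:// redirect are
treated differently.  Rules applied: exact match against the registered
list, no URL fragment, and only https://, loopback http://, or a custom
scheme reserved for native apps.
"""
from urllib.parse import urlsplit

# Constructed sample registry for a hypothetical app registration.
REGISTERED = {
    "https://poc-server.example/signin-oidc",   # hypothetical web redirect
    "hook://login",                             # custom scheme from the post
}

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def classify_redirect(uri, registered=REGISTERED, embedded_webview=False):
    """Return (ok, reason).

    embedded_webview=True models a host that only accepts HTTPS redirects,
    which is what the 'Non-HTTPS url redirect is not supported in webview'
    exception describes (an assumption about the policy, not ADAL's code).
    """
    # Exact string match, never prefix or substring matching, so an attacker
    # cannot register-adjacent URIs such as https://poc-server.example.evil/.
    if uri not in registered:
        return False, "not an exact match for a registered redirect URI"
    parts = urlsplit(uri)
    if parts.fragment:
        return False, "fragment component not allowed in redirect URI"
    if parts.scheme == "https":
        return True, "https redirect"
    if parts.scheme == "http":
        # Loopback redirects are the native-app exception for plain http.
        if (parts.hostname or "") in LOOPBACK_HOSTS:
            return True, "loopback http redirect (native-app loopback)"
        return False, "plain http redirect outside loopback"
    # Anything else is a custom scheme such as hook://login.
    if embedded_webview:
        return False, "non-HTTPS redirect not supported in this webview"
    return True, "custom scheme redirect for a native app"


if __name__ == "__main__":
    for uri in ("hook://login", "https://poc-server.example/signin-oidc",
                "https://attacker.example/"):
        print(uri, classify_redirect(uri, embedded_webview=True))
```

The two outcomes in the post map onto the flag: with embedded_webview=True the custom scheme is rejected, with an HTTPS redirect the same request passes the scheme check and the flow continues.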

Related

Webview missing from Chrome

We have an embedded microApp that is set up on a third-party website (Saba) that is designed to pass a session token to our application. We are initiating a user login by presenting them an embedded browser session using WebView2 in our WPF application. Then, after a successful login, the microApp on the Saba homepage passes back a session token. This appears to be where the application is hanging, waiting for the valid session token to be returned.
This had been working great up until the last 24 hrs, when we started experiencing hangs on logging in. It appears that trying to access webview via the console/inspector from Edge doesn't work either: "window.chrome.webview" shows undefined.
We are actively scouring any reference we can find to see if there is information about webview support being deprecated or moved, but we haven't found any yet. If anyone has any ideas or resources on where we may be able to find some answer, that would be much appreciated.

OWIN stop functionning in Azure

I have an old application that has run for 2 years now without problems. Recently the login part started to fail with a 404 Not Found.
Here part of the error:
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +94579
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__8.MoveNext() +375
[IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.]
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__8.MoveNext() +663
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +102
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +64
Microsoft.IdentityModel.Protocols.OpenIdConnect.<GetAsync>d__3.MoveNext() +291
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +102
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +64
System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) +26
Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__24.MoveNext() +1129
The line that creates this 404 Not Found error is:
HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);
So something changed in Azure authentication with old MSAL and OWIN authentication (for Azure B2C).
In the B2C Azur portal, I can see my apps in Applications (Legacy) with this note: The new App registrations experience is now generally available and is the recommended way of registering applications. Click the App registrations blade to access the new experience. The Applications (Legacy) blade has been deprecated and will no longer be available going forward.
Quite annoying, because I do not want to spend too much development time on this old app. I tried to find some info on migrating this kind of app. Do I only have to create a new App in AD B2C, or do I have to change my code?
Thanks
EDIT1:
That's the code called by the login button. All was working a couple of months ago. I haven't changed anything or pushed anything to Azure on this project for about 2 years!
public void SignUpSignIn()
{
    // Use the default policy to process the sign up / sign in flow
    if (!Request.IsAuthenticated)
    {
        string returnUrl = "/";
        // UrlReferrer is null when the request carries no Referer header,
        // so check the object itself before reading AbsolutePath
        if (Request.UrlReferrer != null && !string.IsNullOrEmpty(Request.UrlReferrer.AbsolutePath))
            returnUrl = Request.UrlReferrer.AbsolutePath;
        var authenticationProperties = new AuthenticationProperties { RedirectUri = returnUrl };
        // Triggers the OWIN OpenID Connect middleware redirect to the B2C policy endpoint
        HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);
        return;
    }
}
EDIT 2:
After adding some PII diagnostics I got this detail:
Unable to retrieve document from: 'https://login.microsoftonline.com/tfp/hidenb2c.onmicrosoft.com/B2C_1_SignInOut/v2.0/.well-known/openid-configuration'
Finally, after many tries, I found that I just need to change the URL from
https://login.microsoftonline.com/tfp/hidenb2c.onmicrosoft.com/B2C_1_SignInOut/v2.0/.well-known/openid-configuration
to
https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/B2C_1_SignInOut/v2.0/.well-known/openid-configuration
now all is working. Thanks for your help.
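
The fix above is a change of metadata address; what a practitioner also wants is a check that the discovery document fetched from that address is the one the app should trust before it is used for token validation. The following is an added example, not the poster's code and not the OWIN middleware's own validation. It builds the b2clogin.com metadata address in the form the post switched to and rejects a discovery document whose endpoints are not HTTPS or are not hosted on the tenant's b2clogin.com host. The tenant name "contoso", the policy name and the all-zero tenant GUID in the sample issuer are placeholders; the sample documents are constructed, not real responses.

```python
"""
Added example (not the poster's code): build the B2C metadata address in the
form the post ends up with and sanity-check a discovery document before
trusting it.  Sample documents are constructed; "contoso" and the all-zero
GUID in the issuer are placeholders, not values from the post.
"""
import json
from urllib.parse import urlsplit


def b2c_metadata_address(tenant, policy):
    """Metadata address on the tenant's b2clogin.com host (post's fix)."""
    return (f"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")


# Discovery fields the OpenID Connect middleware needs to validate tokens.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json, tenant):
    """Return a list of problems; an empty list means the document is acceptable.

    Every required endpoint must be HTTPS and on the tenant's b2clogin.com
    host, so a document pointing elsewhere (a deprecated host, a typo in the
    authority, or a spoofed server) is rejected rather than silently used.
    """
    doc = json.loads(doc_json)
    expected_host = f"{tenant}.b2clogin.com"
    problems = []
    for key in REQUIRED:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        if (parts.hostname or "").lower() != expected_host:
            problems.append(f"{key} host {parts.hostname!r} != {expected_host!r}")
    return problems


# Constructed sample in the shape of an OpenID Connect discovery document.
_BASE = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signinout"
SAMPLE_OK = json.dumps({
    "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": f"{_BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{_BASE}/discovery/v2.0/keys",
})

# Same document with the token endpoint pointing at another host over http.
SAMPLE_BAD = json.dumps({
    **json.loads(SAMPLE_OK),
    "token_endpoint": "http://login.example.invalid/oauth2/v2.0/token",
})


if __name__ == "__main__":
    print(b2c_metadata_address("contoso", "B2C_1_SignInOut"))
    print("ok document:", check_discovery(SAMPLE_OK, "contoso"))
    print("bad document:", check_discovery(SAMPLE_BAD, "contoso"))
```

In a real deployment the document would be fetched over TLS from the address returned by b2c_metadata_address and passed to check_discovery before being handed to the middleware; the check is deliberately strict about the host so that a configuration still pointing at a retired endpoint fails loudly instead of with a bare 404.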

GeOrchestra: what do I have to do when it displays "site on maintenance"?

I'm testing GeOrchestra to share maps between colleagues. I've used the ansible script to install it and it was working fine. Today, connecting to the server displays a message that the site is on maintenance.
Original message in French: "En raison d’une opération de maintenance, les services geOrchestra sont momentanément indisponibles. "
I have no idea what I have to do regarding this message. I've restarted the server but this does not solve anything.
Any idea of what has happened and what I can do to disable the maintenance mode?
Thanks a lot.
This means that, for some reason, Apache is not able to contact the security-proxy (HTTP 503 unavailable), and as a result, displays the ErrorDocument /errors/50x.html as per https://github.com/georchestra/georchestra/blob/17.12/docs/setup/apache.md#configuration
Is your servlet container (tomcat-proxycas) hosting the security-proxy up and running?
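
A way to confirm the diagnosis in the answer above from Apache's own logs, as an added example that is neither geOrchestra's code nor the answerer's: when mod_proxy cannot reach the security-proxy it logs a connection failure in the error log and the client receives the 503 that triggers the ErrorDocument. The log lines below are constructed samples in the standard Apache error-log and combined access-log formats; the backend address 127.0.0.1:8180 and the client addresses are placeholders, not values from the post.

```python
"""
Added example (not geOrchestra's or the answerer's code): detect the
"backend unreachable" failure mode in Apache logs.  Log lines are
constructed samples; 127.0.0.1:8180 is a placeholder backend address.
"""
import re

ERROR_LOG = """\
[Tue Mar 05 10:02:11.120000 2019] [proxy:error] [pid 2104:tid 140] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8180 (localhost) failed
[Tue Mar 05 10:02:11.120100 2019] [proxy_http:error] [pid 2104:tid 140] [client 10.0.0.7:51922] AH01114: HTTP: failed to make connection to backend: localhost
[Tue Mar 05 10:02:12.000000 2019] [mpm_event:notice] [pid 2100:tid 1] AH00489: Apache/2.4.29 configured
"""

ACCESS_LOG = """\
10.0.0.7 - - [05/Mar/2019:10:02:11 +0100] "GET /geonetwork/ HTTP/1.1" 503 1204 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Mar/2019:10:02:14 +0100] "GET /errors/50x.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
"""

# mod_proxy / mod_proxy_http error lines that mean "could not connect".
PROXY_FAILURE = re.compile(
    r"\[(proxy|proxy_http)\S*:error\].*?(AH00957|AH01114|Connection refused)")
# Status code field of a combined-format access log line.
ACCESS_STATUS = re.compile(r'" (\d{3}) \d+')


def backend_unreachable_events(error_log):
    """Error-log lines showing mod_proxy could not connect to its backend."""
    return [line for line in error_log.splitlines() if PROXY_FAILURE.search(line)]


def count_status(access_log, status="503"):
    """Number of requests answered with the given HTTP status."""
    count = 0
    for line in access_log.splitlines():
        m = ACCESS_STATUS.search(line)
        if m and m.group(1) == status:
            count += 1
    return count


def diagnose(error_log, access_log):
    """Short verdict distinguishing a dead backend from other 503 causes."""
    failures = backend_unreachable_events(error_log)
    n503 = count_status(access_log)
    if failures and n503:
        return "security-proxy backend unreachable: check the tomcat-proxycas container"
    if n503:
        return "503s without proxy connection errors: check the backend's own logs"
    return "no proxy failures in the sampled window"


if __name__ == "__main__":
    print(diagnose(ERROR_LOG, ACCESS_LOG))
```

Run against the real files (typically under /var/log/apache2/) by reading them into the two strings; the verdict separates "Tomcat is down" from the rarer case where the security-proxy answers but itself returns 503.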

DNN 7 - SMTP Test in host settings work, but can't send emails in contact forms

All the sites on this DNN installation stopped sending emails yesterday. When you try and test SMTP in host settings, it sends the test email without any issues.
At first I thought my IP might be blacklisted, but then surely the SMTP test would also fail?
I'm pretty sure the Test SMTP setting in Host directly calls the send mail service in DNN's API. But many other emails are queued up for dispatch for scalability.
Check to see if your "Messaging Dispatch" job in Host > Scheduler has been disabled. If not, check the history by clicking the Log icon on the right-hand side of the schedule tasks list. See if there are errors logged in there.
If all is good there, check your Logs in /Portals/_default/Logs for any issues related to messaging or SMTP.
I would start by checking to see if you have defined a valid (usable) email address on your ADMIN account. DNN will "send" emails from whatever the Administrator is in the site settings, so check the email address on that user's profile, make sure that the email/domain is valid and the SMTP settings you are using are allowed to send from that domain.
If you have developed a dynamic contact-form module in your DesktopModules folder, then you have to call the DNN SendMail method below in your submit button click event.
DotNetNuke.Services.Mail.Mail.SendMail(FromEmailAddress, ToEmailAddress, CCEmailAddress, BCCEmailAddress,
DotNetNuke.Services.Mail.MailPriority.Normal,
EmailSubject,
DotNetNuke.Services.Mail.MailFormat.Html,
System.Text.Encoding.UTF8,
EmailBodyMessage, "", "", "", "", "");

Google_AuthException : invalid_grant

I'm trying to setup the config.php with my values but I get this fatal error:
Fatal error: Uncaught exception 'Google_AuthException' with message 'Error fetching OAuth2 access token, message: 'invalid_grant'.
I entered the client ID, secret, simple API key, location and sqlite database as the documentation says here:
https://developers.google.com/glass/quickstart/php
Any idea of what I'm doing wrong?
Thanks in advance!
This happens when the URL where you're hosting your Glassware is not listed as a valid OAuth 2.0 redirect URI on the API console. Follow these steps to resolve it.
First, determine your OAuth 2.0 redirect URI. This is where traffic goes at the end of the OAuth dance. The correct value depends on where you're running the php quick start. If you're running it on a local web server, it's likely to be http://localhost/mirror-quickstart-php/oauth2callback.php. If you're running it on example.com, it might be https://example.com/oauth2callback.php.
Go to the API console. This link will lead you to the right panel (services), but double check that you're on the correct project.
Scrolling down you should see the OAuth section of the page. Click on 'Edit Settings...'.
This triggers a pop-up where you can enter your OAuth redirect URIs. Add your redirect URI to the top text area. Make sure to put each URI on its own line.
Reload the page for the PHP Quick Start and everything should work.
If you're still having an issue, please share the full error message on the page and the value you have for the base url in config.php.
If you're getting the invalid_grant error from Google: instead of using the client ID from the Google developer console as your value for client ID in the code, try using the email address value from the developer console. This is actually what they expect. So, to confirm, the value for Client ID should be the value from the developer console ending @developer.gserviceaccount.com
I had a similar problem in a Windows PowerShell .NET environment when trying to connect to a DialogFlow Google Cloud project recently. It appeared to be an intermittent fault, but it turned out that the global $env:GOOGLE_APPLICATION_CREDENTIALS in Windows PowerShell was pointing to a key file set when I first set up access to GCloud days before, and I had since regenerated the keys in the GCP Console.
After generating a new key file and setting it with $env:GOOGLE_APPLICATION_CREDENTIALS="[Path_To_JSON_Key_File]" the problem went away, but the fix only lasted as long as the window was open. After a while I ran $env:GOOGLE_APPLICATION_CREDENTIALS in a newly opened PS window and noticed it was still pointing to the old key file!
Setting the system environment variable GOOGLE_APPLICATION_CREDENTIALS to the value of [Path_To_JSON_New_Key_File] fixed it: all newly opened PS windows had the correct key file and authenticated correctly using the Service Account, and .NET Google Cloud API calls worked after that.
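
The stale-key situation in the answer above, turned into a reproducible check as an added example that is not the answerer's script: given an environment mapping, it reports whether GOOGLE_APPLICATION_CREDENTIALS is set, whether the file it points at is a loadable service-account key, and whether that key's private_key_id is the one currently issued, which is exactly the mismatch that produces invalid_grant after keys are regenerated. The key files are constructed stand-ins with placeholder ids and no private key material; the paths and project name are assumptions.

```python
"""
Added example (not the answerer's script): diagnose a GOOGLE_APPLICATION_CREDENTIALS
setting that points at a revoked service-account key.  The key files below
are constructed stand-ins: a real key also carries "private_key", omitted here.
"""
import json

# Constructed fake filesystem: path -> file contents (no real keys).
FAKE_FILES = {
    r"C:\keys\old-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "OLDKEYID-placeholder",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
    }),
    r"C:\keys\new-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "NEWKEYID-placeholder",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
    }),
}


def fake_read(path):
    """Read from the fake filesystem; raises like open() would on a bad path."""
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    return FAKE_FILES[path]


def real_read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def diagnose_credentials(env, expected_key_id, read_file=real_read):
    """Return a list of findings; an empty list means the setup looks right.

    expected_key_id is the private_key_id of the key currently listed for the
    service account in the console (an input, since only the console knows it).
    """
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set in this environment"]
    try:
        key = json.loads(read_file(path))
    except (OSError, ValueError) as exc:
        return [f"cannot load key file {path!r}: {exc}"]
    findings = []
    if key.get("type") != "service_account":
        findings.append("key file is not a service_account key")
    if key.get("private_key_id") != expected_key_id:
        findings.append(
            f"key id {key.get('private_key_id')!r} is not the current key "
            f"{expected_key_id!r}: the file at {path!r} is stale")
    return findings


if __name__ == "__main__":
    import os
    # Against the real process environment and real files.
    print(diagnose_credentials(os.environ, "NEWKEYID-placeholder"))
```

Because the check reads the environment mapping it is given, running it in a fresh shell (or with the machine-level variable, as the answer ends up doing) shows which value actually reaches new processes, which is what the window-scoped override hid.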
