We're trying to integrate Yammer on our website, getting and putting posts is done, but we have an issue with getting images.
When the user is logged into Yammer, we can show the images with no problem.
When the user is not logged in to Yammer, the image request will give a 401 Unauthorized.
We tried getting the image blobs dynamically by adding an Authorization header, but CORS will block us this way.
Could anyone give some pointers on how to resolve this issue? Thanks in advance!
var req = {
method: 'GET',
url: 'https://www.yammer.com/api/v1/uploaded_files/123456/preview/IMG-20160413-AA0001.jpg',
headers: {
'Authorization': 'Bearer ' + yammertoken
},
responseType: 'blob'
}
return $http(req)
In the end we created a proxy in our PHP backend which was able to get the images serverside. This circumnavigated the CORS issue.
I would highly suggest not trying to subvert authentication for data. Data such as files live behind authentication in order to ensure that only the users who are allowed to see such data can do so.
Have you explored using https://developer.yammer.com/docs/authentication ?
Related
I need to auto login on my React App. To do this, I use NTLM authentication. Both , API (php coded) and React App are on an IIS server.
I use axios for API calls. When I do GET request, all is right, crendentials are successfully sent (but I must disable anonymous login on IIS).
When I use POST query, it fails with 401 error.
I tried several headers but nothing works. That's why I need help.
Image : Nothing weird in headers
When I do GET, I see cookie sent, not with my post query
axios.post(apiUrl+'deleteUserReportFolder.php', {
reportFolder: e.target.value,
id: user.login
},{
withCredentials: true,
credentials: 'include',
headers: {
'Content-Type': "application/json",
'Authorization': 'NTLM',
'WWW-Authenticate': 'NTLM'
}
})
The API Site is sending these HTTP Response Headers:
Image : IIS API
Thanks for your help. I've seen a lot of posts but nothing worked.
Edit :
I tried by setting my server (API PHP) with anonymous and Windows login, anonymous login cause no logon user, so I must set Windows enabled only.
I tried by removing all headers except "withCredentials" in axios query. I still have 401 error on CORS Pre Flight.
var_dump($_POST);
Check this code,May be it's helpful!
I am trying to send and receive messages to/from SFB (Skype for business) through UCWA web apis but facing access denied issue.
1) I created Azure AD application.
2) I am able to login successfully and fetching access token and refresh token.
3) But when i try to auto-discover with the above access token, it is giving 403 access denied error. Please see the request in the code below.
Is it because of SFB deprecation or something else? Please help.
let options = {
method: 'GET',
url: 'https://webdirin1.online.lync.com/Autodiscover/Autodiscoverservice.svc/root/oauth/user',
headers:
{
accept: 'application/json',
'x-requested-with': 'XMLHttpRequest',
'access-control-allow-origin':'*',
cors:true,
'Access-Control-Allow-Origin':'*',
'x-ms-diagnostic': `PNQIN100EDG08.infra.lync.com`,
'x-ms-origin': `MAAIN100EDG03.infra.lync.com`,
authorization: `Bearer ${users[0].access_token}`
}
};
In general, 403 means you have provided the wrong access token.
Please refer to Requesting an access token using implicit grant flow.
Note: It seems that the request in the official example is incomplete, you can refer to mine:
https://login.microsoftonline.com/{Tenant ID}/oauth2/authorize?response_type=id_token+token&client_id={Client ID}&redirect_uri={Reply URL}&state=8f0f4eff-360f-4c50-acf0-99cf8174a58b&resource=https://webdirXX.online.lync.com&nonce=12434152345
Modify the above string based on your need and put it directly into the browser for access and log in with your admin account. The access token will be included in the string returned in the address bar.
At last, you could use the access token to call
Get https://webdirXX.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user.
Are there any CORS issues?
check in the response header if you see something like : "Service does not allow a cross domain request from this origin."
Refer: https://ucwa.skype.com/documentation/itadmin-configuration
I'm running a test site built on AngularJS and am having issues trying to getting Forge OAuth going. Here's the request I'm trying to make...
$http({
method: 'POST',
url: 'https://developer.api.autodesk.com/authentication/v1/authenticate',
data: 'client_id=' + token.clientId + '&client_secret=' + token.secret + '&grant_type:client_credentials&scope=data:read',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
withCredentials: false
}).then(function (r) {
authToken = r.access_token;
toastr.success('success');
}, function (e) {
toastr.error('fail');
});
It's erroring out with:
XMLHttpRequest cannot load https://developer.api.autodesk.com/authentication/v1/authenticate. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 500.
I know this is a CORS related issue, which I'm not an expert about. Is this not possible using $http.post()? If not, how should I go about authenticating using Angular?
I assume you call your $http from the angular client side. Whether the call is successful or not, I need to mention here that it is a bad idea to share your client id and secret in your code. Anyone can read javascript code and stole your keys - once they do that, they can use them to request an access token and use your account to process files - and you'll pay the bill. This is valid for any WEB services - free or paid - such as Twitter, google maps, etc... Never, ever, compromise your keys on the client side. Use an endpoint on your server instead.
Now, I believe there is an error your data string formatting:
data: 'client_id=' + token.clientId + '&client_secret=' + token.secret + '&grant_type:client_credentials&scope=data:read',
should probably be
data: 'client_id=' + token.clientId + '&client_secret=' + token.secret + '&grant_type=client_credentials&scope=data:read',
grant_type: => grant_type=
For the CORS issue, this is because you are calling the http request for this endpoint from the browser. Watch for the Origin header sent by your browser, you'll see that it is something specific. Once you'll get the Authorization header, the CORS issue will go away.
Hope that helps,
I am trying to make a post request from AngularJS to WebAPI on a different domain.
$http({
method: 'POST',
url: 'http://www.test.com/api/app/controller',
data: postdata,
headers: {
'Content-Type': 'application/json'
}
})
.then(function(response) {
// Do stuff
}, function() {
// Show error
})
.finally(function() {
// Cancel loading indicator
});
I believe Web API is setup correctly to handle CORS requests. If I make a CORS OPTIONS request using Chrome Advanced REST client, the correct headers and a 200 response code are returned.
When I make the POST call above, a preflight OPTIONS request is made. This always times out with a 504 code. The logging in my Application_BeginRequest is never hit (which it is when calling from Chrome plugin).
What is the difference between calling from AngularJS and the Chrome plugin? Both are being run from the same machine and AngularJS is running in an application on localhost. The same headers are being set in both calls.
This was a stupid mistake on my behalf. I am answering the question (rather than deleting) in case somebody does the same.
I was pointing to a service containing a typo:
url: 'http://www.test2.com/api/app/controller',
Instead of:
url: 'http://www.test.com/api/app/controller',
My CORS pre-flight request was working without an issue, it was just never getting to the right server.
I have the an Angular JS app (front-end) that communicate to Laravel app (back-end).
I'm stuck in this issue, not always happen but when it does, right after I authenticate some of random requests get 401 (Unauthorized). But if I access the same url using postman it work perfectly.
I'm not sure what show as code, so here's some details that could be valid:
At the Angular JS I have 25 different uri (xhr) to my back-end.
I'm using $httpProvider.interceptors to add the headers:
'Accept': 'application/json',
'Authorization': (AuthService.valid() ? `Bearer ${AuthService.get().token}` : ''),
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest'
I'm using JwtAuthenticate at Laravel.
Sorry for low description, if you need some more please tell me.
Did you got this sorted out already? I am experiencing an issue that is very similar to this.
I have a Laravel application and when I log in and open a modal that does an ajax call, it will randomly result in a 401 error and I'm logged out. There is no real pattern when this occurs.