I'm working on a C coded server that have to reply to browsers' requests. It have to give authentication when using url like this:
http://user:pass#website/
but I really don't know how or where get this information on my server, because what I got when I read the request is the same that I can read when I interact with the server simply using
http://website/
Second question is that sometime I have this favicon.ico request from browsers.. what can I reply to the browser to say "I have not this fu*** stupid icon"? :D
I'm of course using socket for this
Look for a request header named Authorization: containing the string Basic followed by the BASE64 encoded username and password. This method of authenticating is called HTTP Basic Authentication.
For the favicon, simply respond with a HTTP 404 response if you don't have one.
Related
I added additional API to the Duende IdentityServer 6.2 as described here. Then I tried to access it from a sample App, using typed httpClient using their own library called AccessTokenManagement (aka Identity.Model) pretty much following their simple example. I use Authorization Code flow, everything pretty much simple and default.
It works well until both server and client are on the same dev machine under localhost. As soon as I publish IdentityServer to IIS, the API stops to work, while the rest still works well (I can be authenticated, and I see in the Fiddler that token exchanges work normally).
The call to API consists from two calls:
Calling to /connect/token using refresh token. Server returns access token.
Calling my endpoint using this new access token.
The flow fails on the step 1. Call to /connect/token is already unauthorized and I can't understand why. The "good" and "bad" calls looks the same, I cannot see any differences. Previous call moment ago to /connect/userinfo consists of the same two steps and it works. Logs on both server and client give no clues.
No reverse proxies, just good plain simple URI. Automatic key management is enabled and the keys are in the SQL table, common for dev and published server. Asp.Net Core Data Protection is enabled and keys are also common.
Relevant parts of logs are below. I noticed that "No endpoint entry found for request path" is specific to IdentityServer and it doesn't actually mean that endpoint was not found. It was found but not processed. I also noticed reacher response headers from bad request and log entry about "Cookie signed-in" in good request but not sure what does it mean and whether it's relevant.
I'm running out of ideas.
Bad response from IIS while trying to get new Access Token:
Proper response while developing:
///////Relevant part of log for BAD request
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Token for user test#test.com needs refreshing.
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: cookie was successfully authenticated.
|Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService|refresh token request to: https://auth.mysite.org/connect/token
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Error refreshing access token. Error = Unauthorized
|System.Net.Http.HttpClient.IdsService.ClientHandler|Sending HTTP request POST https://auth.mysite.org/mycontroller/myaction
|System.Net.Http.HttpClient.IdsService.ClientHandler|Received HTTP response headers after 117.7278ms - 401
///////Same part of GOOD request
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Token for user test#test.com needs refreshing.
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Cookies was successfully authenticated.
|Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService|refresh token request to: https://localhost:5001/connect/token
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Cookies signed in.
|System.Net.Http.HttpClient.IdsService.ClientHandler|Sending HTTP request POST https://localhost:5001/mycontroller/myaction
|System.Net.Http.HttpClient.IdsService.ClientHandler|Received HTTP response headers after 1994.9611ms - 200
///////Server log during BAD request
Duende.IdentityServer.Hosting.EndpointRouter No endpoint entry found for request path: "/mycontroller/myaction"
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler HandleAuthenticateAsync called
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler AuthenticationScheme: "IdentityServerAccessToken" was not authenticated.
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler AuthenticationScheme: "IdentityServerAccessToken" was challenged.
Okay, found it. Thankfully, looked at Fiddler's WebView and had seen familiar picture!
Then, found this topic. The solution was disabling Basic authentication in IIS settings. Access token request has basic authentication header and it seems like IIS intercepts it. Still a bit unclear why other parts of flow worked.
I am sending some perameters to the third party application using rest api In one of the perameter I am sending A URL, This URL will use by third party application to send a json response after 5 or 10 min. My question is how may i create that URL for third party app that they will use to send the response.
If the 3rd party can send HTTP headers too you could send to them the current user's session id. If that user is API enabled (checkbox in profile/permission set) - you could write an Apex REST service that accepts POSTs. They'd call it with Authorization: Bearer <session id here> and it could work very nice. This trailhead might be a good start for you. (or can you contact their developers and maybe agree to make a dedicated user in SF for them so they'd log in under their own credentials and send it back?)
If they cannot send any special headers (it'd have to be unauthenticated connection to SF) - maybe you could make a Visualforce page, expose it as Site and then page's controller can do whatever you need. Maybe you already have something public facing (community?), maybe it'd be totally new... Check https://developer.salesforce.com/docs/atlas.en-us.206.0.salesforce_platform_portal_implementation_guide.meta/salesforce_platform_portal_implementation_guide/sites_overview.htm
If none of these work for you - does the url have to ping back to Salesforce. Maybe you have control over another server that can accept unauthenticated requests like that and have that one then call SF. Bit like a proxy. You could even set something up fairly easily on Heroku.
Last but not least. This would be extremely stupid but if all else fails - in a sandbox enable Web-to-Case or Web-to-Lead and experiment with these. At the end of the day they give you an url you can POST to and pass a form with data. I think it'd have to be Content-Type: application/x-www-form-urlencoded and if you mentioned JSON they're likely to send it as application/json so might not work. If it works - you could maybe save the payload in Description field of Cases (special record type maybe?) and do something with it. I'm seriously not a fan of this.
Background
I have a simple NodeJS server hosted on localhost/Heroku which handles JWT authentication for adding data to the registered user amongst other (unrelated) things.
Here's the GitHub: https://github.com/mlee93dev/pw-keychain-server
I also have a simple Angular2 client on localhost/Heroku for this server:
https://github.com/mlee93dev/pw-keychain-app
Currently, I have my JWT access tokens configured to last only 5 seconds in my server for development purposes.
I have my CORS stuff configured to the best of my knowledge as shown below in server.js:
CORS configuration pic
The Problem
On Postman I test the POST request and I get the expected response - a JWT expiration error:
Postman POST pic
However I don't get the same response on my client - rather, I get a 'JWT must be provided' error:
Client POST pic
As you can see in the pic above, I know I'm actually attaching a token as I console.log it. Here's a pic of the code:
Client POST code pic
So what's confusing me more is that my DELETE request (for logging out) also implements the same x-auth token to request code, and it works in both Postman + client, as seen here:
DELETE error response
DELETE code
So yeah, I'm pretty confused. My guess is I have to configure my CORS some more to allow x-auth header on POST requests specifically somehow? Even though I think it should do that already with my current configuration.
You are providing the body in post request instead of headers.
Angular POST request
So in your post request just do the following
this.http.post(yoururl, {},{headers:new Headers({'x-auth':token})})...
And it should work.
I am trying to develop a website that reads a JSON response from a certain endpoint and post it after certain processing to the page.
I am using $http.get(url) (AngularJS)
However I am facing problems getting the response.
I have tried to use other URLs and it worked then the cause of the problem probably is not the code.
The Error is: "No Access Control Allow Origin header is present on the requested resource".
Other responses suggested something related to CORS and privacy issues ; but when i type the URL directly in my browser it gives a JSON response directly. (So basically there is no privacy issues in the server side right?)
My question is what should I do ? Is there another way to get the content of the page pointed by the url (i am sure that it will only contains the JSON response)
Thanks in Advance
I came across this question:
1. If we substitute the URL in the address bar, it is similar to receiving data from the server of this site
In order to send requests to other servers need to use JSONP HTTPS for secure channel
Sending data can be carried out, but with the replies received will be a problem in the form JSON
Please send to the server if use PHP, then use CURL
JS->Our server->Server api->Our server->JS
I'm trying to get an arduino to login in to a website that I have created.
On the website there is a basic form that has two fields one for password and one for username, it also has a submit button labelled login.
I used fiddler2 to sniff the http packets when I login in using chrome and am trying to use the information from that http post to recreate my own post to login.
Here is the portion of the code that I am using for the login:
if (client.connect(server, 80)) {
Serial.println("connected to server");
// Make a HTTP request:
client.println("POST/username=slwhore&passwd=1234qwer%21&op2=login&lang=english&force_session=1&return=B%3AaHR0cDovL3JlbW90bGV0LmNvbS8%3D&message=0&loginfrom=loginmodule&cbsecuritym3=cbm_56b7d5e7_00583e07_b0b6f81b4c86d117542f5cc7b7c3416e&Submit=Login HTTP/1.1");
client.println("Host:www.remotlet.com");
client.println("Content-Type: application/x-www-form-urlencoded");
client.println("Content-Length: 229");
client.println("Connection: close");
client.println();
I then have another piece of code that recieves the information coming back from the host which I know works. When I run this code I am able to connect to the server but I don't get any response form it at all. Any help would be greatly appreciated.
Your HTTP request is completely wrong, it will never ever be accepted by any kind of server web.
1st line: the HTTP 1st line is METHOD URI VERSION.
You didn't put a space between the method and the URI, also the POST data is not part of the URI as it is when using GET requests. I don't know what your server uses but usually sane logins don't use GET and don't pass the login inside the URI.
2nd line: you forgot a space
4th line: you set a content length but you don't send any content apparently.
General consideration: in HTTP the line terminator is \r\n, not just \n.
I suggest you do the request with the browser, intercept the traffic with wireshark and see how it's done.