Laravel 7 Socialite ORCID package 500 Internal Server Error - laravel-7

Using Laravel 7, and this package I tried to create an oath using an orcid socialite registration using a simple link.
DOCUMENTATION ("How does “3 legged OAuth” work?"):
https://info.orcid.org/documentation/integration-and-api-faq/#easy-faq-2537
Login Using Orcid
When the user clicks the button, a redirection occurs, but when the redirection occurs the system does not allow the user to "Grand" or "Deny" the connection to the service. Instead, a blank page redirects the user back to my project.
During the whole process, I can see that the URL changes, to Orchid.org/[etc][client_id] so I think a connection is established with Orcid.
But then I get a URL orcid/callback#error=invalid_scope
And an error message:
Server error: POST https://orcid.org/oauth/token resulted in a 500 Internal Server Error response: {"error":"server_error","error_description":"An authorization code must be supplied."}
Did I miss something?
my .env variables
ORCID_CLIENT_ID=XXX
ORCID_CLIENT_SECRET=XXX
ORCID_REDIRECT_URL=https://WEE/login/orcid/callback
ORCID_ENVIRONMENT=production
My LoginController functions for my routes:
public function orchidLogin(){
return Socialite::driver('orcid')->redirect();
}
public function handleOrcidCallback(Request $request){
//How do I get the data for registration???
}
My routes:
Route::get('login/orcid', 'Auth\LoginController#orchidLogin');
Route::get('login/orcid/callback', 'Auth\LoginController#handleOrcidCallback');

After facing the same issue, and dig deep in the mentioned package found that the package by default assume scopes in vendor\socialite\orcid\provider which was protected $scopes = ['/authenticate','/read-limited'];
if you only registered for public API then the scope '/read-limited' not available for you. that's why you get the error #error=invalid_scope and as per ORCID documentation Here the scope /read-limited (for Member API only).
so to fix the issue you have 2 options:
register for member API.
or assign public API scopes only.
like Socialite::driver('orcid')->scopes(['/authenticate','openid'])->redirect()

Related

passport-apple inexplainable invalid_client on nodejs backend -- using clean example repository with fresh set of credentials

I've cloned https://github.com/ananay/passport-apple-example and replaced the config with this:
clientID: "com.myname.web",
teamID: "myteamid",
callbackURL: "https://myurldev.com/auth/apple/redirect",
keyID: "mykeyid",
privateKeyLocation: path.join(__dirname, "../apple-key.p8")
I've also added SSL certificate on my machine and starting the server with https, all works fine & is recognized by my browser. I'm also starting the app on port 443 and proxying using my hosts file myurl.dev.com -> 127.0.0.1.
I have the same auth setup for facebook, google & microsoft and everything works fine.
I have:
Created a new APP identifier and enabled Sign in with Apple for it, named it: com.myname.dev
Created a new SERVICE identifier and enabled Sign in with apple, called it: com.myname.web
Added "https://myurldev.com/auth/apple/redirect" to the "Reply URLS" on the service identifier com.myname.web
Set my app identifier com.myname.dev as the main app identifier my service to be grouped with.
Created a private key and enabled sign in with apple, interface confirmed the presence of grouped ID com.myname.web bundled with com.myname.dev for which the key was created.
I have confirmed using console.log that the private key is indeed at the path being passed as parameter.
converted the .p8 file to base64 & then back to UTF-8 in an attempt to use the string for privateKeyString
successfully implemented Apple Oauth several times in the past using passport-apple
This time around, for some reason, auth simply doesn't work.
If I set the clientID as the APP identifier, not the service, I'm getting
invalid_request
Invalid web redirect url.
instead of invalid_client
Any advice on debugging this is highly appreciated. Thank you.
EDIT #1:
I have dug a bit deeper into the passport-apple package to figure out if anything goes against apple's docs around token generation, but the flow never reaches that part, indicating things go wrong on the actual configuration in Apple's console & what I'm trying to use for my project.
EDIT #2
2 of the app Ids I have created always throw "wrong redirect uri" because they're not service IDs so I can't configure redirect_uri, this will change if to "required" if I pass undefined as a redirect_uri.
One of the app ids throws only invalid client_id instead, regardless if I pass undefined or good value for redirect_uri.
EDIT #3
Went full vanilla through the OAuth code flow process and just created a url & redirected the user it, failing with this method is consistent with what is happening when using the passport-apple module.
const url = new URL("https://appleid.apple.com/auth/authorize");
url.searchParams.append("state", "fdbd287b1f");
url.searchParams.append("response_type", "code");
url.searchParams.append("scope", "name email");
url.searchParams.append("response_mode", "form_post");
url.searchParams.append(
"redirect_uri",
"https://raiseitupdev.com/auth/apple/redirect",
);
url.searchParams.append("client_id", "com.myname.web");
return res.redirect(url.toString());
[Creator of the library here.]
Did it stop working in development too? I feel this is a configuration error because the actual thing is working live on my website:
https://passport-apple.ananay.dev
Please follow up on this Github issue. Thanks!
https://github.com/ananay/passport-apple/issues/23

How can I protect the loopback explorer by username and password?

I've just started using loopback4 and I would like to protect the /explorer from being public. The user would initially see a page where username and password must be entered. If successful, the user is redirected to /explorer where he can see all API methods (and execute them). If user is not authenticated, accessing the path /explorer would give a response of "Unauthorized". Is there a way to easily implement this?
There is issue talking about a GLOBAL default strategy is enabled for all routes including explorer in https://github.com/strongloop/loopback-next/issues/5758
The way is to specify a global metadata through the options:
this.configure(AuthenticationBindings.COMPONENT).to({
defaultMetadata: {
strategy: 'JWTStrategy'
}
})
this.component(AuthenticationComponent);
registerAuthenticationStrategy(this, JWTAuthenticationStrategy)
But in terms of enabling a single endpoint added by route.get(), it's not supported yet, see code of how explorer is registered. #loopback/authentication retrieves auth strategy name from a controller class or its members, but if the route is not defined in the controller, it can only fall back to the default options, see implementation

how to set up web api on azure without security?

I have a very simple Addresses Controller that works when I host the asp.net web app on IIS Express.
public class AddressesController : ApiController
{
public int GetAddresses()
{
//return db.Addresses.Select(x => x.AddressID);
return 3;
//"select AddressID from Addresses";
}
I call the api successfully locally with
GET https://localhost:44385/api/Addresses,
but I want to be able to call it when the app is hosted on azure.
I published my app using publish, and the index page loads fine.
However, the api endpoint is not accessible.
I verified that Azure's
"App Service Authentication" is Off for the application. If the authentication is off, shouldn't I be able to directly hit this endpoint?
Response I get is
500 Internal Server Error:
{
"Message": "An error has occurred."
}
When I try to set breakpoints using the cloud remote debugger, the break points in the HomeController containing the Index Page returns fine.
however, the AddressesController's break point does not get hit. It makes me wonder if creating the controller failed or the routes for the app were not configured properly.
However, when I try to set a breakpoint in route configuration it doesn't get hit when I publish the website (not sure why? maybe the debugger attaches after the website is fully loaded)
edit: thanks to the kind help, I now have more useful error information.
{
"Message": "An error has occurred.",
"ExceptionMessage": "Multiple types were found that match the controller named 'Addresses'. This can happen if the route that services this request ('api/{controller}/{id}') found multiple controllers defined with the same name but differing namespaces, which is not supported.\r\n\r\nThe request for 'Addresses' has found the following matching controllers:\r\nWebApplication1.Controllers.AddressesController\r\nRestAPI.Controllers.AddressesController",
"ExceptionType": "System.InvalidOperationException",
"StackTrace": " at System.Web.Http.Dispatcher.DefaultHttpControllerSelector.SelectController(HttpRequestMessage request)\r\n at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__15.MoveNext()"
}
the namespace I used was RestAPI.Models. A search doesn't reveal "WebApplication1.Controllers." anywhere in my project. Very strange
There is an issue when publishing if the controller has changed and you don't choose
the "Remove Additional Files at Destination" when publishing to azure.
https://github.com/microsoft/botframework-sdk/issues/3898
Thanks for the help houssem

yii2 CSRF not validating host

One more issue I am facing my site is created in yii2 and CSRF is enabled but when I copy full form including csrf token and create new html file outside server and submit form from outside of server it accepting my form.
What is the expected result?
it should give permission issue
What do you get instead?
it successfully accepting form not sure either I am missing any configuration or what
Yii version 2.0.6
PHP version 5.5.38
Operating system CentOS release 6.9 (Final)
CSRF protection is based on the fact, that third party website should not know CSRF token of your user. If you expose CSRF token, then the whole protection will not work. This is by design.
If you want to block requests from untrusted domains, you should probably use CORS.
That's happening because, as you said, you are using CRSF. If you want to accept data from another domain, you'll need to disable CRSF at least for that particular request. Either this way:
class MyController extends Controller
{
public $enableCsrfValidation = false;
or this way:
class MyController extends Controller
{
public function beforeAction($action)
{
if (in_array($action->id, ['incoming'])) {
$this->enableCsrfValidation = false;
}
return parent::beforeAction($action);
}
From the cookbook: https://yii2-cookbook.readthedocs.io/csrf/
And also, from the official docs: https://www.yiiframework.com/doc/api/2.0/yii-web-controller#$enableCsrfValidation-detail

Using OAuth dialog for facebook app do not allow to use canvas URL as redirect_uri

I am starting a Facebook app. Following the Getting Started tutorial in the Authorization section, it says I should use this URL to get permission from users:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE
I am replacing YOUR_CANVAS_PAGE with my canvas URL, the one I see on my app settings:
https%3A%2F%2Fapps.facebook.com%2F238620302882463%2F
But, then, if I navigate to that page, I get the following error:
An error occurred with Elecciones 2012. Please try again later.
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: Invalid redirect_uri: Given URL is not allowed by the Application configuration.
If I replace YOUR_CANVAS_PAGE with:
http%3A%2F%2Fwww.example.com%2FElecciones2012
The permission dialog works fine. But then I get redirected to my website, not the app inside facebook.com
Any idea why is this happening??
I have seen other apps using a different permission dialogue:
http://www.facebook.com/connect/uiserver.php?app_id=11609831134&method=permissions.request&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Fpetsociety%2F%3Fpf_ref%3Dsb%26ref%3Dts&response_type=none&display=page&perms=email%2Cpublish_actions&auth_referral=1
But it looks it is part of another set of APIs.
I got the same problem too. Looks like the problem is in "Canvas URL". You cannot use your app id in canvas URL like:
"https%3A%2F%2Fapps.facebook.com%2F238620302882463%2F"
Instead, the namespace should be used as your canvas URL. for example:
"https://apps.facebook.com/myapplication/"
You can set your app namespace in the application settings in facebook.

Resources