I am following the document https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens
However, it does not generate the authorization code after replacing all placeholders below. The message I get on Postman is as follows: When I attempt on the browser nothing is returned.
<noscript>
<div id="no_js">
<div class="error_container">
<div>
<h1>We can't sign you in</h1>
<p>Your browser is currently set to block JavaScript. You need to allow JavaScript to use this
service.</p>
<p>To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check
the online help in your web browser.</p>
</div>
</div>
</div>
</noscript>
GET https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=https://<tenant-name>.onmicrosoft.com/api/read
&response_type=code
Once you make the below request using browser by Seting the Scope to scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread%20openid%20offline_access and by updating the tenant and client id
GET https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread%20openid%20offline_access
&response_type=code
You will receive the response with the authorization code as below in the URL
https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
After successfully receiving the authorization code in the above response URL copy the code value and make the post request to get an access token
POST <tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<application-ID>
&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread%20openid%20offline_access
&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
&redirect_uri=https://jwt.ms
&client_secret=2hMG2-_:y12n10vwH...
Replace the code with the authorization code which you received in the responce of first request and use the client_secret of Client application.
Apparently, the documented process works only when you open the browser in private mode to generate authorization code in my case
Related
We are trying to get access token from sharepoint online.
using this postman api call https://mydomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0.
but not getting fedauth and rtfa cookies in return.only getting conext response cookie.
Following this Link for Postman call.
Anyone facing the same issue?
First , You need to get a binary security token, you need to use Microsoft Security Token Service, please enter the following URL:
https://login.microsoftonline.com/extSTS.srf
Then ,needs to add following XML Envelope as a message body, replace [username], [password] & [yourdomain] with your data.Please set Content-Type to application/x-www-form-urlencoded in Request Header.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>[username]#[YourDomain].onmicrosoft.com</o:Username>
<o:Password>[Password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>https://[yourdomain].sharepoint.com/</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
In the return request, you will get "BinarySecurityToken", please copy it and add it to the "body".you can send a POST request to the following URL ,finally you will get fedauth and rtfa cookies.
https://[YourDomain].sharepoint.com/_forms/default.aspx?wa=wsignin1.0
Here are some screenshots you can refer to:
i'm integrating the docusign api with my angular application, everything is working good, i created a proxy configuration in order to do the api calls, im using the demo url since i have a demo developer account.
The problem is that when i run my program in local (using localhost) the authentication token is successfully returned by the oauth call but when i upload my program on an external domain the same call returns me an html with irrelevant information with status 200 OK.
I tried to search this on google but i can't find nothing good.
What should i do?
this is the error i get:
ERROR qm
error: {error: SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at XMLHtt…, text: "<!doctype html>↵↵↵ <meta ch…b0a19788ec.js" defer="">↵↵"}headers: DmlazyInit: ()=> {…}lazyUpdate: nullnormalizedNames: Map(0) {}proto: Objectmessage: "Http failure during parsing for http://frontendly.it/oauth/token"name: "HttpErrorResponse"ok: falsestatus: 200statusText: "OK"url: "http://frontendly.it/oauth/token"proto: Bm
The OAuth call you are making has a parameter called redirectUri.
Look for &redirect_uri= in the URL.
You have to change that for each location, if you put this in a domain - then you cannot use localhost in there.
This URL has to match exactly to where you deployed your application.
For the second call, make sure to make it a POST, not GET, add the headers like this: (more information)
curl --header "Authorization: Basic NWMyYjhkN.....FhODg2MQ=="
--data "grant_type=authorization_code&code=eyJ0eXAi.....QFsje43QVZ_gw"
--request POST https://account-d.docusign.com/oauth/token
I have been at this for sometime now and wanted to see if anyone had and idea of what I could be doing wrong. What I am trying to do is add a song to a playlist using the provided Spotify Web APIs. According to the documentation on this https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/ I need to establish the scope of the user.
"adding tracks to the current user’s private playlist (including collaborative playlists) requires the playlist-modify-private scope" I have created the playlist as collaborative and I am using the login credentials of my personal account to reach this playlist I created. all this is under the same login.
What I am finding is that my scope is not getting added to my token on my call for my token causes a 403 error when I try to add the song.
Here is what that call looks like
https://accounts.spotify.com/authorize/?client_id=mynumber&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
here are the docs on using authorization to get the correct token.
https://accounts.spotify.com/authorize/?client_id=894400c20b884591a05a8f2432cca4f0&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
further more if I go into the dev support here
https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/
and click the green try button and then request a new token it works.
Bottom line some how my request is not taking my scope request. Any Ideas?
Thanks
To get the token with a specific scope you need to go to the authorize endpoint and get the code. The code is what you want to get to be able http post to the endpoint https://accounts.spotify.com/api/token and get a token with your desired scopes. You can simply get the code by pasting a url like this in your browser...
https://accounts.spotify.com/authorize?client_id=<client_id>&response_type=code&scope=streaming%20user-read-email%20user-read-private&redirect_uri=<redirect_uri>
Only add %20 in between scopes if you have multiple ones
You will then be sent to spotify's website and they'll verify you want to do this. Once you verify it your browser will redirect you to what you set the redirect_uri to be in the url above. At the end of the url that you are sent to, you should be able to see the parameter name code with the code value assigned to it. You then get that code and put it in your http post body params to the https://accounts.spotify.com/api/token endpoint. Make sure you accurately follow the query params requirements in your post method.
An example of the post in python using the requests library:
authorization = requests.post(
"https://accounts.spotify.com/api/token",
auth=(client_id, client_secret),
data={
"grant_type": "authorization_code",
"code": <code>,
"redirect_uri": <redirect_uri>
},
)
authorization_JSON = authorization.json()
return authorization_JSON["access_token"]
In the end you should get a json that shows the scopes you set a long with a refresh the token later on to make more requests.
I know this answer is quite late but I was experiencing the same issue as well which is how I came across this question. I hope this helps anyone that sees this at a later date.
Source: https://developer.spotify.com/documentation/general/guides/authorization-guide/#client-credentials-flow
I am facing roadblock on a owasp zap form based authentication. I setup zap property as per guidance. When i run active scan then "when to attempt login it give FORBIDDEN error. CSRF token not available.
Owasp ZAP not performing authentication during active scan using "Form-Based-Authentication" ON python project.
[
My target url is:
http://example.com:84/admin/login/?next=/admin/
Post data ;
csrfmiddlewaretoken=IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s&username={%username%}&password={%password%}&next=%2Fadmin%2F
here is the html response i got:
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>
<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>
CSRF token missing or incorrect.
</pre>
<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
<a
href="https://docs.djangoproject.com/en/1.8/ref/csrf/">Django's
CSRF mechanism</a> has not been used correctly. For POST forms, you need to
ensure:</p>
<ul>
<li>Your browser is accepting cookies.</li>
<li>The view function passes a <code>request</code> to the template's <code>render</code>
method.</li>
<li>In the template, there is a <code>{% csrf_token
%}</code> template tag inside each POST form that
targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
<code>csrf_protect</code> on any views that use the <code>csrf_token</code>
template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG =
True</code> in your Django settings file. Change that to <code>False</code>,
and only the initial error message will be displayed. </p>
<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
Unfortunatley ZAP doesnt currently support the automatic regeneration of CSRF tokens when authenticating.
A way around this is to record a Zest authentication script - make sure that you start by requesting the page token that generates that token.
Recording Zest scripts is covered in this FAQ (which is otherwise unrelated): https://github.com/zaproxy/zaproxy/wiki/FAQreportFN
Feel free to hassle us about supporting ACSR toeksn when authenticating on https://groups.google.com/group/zaproxy-users :)
I created a custom form in app and I set it's action to an url that is mapped by one of my RestControllers. I send the form, and get the following error message in my browser:
Your request cannot be processed
Sorry, an error has occurred.
Status: Forbidden (Forbidden)
Message: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
I took a look in chrome dev tools at the request itself and in the headers I found this:
Cookie:visited=yes; NG_TRANSLATE_LANG_KEY=%22en%22; tmhDynamicLocale.locale=%22en%22; JSESSIONID=FB0F8F19DE9B17AE4038C0149A81D829; SPRING_SECURITY_REMEMBER_ME_COOKIE=NEY5SnBQMUExcForNWFuUzVJbWlpdz09OmErQkE0bWZhbURubzFDamd5ckNJUUE9PQ; CSRF-TOKEN=ab678757-2326-4ebe-99e5-c97c1372fc9a
Does this mean that the request got a CSRF token but with the wrong name or thi is something else entirely? How can I insert the correct CSRF token into a form or rather how should it get there automatically?
If you just whant to see yor form working, you can disable CSRF protection to the URL form. Just add an entry on web.ignoring()
On SecurityConfiguration.java, find the configure method and add an entry like this:
web.ignoring()
.antMatchers("/api/yoururl/**")
.antMatchers("/scripts/**/*.{js,html}")
.antMatchers("/bower_components/**")
.antMatchers("/i18n/**")
.antMatchers("/assets/**")
.antMatchers("/swagger-ui/**")
.antMatchers("/test/**")
.antMatchers("/console/**");