IDX21323 error and sometime looping in the URL in azure b2c - azure-web-app-service

I am getting the error IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null.
https://testing.demo.com/message=IDX21323:%20RequireNonce%20is%20'[PII%20is%20hidden]'.%20OpenIdConnectProtocolValidationContext.Nonce%20was%20null,%20OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce%20was%20not%20null.%20The%20nonce%20cannot%20be%20validated.%20If%20you%20don't%20need%20to%20check%20the%20nonce,%20set%20OpenIdConnectProtocolValidator.RequireNonce%20to%20'false'.%20Note%20if%20a%20'nonce'%20is%20found%20it%20will%20be%20evaluated.
I checked in other SO links and found this issue is related to redirect URI mismatch like if you have one URL in the code but different one in AZure.
IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null
For me Redirect URI same for both i.e. in code and Azure. moreover I registered one application with two redirect URI (http://localhost:11111/ and https://testing.demo.com). so when I am running through local using localhost it's working fine but when I use https://testing.demo.com, I got IDX21323 error in my system, where as in different system its in a loop.
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%{tenant ID}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk
The above URL remains same but only the nonce got changed everytime.
So is it because I have kept two redirect URI for the same application. Do I need to create two different application one for localhost (Redirect URI - http://localhost:11111) and another for Dev (Redirect URI - https://testing.demo.com)
Your expertise matters.
Thanks!!

Its always recommended to use different application for development and production. Mainly from security and isolation point of view.
Your redirect_url seems to be wrong, its pointing to the tenant itself and hence in a loop. The redirect_uri below should be your app's reply url - http://localhost:11111 or https://testing.demo.com,
https://login.microsoftonline.com/{tenantID}/oauth2/authorize?client_id={client ID}&redirect_uri=http://localhost:11111/&response_type=id_token&response_mode=form_post&nonce={nonce 1}state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6qswsdwdY2OTAtNzlk

Related

500(Internal Server Error): Forge deployed on Azure

I am new to this topic. I have deployed my app to Azure (following the tutorial from Autodesk). When I try to press to the login to BIM360 is return an error 500 (internal Server Error). I have changed the FORGE_CALLBACK_URL = "htttp://forgeSample1234.azurewebsite.net/api/forge/callback/oauth"
The code has no problem when in localhost.
Does anyone has the same problem?
Please note that when updating the callback URL, you actually have to change it in two places:
in your code (that's typically the FORGE_CALLBACK_URL)
in your Forge app page in https://forge.autodesk.com/myapps
And of course, the URL has to match exactly in both places.
Also, it looks like there might be a typo in your URL: you say htttp instead of http, and I'm also wondering if you shouldn't be using https?

passport-apple inexplainable invalid_client on nodejs backend -- using clean example repository with fresh set of credentials

I've cloned https://github.com/ananay/passport-apple-example and replaced the config with this:
clientID: "com.myname.web",
teamID: "myteamid",
callbackURL: "https://myurldev.com/auth/apple/redirect",
keyID: "mykeyid",
privateKeyLocation: path.join(__dirname, "../apple-key.p8")
I've also added SSL certificate on my machine and starting the server with https, all works fine & is recognized by my browser. I'm also starting the app on port 443 and proxying using my hosts file myurl.dev.com -> 127.0.0.1.
I have the same auth setup for facebook, google & microsoft and everything works fine.
I have:
Created a new APP identifier and enabled Sign in with Apple for it, named it: com.myname.dev
Created a new SERVICE identifier and enabled Sign in with apple, called it: com.myname.web
Added "https://myurldev.com/auth/apple/redirect" to the "Reply URLS" on the service identifier com.myname.web
Set my app identifier com.myname.dev as the main app identifier my service to be grouped with.
Created a private key and enabled sign in with apple, interface confirmed the presence of grouped ID com.myname.web bundled with com.myname.dev for which the key was created.
I have confirmed using console.log that the private key is indeed at the path being passed as parameter.
converted the .p8 file to base64 & then back to UTF-8 in an attempt to use the string for privateKeyString
successfully implemented Apple Oauth several times in the past using passport-apple
This time around, for some reason, auth simply doesn't work.
If I set the clientID as the APP identifier, not the service, I'm getting
invalid_request
Invalid web redirect url.
instead of invalid_client
Any advice on debugging this is highly appreciated. Thank you.
EDIT #1:
I have dug a bit deeper into the passport-apple package to figure out if anything goes against apple's docs around token generation, but the flow never reaches that part, indicating things go wrong on the actual configuration in Apple's console & what I'm trying to use for my project.
EDIT #2
2 of the app Ids I have created always throw "wrong redirect uri" because they're not service IDs so I can't configure redirect_uri, this will change if to "required" if I pass undefined as a redirect_uri.
One of the app ids throws only invalid client_id instead, regardless if I pass undefined or good value for redirect_uri.
EDIT #3
Went full vanilla through the OAuth code flow process and just created a url & redirected the user it, failing with this method is consistent with what is happening when using the passport-apple module.
const url = new URL("https://appleid.apple.com/auth/authorize");
url.searchParams.append("state", "fdbd287b1f");
url.searchParams.append("response_type", "code");
url.searchParams.append("scope", "name email");
url.searchParams.append("response_mode", "form_post");
url.searchParams.append(
"redirect_uri",
"https://raiseitupdev.com/auth/apple/redirect",
);
url.searchParams.append("client_id", "com.myname.web");
return res.redirect(url.toString());
[Creator of the library here.]
Did it stop working in development too? I feel this is a configuration error because the actual thing is working live on my website:
https://passport-apple.ananay.dev
Please follow up on this Github issue. Thanks!
https://github.com/ananay/passport-apple/issues/23

Cors no-access-control-allow-origin when trying to call B2C login

I cannot resolve this error, i have a .net core web api, with a react application inside of it ( net core react template )
I have also added cors:
services.AddCors(options =>
{
options.AddPolicy("AllowMyOrigin",
builder => builder.WithOrigins("https://localhost:44300")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials()
);
});
I have tried multiple things but i cant get past this error.
I have found loads of material online to try and nothing seems to work i feel like i am missing something really obvious?
Can someone point me in the right direction.
I expect that there should be an allow origin header:
I also tried using the Mosif browser extension to turn cors on, this stoped the cors error from showing but now i have a 404 (notfound ) on:
https://login.microsoftonline.com/tfp/domainname.onmicrosoft.com/b2c_1_sign_up/v2.0/.well-known/openid-configuration
You mention that you get an 404 error when opening the openid-configuration url. This means that part of your configuration is incorrect. You must be able to open this url in your browser and get back a JSON document. Copy it to a new tab and tweak it until you get back a result.
Please double check your configured policy and tenant name. The full url usually looks like this:
https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=<policy-name>
https://login.microsoftonline.com/tfp/tenantname.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
All of these are equally valid and can be used depending on your scenario.
The config should then look something like this:
authentication.initialize({
instance: 'https://tenantname.b2clogin.com/',
tenant: 'tenantname.onmicrosoft.com',
Another issue might be if your B2C tenant quite new, Microsoft could be blocking support for microsoftonline for your tenant. In this case, try switching to the b2clogin.com domain as your instance.
You can see a possible value for this url when opening the user flow in the Azure Portal.
As a sidenote, I would suggest switching to a different react library. The one you are using is not really being maintained. We are currently using https://github.com/syncweek-react-aad/react-aad

Universal Link for IOS is not working

Hi I have done with following steps to implement Universal Link for IOS.
1.My sub domain is npd.nowconfer.com, and my apple-app-site-association file contains,
{
"applinks": {
"apps": [],
"details": [
{
"appID":"R3UDJNSN2P.com.sampleUniversal.teledna",
"paths": ["*"]
}
]
}
}
this file is uploaded into my subdomain npd.nowconfer.com and its serveing over https.
2.I tested using AASA Validator i.e https://branch.io/resources/aasa-validator/#resultsbox and i got Test result as all pass.
you can see attached screenshot.
3.Now In app side,my colleague did configuration such as
Added the domain to Capabilities i.e applinks:nowconfer.com and applinks:npd.nowconfer.com
Handled Universal Links in app i.e in delegate like this
- (BOOL)application:(UIApplication *)application continueUserActivity:(NSUserActivity *)userActivity restorationHandler:(void (^)(NSArray *))restorationHandler {
NSURL *url = userActivity.webpageURL;
// handle url
}
4.my universalink is https://npd.nowconfer.com:5000/calendar/deeplink?url=nowconfer when i click on this link from email ,my app is not opening instead it is redirecting to app store(becasue server side request came handling to redirect app shore if app is not installed on device)
But when i tested universalink validator here https://search.developer.apple.com/appsearch-validation-tool ,i have got some error
Link to Application : Error no apps with domain entitlements
The entitlement data used to verify deep link dual authentication is from the current released version of your app. This data may take 48 hours to update.
I have seen lot of tutorials but not used anything for me.Can you guys help me to figure out what is happening here?
Universal Links have to be standard http:// or https:// links. This means they need to use the standard web ports, of which 5000 is not one. That is why your link is not working — it's not actually a valid Universal Link.
The Apple validator checks for some additional things, and is also somewhat unreliable. This particular error message is confusing, but it has nothing to do with whether your Universal Linking configuration is correct. What it actually means is Apple can't detect applinks: entitlements and 'proper' handling of passed-in link values in the version of your app that is currently live in the App Store. This is expected if you are just implementing Universal Links for the first time. You don't need to worry about this — a number of large and successful apps with working Universal Links implementations fail this step too.

Sharepoint Lists.asmx: The request failed with an empty response

I'm writing a very small app to create and test caml querys for sharepoint. While executing the GetListItems method I'm receiving the following exception;
System.Net.WebException: "The request failed with an empty response."
The service is located on a https address (ssl). I setup the service as follows;
result = new ListService.Lists();
result.Url = siteUrl;
result.Credentials = new NetworkCredential(txtUserName.Text, txtPassword.Text, txtDomain.Text);
I invoke the GetListItems() method as follows;
xmlResult = spList.GetListItems(listName, string.Empty, camlQuery, null, string.Empty, null, string.Empty);
I'm trying to find out why I'm getting the empty result message. I've also tried other methods (i.e. GetListCollection) but to no avail.
At first I thought that the problem might be the URL (http instead of https), but that is not the case. I even checked it with wireshark to make sure the right URL is used.
Did someone come accross this problem and how did you solve it?
OMG...! I've solved it after all. After posting this question, I tried to get hold of the wsdl the check the service itself. When I checked it via internet explorer all was ok. When I tried to add it as a reference in VS it went wrong. So something was not ok. Then it occured to me that there was a new login screen for our company network.
After some quick phonecalls I learned what the problem was; IT Services installed a ISA 2006 server and 'forgot' to tell me. The ISA server was blocking all trafic on the HTTPS port (443) for unkown programs and or clients. That's why internet explorer presented me with a new and shiny login dialog.

Resources