After a user performs a login using the portal LoginPortlet the login does not succeed and a WARN was printed to the log:
User 0 is not allowed to access URL http://localhost:8080/web/guest/login and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper
After a second login afterwards, the login was ok. The issues only occurs if the login page was opened some minutes and the auth token gets invalidated. This is basically fine, but the portal config portlet.add.default.resource.check.whitelist has an exclude for LoginPortlet. But this whitelist seems not avoid the unwanted check. Are there any other places how the avoid CSRF checking for LoginPortlet?
I could not reproduce this issue, I used this server for testing:
Liferay Community Edition Portal 7.3.5 CE GA6
Here are my steps, please let me know what I should change to experience the issue:
I extracted this zip file to my ubuntu linux pc:
liferay-ce-portal-tomcat-7.3.5-ga6-20200930172312275.tar.gz
Started the server and completed the 1st time setup
I re-started the server and visited localhost:8080 in an Opera browser
Waited 7 minutes
I clicked on "Sign in" in the upper right corner
Waited again 5 minutes
I entered my credentials
Results:
I could log on successfully, there were no errors about CSRF
A couple of suggestions:
A. Do a search for CSRF in:
https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties
and see if you can find a property that solves your issue
Such properties can be:
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken
auth.token.check.enabled=false
auth.token.ignore.origins
B. Maybe you can try to set up something like this in your portal-ext.properties:
portlet.add.default.resource.check.whitelist.actions=/login/login
C. You can do a search in Liferay Jira, for example this ticket talks about something similar:
https://issues.liferay.com/browse/LPS-129976
I didn't have any problems before with signin into ms account, but now I can't get access to any account (to my account and even to new accounts) from any browser on my pc (but can signin from other pc, so, I know for sure - my account is active and havn't been blocked).
How it works (or, actually, doesn't):
1. Open https://azure.microsoft.com/en-us/services/devops/
2. click on "Sign in to Azure DevOps"
3. enter email and press enter
4. after few seconds and few requests (and few redirects), browser shows signin page again
OR:
1. Open https://portal.azure.com
2. enter email and press enter
3. after few seconds and few requests (and few redirects), I retrieve page "Sign-in failed. Sorry, we had some trouble signing you in, Click 'Try again' to try again."
Other details:
OS: Windows (maybe it happend after latest windows update, I'm not sure)
No installed antivirus or security software (just windows defender)
Browsers: Chrome, Edge on chromium, Firefox, Opera
It happened one week ago, and I still can't signin
There is no failed responses (4xx or 5xx), and no errors in console, so I really dont know how to fix it, maybe someone can help me with this problem
Importang thing: If I change network from my home wifi to another, I can signin there, so problem somewhere in wifi/router
Check to see what's under Credential Manager and, if the account is there, clear it out.
To go there, simply open Start and type credential manager.
You should be good to go.
This is now the 4th time I am sending my app for review. I want to use Instagram Basic Display API and therefore require instagram_graph_user_media permission to access media (and incidentally instagram_graph_user_profile). I have 2 test users, my personal IG account with a bunch of pics and a test user that I created with an empty feed. I can login with both users. But when the Instagram app reviewer is logging in, my app can't access their media. I successfully retrieve the access token but when comes the time to call the Graph API here is what happens:
https://graph.instagram.com/me/media?fields=media_type,media_url,permalink,thumbnail_url&access_token=IGQV....
returns
{"error":{"message":"Application does not have permission for this action","type":"IGApiException","code":10,"fbtrace_id":"A99vuaAC41DSvlt0Hxvcly-"}}
Here is an update from my latest app review rejection. This time, I added the code above to catch code 10 errors and if I did, try to fetch the user profile data. Guess what, that failed with a code 10 error as well. So, whatever the app reviewer is doing, it is granting access to neither the profile or the media API.
Another update. The reviewer I had this time sent me two screenshots, one of the Instagram login screen and one of my app's error screen. Interestingly, the Instagram login screen had a strange Instagram username that I have never heard of before. It certainly wasn't my test Instagram account. So I now have evidence of them both using my test account and their own special test accounts.
The question in my mind now is, is there something special about their test accounts that ruins the process? After all, I have not added them to be testers of my app, although if someone who hasn't accepted my test invite tries to log in, it errors in an entirely different way.
I am running out of ideas here. My next thing to try is to exchange the short-lived access token for a long-lived token, as well as trying to use the new access token to server-side (where I exchange the code for the access token) to check if the access token ever works or if it is created with insufficient access.
This whole process is a nightmare.
I will put this as an answer because we have dealt with this thing now for over 2 weeks and quite a few submissions. I think you should remove the bounty though.
What you have done so far:
Created and approved IG test accounts
Double and triple checked parameters & permission
Tested your app a dozen times
Created dozens of screencast spoon-feeding, making sure a 5 yo kid would be able to test your app
Having the above, I am sure you noticed:
The reviewer will add a generic text as 'reject reason.'
The reviewer will submit the irrelevant and out-of-scope screenshot(s)
The reviewer will not test with the Instagram credentials provided.
Maybe he WILL test with the Instagram test credentials provided (in fact you're left in the dark as to how they actually simulate IG access)
The reviewer will claim he's unable to sign in using provided credentials
The reviewer claims having tested, but you see no traces in your DB whatsoever (would be smart to do so, to know whether they're actually doing something or not, up to a certain point)
Conclusion
You have to know that your app is at the reviewer's mercy and approval sometimes arbitrarily. Eventually, you will find your app being approved while having submitted it to change at all.
This should be obvious but when you are so deep in the hole and try to think why your app is being rejected you stop thinking logically.
Here is what I did:
Create a dummy Instagram account.
Link this account to an email provider that doesn't require a phone/another way of verification (I used ProtonMail).
Use an Instagram Tester account (do the whole process).
In your instructions let the reviewer that they need to log in to ProtonMail to get the Instagram confirmation code; since they will do login from an unknown location (if you could simulate the above in your screencast that would be great, but I didn't do it).
If you apply for both instagram_graph_user_profile and instagram_graph_user_media you need to do this in 2 steps individually.
The second step getting the instagram_graph_user_media permission is much easier.
I lost a couple of days and tried everything and anything before I realized that.
Hopefully, this should help someone that is having the same problem.
The app was approved the first time.
It is possible that the App Reviewer is unchecking the instagram_graph_user_media access in the authentication screen, thus giving you only access to instagram_graph_user_profile. I had the exact same error code being thrown back my way, and I did the following:
Catch the error code 10 error
Try to fetch the https://graph.instagram.com/me?fields=account_type,username&access_token=${accessToken}
If that works, then display a page that makes it clear that you have successfully connected to the Instagram User Profile (and here is your username and account type) but, if the user wants to do X they also need to approve media access, and here is a button to go and reauthenticate again.
See the image I have below.
Now, I did the above and I still got an app review failure of code 10, which means that the second fetch to only the username and account type failed, and I do not know how they could possibly have managed to do that.
They admitted issue but not fixed yet: https://developers.facebook.com/support/bugs/543633182940083/
To get approved for Instagram Basic Display:
create a Facebook test user
create an Instagram account with that FB test user
give the credentials (email/address) of the Facebook test user to the reviewer in the Instagram Basic Display submission
Basic Display API review process is so bad its beyond words. I have been hitting the brick wall of their rejections for 3 weeks and almost got bald by pulling my hair in frustration. You really have to read between the lines to get a hint of what they are doing.
Turns out what the reviewer was doing is selecting "Continue with Facebook" on the Instagram Login screen and going that route (via Facebook login) instead of entering the instagram credentials directly. Only once I realized that I was able to pin point the problem. Interestingly though testing on the Simulator was fine but the problem only became apparent once I tested on the real device. The reason - simulator doesn't have neither Facebook app nor Instagram app installed, so it behaves differently versus the device where these apps get involved in the flow via deep linking.
The bottom line:
Test on real device.
Make sure to test both the direct Instagram log in and the "Continue with Facebook" option.
Test on the device with and without the Facebook and/or Instagram app installed.
Make sure to use brand new instance of WKWebView with non persistent data store to bring up the login screen, so that it doesn't have any cookies from previous logins:
let configuration = WKWebViewConfiguration()
configuration.websiteDataStore = WKWebsiteDataStore.nonPersistent()
let webView = WKWebView(frame: .zero, configuration: configuration)
Pray the God of your choosing.
I created an App that needs a login for getting user details and sending the challenge to choose the opponent by searching with their email id or giving Random search.
In Game Engine, its working properly. But, After completing the build from the Visual Studio I tried to put email id and giving submit will shows "please check the internet connection."(text that i used for getting if no internet connection in the system)
I enabled Internet(client & server) in the Appx.manifest. Is that any other operation need to done for getting the acccess of those data...???
I am running S60 SDK 5th with Eclipse pulsar on win 7.
I have oauth_token using with this Url https://www.linkedin.com/uas/oauth/authorize?oauth_token=. To get that grant access screen by LinkedIn.
I am loading above Url using htmlComponent, and adding HtmlComponent to form and show it.
Occasionally when I click on the "Ok I'll Allow It" button (i.e. after the button has been pressed) I get the following error message.
We’re sorry, there was a problem with your request. Please make sure you have cookies enabled and try again.
But I'm receiving the response with oauth_token, oauth_token_secret, oauth_callback_confirmed = true, xoauth_request_auth_url, oauth_expires_in.
Please help.
My guess is that the error is happening with the callback. Once you click the "OK, I'll allow it" button in the LinkedIn authentication page, the user should be redirected back to your application. Can you run the network for your phone through a laptop system where you can snoop the traffic to see what's happening? I'm not familiar with HTTP snooping capabilities in the Windows 7 system, but there may be some logging you can do to determine what's happening.