I am using Facebook OWIN Authentication and more or less follow the Microsoft sample. The first time a user logs in, everything is OK. But if they sign out and try again, it seems like the previous .AspNet.Correlation.Facebook cookie is not removed but set to an empty string. So my next call to api/getexternallogin looks like this in Fiddler:
This is when we are generating a correlationId, and having multiple cookies at this point is not a show stopper. In the response, I set it to the new CorrelationId:
Later, when Facebook calls back to "/signin-facebook", we try to validate the correlationId in the ValidateCorrelationId method. The request looks like this:
So the new CorrelationId has been set, but the extra cookie with no value means that when I call Request.Cookies["ValidateCorrelationId"], it returns an empty string.
I have checked the code and it seems like the only methods modifying this cookie are GenerateCorrelationId and ValidateCorrelationId. The implementation of these methods can be found here:
http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs
Curiously enough, my browser does not seem to see the issue:
Any ideas will be much appreciated.
OK, this has taken me a fair bit of frustration, but when Response.Cookies.Delete(".AspNet.Correlation.Facebook") is called in the ValidateCorrelationId method, it sends the following in the response:
So the value of "expires" has been concatenated and treated as two separate "set-cookie"s. Hence, the cookie is not expired, but its value is set to an empty string. It seems like the comma after "Thu" is causing it.
The fix I have come up with was to comment out Response.Cookies.Delete(".AspNet.Correlation.Facebook") and do the following instead:
Response.Headers.Add("Set-Cookie", new[] { CorrelationKey + "=; path=/; expires=Fri 02-Jan-1970 00:00:00 GMT" });
No commas there and it is working now.
This does seem like a genuine bug in OWIN.
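To make the failure above concrete, here is an added example (not code from the question or from OWIN/Katana) showing how a comma inside the Expires attribute turns a cookie deletion into an empty-valued, still-live cookie, and a splitter and check that do not fall into that trap. The cookie strings are constructed; it runs on plain Node.js.

```javascript
// Added example, not from the original post: a deletion cookie in the
// RFC 1123 date format followed by the freshly generated correlation
// cookie, joined on one line the way a naive header-folding layer would.
const DELETE_COOKIE =
  '.AspNet.Correlation.Facebook=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/';
const NEW_COOKIE = '.AspNet.Correlation.Facebook=AbC123; path=/; HttpOnly';
const COMBINED = `${DELETE_COOKIE}, ${NEW_COOKIE}`;

// The faulty behaviour described above: every comma starts a new cookie,
// so the deletion is cut off right after "expires=Thu".
function splitNaive(header) {
  return header.split(',').map((s) => s.trim());
}

// Only treat a comma as a separator when it is followed by something
// shaped like a new cookie-pair ("name=..."). The text after the comma
// in a date ("01-Jan-1970 ...") never has that shape.
function splitSetCookie(header) {
  return header.split(/,(?=\s*[^=;,\s]+=)/).map((s) => s.trim());
}

// Minimal Set-Cookie parser: the cookie-pair plus the Expires attribute.
function parseSetCookie(cookieString) {
  const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: null };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split('=');
    if (key.toLowerCase() === 'expires') {
      // Dashes are normalised to spaces so "01-Jan-1970" parses everywhere.
      const t = Date.parse(rest.join('=').replace(/-/g, ' '));
      cookie.expires = Number.isNaN(t) ? null : new Date(t);
    }
  }
  return cookie;
}

// True only when the Set-Cookie string really removes the cookie: a
// parseable Expires in the past. "expires=Thu" fails this check, which is
// exactly the empty-valued cookie that survived in the Fiddler trace.
function isDeletion(cookieString) {
  const c = parseSetCookie(cookieString);
  return c.expires !== null && c.expires.getTime() < Date.now();
}
```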
When using ctx.cookies.set(), KOA adds a 'set-cookie' header to the response. However, ctx.cookies.get() retains the cookie (if any) from the original request. This seems counter-intuitive if I'm overwriting it. Is there not a way to have the getter reflect the new value immediately, in the same request?
const { v4: uuidv4 } = require('uuid');
const h = uuidv4();
console.log('set new cookie', h);
ctx.cookies.set('uuid', h, { httpOnly: false, overwrite: true });
// This outputs undefined or the value that came with the request,
// not the newly assigned value:
console.log('cookie is', ctx.cookies.get('uuid'));
I'm fairly new to node.js. What I'm looking for is something like PHP's $_SESSION[], in which values are updated and available immediately as well as being written to the response cookie. I understand I could pile the new uuid into ctx.state, but it seems cleaner to just be able to access ctx.cookies.get() anywhere further down the middleware chain and have access to what I just set it to.
Having a set() that doesn't change the result of its get() seems like code smell to me. Am I missing something?
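One way to get the read-your-writes behaviour asked for above, as an added example that is not part of the question and not Koa's own API: a small wrapper around the Cookies-like object that records what was set during the request. The `fakeCookies` object is a constructed stand-in for Koa's `ctx.cookies` so the example runs without Koa.

```javascript
// Added example (not from the question or Koa): set() writes through to
// the real Set-Cookie header and records the value; get() returns the
// recorded value first and falls back to the request cookie, so later
// middleware sees what was just set.
function readYourWrites(cookies) {
  const pending = new Map(); // name -> value written during this request
  return {
    get(name, opts) {
      return pending.has(name) ? pending.get(name) : cookies.get(name, opts);
    },
    set(name, value, opts) {
      cookies.set(name, value, opts);
      // Koa's cookies module treats null/undefined as "delete this cookie".
      pending.set(name, value == null ? undefined : String(value));
      return this;
    },
  };
}

// Constructed stand-in for ctx.cookies: get() only knows the request
// cookies and set() only appends to the outgoing header, like Koa does.
function fakeCookies(requestCookies) {
  const setCookieHeader = [];
  return {
    get: (name) => requestCookies[name],
    set: (name, value, opts = {}) => {
      const attrs = opts.httpOnly === false ? '' : '; HttpOnly';
      setCookieHeader.push(`${name}=${value == null ? '' : value}${attrs}`);
    },
    setCookieHeader,
  };
}

// Middleware-style usage: install the wrapper once, early in the chain,
// then use it wherever ctx.cookies would have been used.
function demo(requestCookies, newUuid) {
  const raw = fakeCookies(requestCookies);
  const cookies = readYourWrites(raw);
  cookies.set('uuid', newUuid, { httpOnly: false, overwrite: true });
  return { seen: cookies.get('uuid'), header: raw.setCookieHeader };
}
```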
I'm using simple-oauth2 in this example to query Microsoft Graph. All works well so far. But when I try to refresh the access token with var newToken = await storedToken.refresh();, I get an error:
The content-type is not JSON compatible
This is thrown in wreck's index.js, and it seems like there is no content-type set in the headers while the mode is set to strict. The problem is that I have no idea how to change this or why this is happening. It only happens on refresh().
I figured this is a configuration problem. The sample provides the config as follows:
OAUTH_AUTHORITY=https://login.microsoftonline.com/common
OAUTH_ID_METADATA=/v2.0/.well-known/openid-configuration
OAUTH_AUTHORIZE_ENDPOINT=/oauth2/v2.0/authorize
OAUTH_TOKEN_ENDPOINT=/oauth2/v2.0/token
wreck uses Url.URL to combine OAUTH_AUTHORITY with OAUTH_TOKEN_ENDPOINT, which results in https://login.microsoftonline.com/oauth2/v2.0/token and therefore loses common. This results in a 404 and therefore no JSON response anymore.
I changed the config slightly: I removed the leading slashes from the relative paths and added a trailing slash to the base URL.
OAUTH_AUTHORITY=https://login.microsoftonline.com/common/
OAUTH_ID_METADATA=/v2.0/.well-known/openid-configuration
OAUTH_AUTHORIZE_ENDPOINT=oauth2/v2.0/authorize
OAUTH_TOKEN_ENDPOINT=oauth2/v2.0/token
So OAUTH_TOKEN_ENDPOINT is now relative. I have not figured out why it worked for authorize, though, but it still works.
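The resolution rule behind the answer, as an added example that is not from simple-oauth2 or wreck: Node's WHATWG URL class resolves the three authority/endpoint combinations discussed above, and a guard refuses a token endpoint that has escaped the configured tenant path (a token request carries the client secret and refresh token, so posting it to the wrong path is worth catching before the 404).

```javascript
// Added example (not from the question, simple-oauth2 or wreck).
function resolveEndpoint(authority, endpoint) {
  return new URL(endpoint, authority).href;
}

// The resolved token endpoint must keep the authority's origin and stay
// under its path; the tenant-less path that produced the 404 above is
// rejected here instead of being posted to.
function tokenUrlOrThrow(authority, endpoint) {
  const base = new URL(authority);
  const resolved = new URL(endpoint, authority);
  const basePath = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  if (resolved.origin !== base.origin || !resolved.pathname.startsWith(basePath)) {
    throw new Error(`token endpoint ${resolved.href} is outside authority ${authority}`);
  }
  return resolved.href;
}

// The combinations discussed in the question and answer.
const CASES = {
  // Original config: an absolute path replaces the whole "/common" path.
  original: ['https://login.microsoftonline.com/common', '/oauth2/v2.0/token'],
  // Relative path but no trailing slash: "common" is the last segment of
  // the base and is replaced, so this is just as wrong.
  noSlash: ['https://login.microsoftonline.com/common', 'oauth2/v2.0/token'],
  // Fixed config from the answer: trailing slash plus relative path.
  fixed: ['https://login.microsoftonline.com/common/', 'oauth2/v2.0/token'],
};
```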
I'm trying to make a request with Content-Type x-www-form-urlencoded that works perfectly in Postman but does not work in an Azure Logic App: I receive a Bad Request response for missing parameters, as if I had not sent anything.
I'm using the Http action.
The body value is param1=value1&param2=value2, but I tried other formats.
HTTP Method: POST
URI : https://xxx/oauth2/token
In the Headers section, add the content-type below:
Content-Type: application/x-www-form-urlencoded
And in the Body, add:
grant_type=xxx&client_id=xxx&resource=xxx&client_secret=xxx
Try out the solution below. It's working for me.
concat(
'grant_type=',encodeUriComponent('authorization_code'),
'&client_id=',encodeUriComponent('xxx'),
'&client_secret=',encodeUriComponent('xxx'),
'&redirect_uri=',encodeUriComponent('xxx'),
'&scope=',encodeUriComponent('xxx'),
'&code=',encodeUriComponent(triggerOutputs()['relativePathParameters']['code']))
Here, code is a dynamic parameter coming from the previous flow's query parameter.
NOTE: Do not forget to set the Content-Type header to application/x-www-form-urlencoded
Answering this one, as I needed to make a call like this myself today.
As Assaf mentions above, the request indeed has to be URL-encoded, and a lot of times you want to compose the actual message payload.
Also, make sure to add the Content-Type header in the HTTP action with the value application/x-www-form-urlencoded.
Therefore, you can use the following code to combine variables that get URL-encoded:
concat('token=', encodeUriComponent(body('ApplicationToken')?['value']),'&user=', encodeUriComponent(body('UserToken')?['value']),'&title=Stock+Order+Status+Changed&message=to+do')
When using the concat function (in composing), the curly braces are not needed.
First of all, the body needs to be:
{ param1=value1&param2=value2 }
(i.e. surround it with {})
That said, value1 and value2 should be URL-encoded. If they are a simple string (e.g. a_b) then this would be fine as is, but if it is for example https://a.b it should be converted to https%3A%2F%2Fa.b
The easiest way I found to do this is to use https://www.urlencoder.org/ to convert it. Convert each param separately and put the converted value in place of the original one.
Here is a screenshot of the solution that works for me; I hope it will be helpful. This is an example with the Microsoft Graph API but will work in any other scenario:
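What the concat(... encodeUriComponent(...)) expressions in the answers above build, as an added example in Node.js rather than Logic App code (encodeURIComponent applies the same encoding). It shows why each value has to be encoded on its own before the pieces are joined with "&": an unencoded value containing "&" is read by the receiver as an extra parameter. The parameter values are constructed.

```javascript
// Added example, not from any answer above. Encode each name and value
// separately, then join; this is what the concat() expressions do by hand.
function buildFormBody(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// What a naive template does: interpolate raw values into the string.
function buildFormBodyUnencoded(params) {
  return Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
}

// How the receiving side reads application/x-www-form-urlencoded.
function parseFormBody(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// Constructed values: a redirect URI (needs encoding, as shown above) and
// a scope string containing "&", which left unencoded becomes a separate
// "prompt" parameter instead of part of the scope value.
const PARAMS = {
  grant_type: 'authorization_code',
  redirect_uri: 'https://a.b/callback',
  scope: 'openid offline_access&prompt=consent',
  code: 'SAMPLE_CODE',
};
```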
I have recently encountered an interesting problem.
I am trying to access Sametime by using the integrated REST API. To do that I wanted to prepare an XAgent that does the lookup and data connection for me.
The first two steps to connect to the Sametime server work perfectly fine, but I have a problem with the last step. Regardless of what I do, I can't set the header of the GET request. I tried it with other fields than the one mentioned below, but it looks like it's not setting the header.
Does anybody have any idea why setting the header in SSJS doesn't work?
var url = new java.net.URL("http://oursametimeserver/stwebapi/RTCServlet?" + sid);
var conn = url.openConnection();
conn.setRequestProperty("Rtc4web-Nonce", pid);
conn.setRequestMethod("GET");
writer.write(#Implode(conn.getHeaderFields()));
Please see the results:
{null=[HTTP/1.1 400 Bad Request], Cache-Control=[no-cache="set-cookie, set-cookie2"], Expires=[Thu, 01 Dec 1994 16:00:00 GMT], X-Powered-By=[Servlet/3.0], Content-Length=[170], Content-Language=[en-US], Content-Type=[application/json], Connection=[Close], Date=[Mon, 09 Mar 2015 19:18:54 GMT], Set-Cookie=[JSESSIONID=0000zwXn8VhNWlZ78jN4yfMJQrU:-1; Path=/; HttpOnly]}
Please ignore the error 400. The REST API returns it because I am not submitting the RTC4WEB-NONCE field in the header. I get the same result when I use Postman in Chrome. With that value everything is fine.
You need to change your approach slightly:
1) Write a small Java class that wraps all the calls to Java objects, so you can call it with a simple JS call. It takes the "map an untyped JS variable to a typed Java method" guesswork out of the picture.
2) Don't use the HttpUrlConnection class. Either use the Apache HTTP Client, which is both available and has methods to set the header, or use the Social Business Toolkit, which has ready-made functions to connect to Sametime.
I have a REST service that requires passing an encrypted key as part of the path. I URL-encode the key and it works great when just placed in the browser. However, in my code I use WebRequest.Create, and that appears to replace any backslashes that are generated by the encryption key. This results in the service thinking that it is part of the route, and it fails with a 404. Is this a known defect in the .NET Framework or am I missing something? Seems like a pretty big deal.
Edit: (simplified sample code)
string key = System.Web.HttpUtility.UrlEncode(TripleDESEncode("sharedkey"));
string uri = string.Format("http://mydomail.com/deposit/{0}.{1}", key, "json");
// uri looks like this here: http://mydomail.com/deposit/FHnapfF5yBCEKt3%2f3YOQ5g%3d%3d.json
HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(uri);
// Now the address in the HttpWebRequest is this:
// http://mydomail.com/deposit/FHnapfF5yBCEKt3/3YOQ5g%3d%3d.json
Hopefully this helps.
OK, I ended up making a compromise with my client and skipped the encryption for straight serializing to base64. This was only acceptable due to the nature of what I am passing. Encryption will be required in the future, and I see this as a major problem that needs to be fixed, or at least a workaround proposed. If I come across one I will post it.
Thanks everyone!
Final code:
string key = System.Web.HttpUtility.UrlEncode(Convert.ToBase64String(Encoding.UTF8.GetBytes("sharedKey")));
Use the UrlPathEncode method when the value is part of the path, not part of the query string:
string key = System.Web.HttpUtility.UrlPathEncode(TripleDESEncode("sharedkey"));
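As an added example (not code from the question or its answers, and in Node.js rather than .NET), here is a path-safe alternative to percent-encoding standard base64: base64url (RFC 4648 section 5) contains neither "/" nor "=", so nothing in the segment needs escaping and there is nothing for a client to unescape back into a route separator. It uses the base64 ciphertext string shown in the question as its sample input; the bytes are whatever the 3DES step produced.

```javascript
// Added example, not from the question. The base64 string from the
// question; decoding it yields the 16 raw bytes it represents.
const SAMPLE_B64 = 'FHnapfF5yBCEKt3/3YOQ5g==';

// Standard base64 with "+" -> "-", "/" -> "_" and padding removed.
function toPathSafeToken(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inverse: restore the base64 alphabet and padding, then decode.
function fromPathSafeToken(token) {
  const b64 = token.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

// Check a service could apply before treating a path segment as a key:
// only unreserved characters, so no escaping or unescaping is involved.
function isSafePathSegment(segment) {
  return /^[A-Za-z0-9_-]+$/.test(segment);
}

// The question's URL shape with the path-safe token in the key position.
function buildDepositUri(bytes) {
  return `http://mydomail.com/deposit/${toPathSafeToken(bytes)}.json`;
}
```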