Use [Authorize] with Blazor server - facebook

I've looked just about everywhere and tried everything I can find but cannot for the life of me figure this out.
I'm using the default Visual Studio Blazor Server template and using Facebook Authentication.
I need to filter out my controller using the [Authorize] tag and use the UserId for filtering of Data.
Using a normal Blazor Control a call to the Controller returns HTML telling me to log in, although the user is already logged in. Removing the [Authorize] tag allows the application to run as expected.
Calls directly to the Controller through the URI after logged in work as well.
I can see the Authorization Request header is not sent from the Client.
I tried to set the tokens in _Host.cshtml, but await HttpContext.GetTokenAsync("access_token") returns null.

Related

Yousign API: How to know if a procedure has been completely signed?

I'm using Yousign on my onboarding process to make my users sign a contract before accessing my application.
To achieve that:
On the YouSign UI, I manually create a new procedure from a template and copy the signature link (I get a URL like https://staging-app.yousign.com/procedure/sign?members=/members/a8xxxxxx)
I copy that link on my user account
When the user logs in, I open a modal and display the signature procedure in an iframe
When the user has signed in the iframe, I redirect them to a webpage where I trigger an event that closes the modal.
At that stage, when the modal closes I'd like to check through a backend API call to YouSign API if the procedure has been fully signed.
But I can't find anything to do that in the API.
It seems I could use the GET /procedures/xxx method, but the Signature link does not contain any procedureID, only members IDs.
And there is no GET /members/xxx method, so I can't retrieve any procedure from there.
The use case of checking if a document has been signed seems pretty common for an e-signature API, so I'm probably missing an obvious solution.

Keycloak URL fragments do not disappear when logged in

Keycloak inserts session_state, state and code as URL fragment params. Sometimes after a successful login these remain in the URL.
</gm_replace>
<gr_replace lines="35-39" cat="clarify" orig="with more tests">
With more tests I narrowed the issue down to occurring when
anything on the keycloak instance is touched, e.g. keycloak.token
any function call of keycloak is invoked... then after that these params get added and removed for every URL route thereafter,
e.g. await keycloak.updateToken()
Keycloak Server and js lib version: 9.0.2
Or, when alternate routes are clicked in the app, these appear again.
Unnecessarily exposing the internals of keycloak params to users.
Is there some solution to not have these appear or delete them?
e.g. http://localhost:3000/home/#state=e625140e-c4f9-4500-858e-32c80e89f8a9&session_state=445229c3-d7eb-46e9-bfba-3339253dd17e&code=af0abde4-a60d-4f34-a101-8db5c76546b9.445229c3-d7eb-46e9-bfba-3339253dd17e.59915134-a59b-4ffb-878a-d02e7e84f2dd
Update:
with more tests narrowed down the issue to occur when
anything on the keycloak instance is touched. e.g. keycloak.token
any function call of keycloak is invoked... then after that these params get added and removed for every url route thereafter...
e.g. await keycloak.updateToken()
Keycloak Sever and js lib Version : 9.0.2
It is not a Keycloak issue. That's how the login flow you use works (maybe you need a different flow which is more suitable for your use case). Your app code (the OIDC/OAuth library used) should "clean" the URL fragments. Cleaning can be: exchange the code for the token (in this particular case), remove URL fragments, clean browser history, etc.
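The "remove URL fragments / clean browser history" step from the answer above, as an added example that is not part of the original thread or of keycloak-js: a helper that strips the OIDC response parameters (code, state, session_state, plus the standard OAuth error parameters) from the fragment after the client library has consumed them, then rewrites the address bar with history.replaceState so the authorization code does not linger in the URL or the history. The parameter list and the keycloak instance name are assumptions.

```javascript
// Added example, not from the original post. Response parameters an OIDC
// redirect can leave in the fragment; "error"/"error_description" are the
// standard OAuth error-response parameters (assumed list, extend as needed).
const OIDC_RESPONSE_PARAMS = ["code", "state", "session_state", "error", "error_description"];

// Pure helper: returns the href with the listed fragment parameters removed
// and the values that were removed. Other fragment segments (e.g. a hash
// router's own "tab=2") are kept verbatim, in their original order.
function stripOidcFragment(href, paramsToStrip = OIDC_RESPONSE_PARAMS) {
  const url = new URL(href);
  const removed = {};
  if (!url.hash) return { href: url.toString(), removed };

  const kept = url.hash.slice(1).split("&").filter((segment) => {
    const name = segment.split("=")[0];
    if (!paramsToStrip.includes(name)) return true;
    removed[name] = decodeURIComponent(segment.slice(name.length + 1));
    return false;
  });

  // Setting hash to "" drops the "#" entirely (WHATWG URL setter behaviour).
  url.hash = kept.length ? "#" + kept.join("&") : "";
  return { href: url.toString(), removed };
}

// Browser side: call this once the library has finished the code exchange
// (e.g. after keycloak.init() resolves, "keycloak" being the app's instance).
// replaceState rewrites the current entry instead of pushing a new one, so
// neither the address bar nor the back button retains the code/state values.
function cleanAddressBar() {
  if (typeof window === "undefined" || typeof history === "undefined") return null;
  const result = stripOidcFragment(window.location.href);
  if (result.href !== window.location.href) {
    history.replaceState(history.state, "", result.href);
  }
  return result;
}
```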

.HttpContext.User is null after successful login from SAML Identity Provider?

Trying to retrofit an old webforms application.
Got my configuration working so that it's prompting for login and successfully redirecting back to the application. The folks that manage the IP can see the response is generated.
However in the callback to my application the User is null. I'm told if it's configured correctly it should be populated.
We have a custom IHttpModule, and that is where I can see the call to /Saml2/Acs getting hit with the User not populated. I think this may be expected, as the handler for that is supposed to populate the User, I think? However, the following call (the returnUrl configured in sustainsys.Saml2) still has no User, and I don't see any sort of error or anything.
Anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get some more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web config.
The comment in the example was
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule
However, in my case I had another authentication module involved that needed to go last.

Docusign Embedded Signing returnUrl issue

I am displaying an Embedded Signing view in an iFrame. I am able to get the embedded signing view to display correctly using templates. I am calling an internal service (server-side) from the client (browser) and the internal service calls the Post Recipient View endpoint in the Docusign API.
In order to redirect the user to the correct view in my web app after the Signing view redirects to the returnUrl, I need to have query string parameters on the returnUrl. Here is an example of the returnUrl:
{
    ...
    "returnUrl": "http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz"
}
I am using the sname query parameter to hold the value for a string I will use to route to a view once the user is redirected from the Docusign Signing view.
The Problem:
When the iframe is redirected to the returnUrl after the Signing view is complete, the query string in the returnUrl is cut off and the URL of the iframe is:
http://localhost:5000/#/my/path/redirect?sname
when it should be
http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz
I also read in the api documentation that an event parameter should also be present in the query string when redirecting, but that is not there either.
Is there a step that I am missing or is this a bug in the api?
I've tried a few tests using Postman and the resulting returnUrl is working for me. I even tried using yours directly (even though I obviously won't be able to connect to it) and it came up correctly as
http://localhost:5000/#/my/path/redirect?sname=MY_VALUE&debug=foo,baz&event=signing_complete
I even tried using an iframe for the signing session like you, still seems to be using the right URL when it redirects. So I've not been able to replicate your problem.
Are you attempting this in the demo environment?

App with no DB: You must call the "WebSecurity.InitializeDatabaseConnection" method before you call any other method of the "WebSecurity" class

First things first. I'm a complete OAuth newbie. This will be my first stab at it, and things are getting hairy...
I'm writing a single page application using Durandal & Web API.
The user needs to be able to login using any social network.
I don't have access to a database whatsoever, I have to call an unprotected 3rd party web service which I consume server-side, and need to protect using OAuth.
So I've managed to add the files to my solution which generate the login using the facebook control/button (created a new MVC4 web application, and did a manual copy and paste of all the auth related files, updated bootstrappers etc.), and the code seems to work for the most part.
When facebook redirects back to
[AllowAnonymous]
public ActionResult ExternalLoginCallback(string returnUrl)
{
    // Completes the handshake with the external provider (Facebook) that the
    // ExternalLogin action started; fails if the provider rejected the request.
    AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(this.Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
    if (!result.IsSuccessful)
    {
        return this.RedirectToAction("ExternalLoginFailure");
    }

    // Looks the (provider, provider user id) pair up in the configured
    // membership provider and signs the local user in if it is known.
    if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
    {
        return this.RedirectToLocal(returnUrl);
    }

    //code removed for brevity ....
}
I get the error specified once the following line tries to execute.
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false)
I've removed the [InitializeSimpleMembership] attribute from the controller, as I don't have a database.
Please forgive me if this is the dumbest question ever, but...
Why does the login fail? I mean, at that point, isn't the app trying to log into facebook? Why does it need a database? Or am I correct in saying I can remove/replace that code section with a login/authorise call on the web service I'm using?
Not the dumbest question ever. Not by a long shot. But you are getting the error because your membership provider is still set to use the SimpleMembershipProvider and OAuthWebSecurity will use the default membership provider. If you don't want to use a database you will have to create or find a different membership provider to use.
EDIT:
I know you said you don't have access to a DB, but if you can use SQL Compact you can just stick with the default SimpleMembershipProvider (check out Hanselman's blog), or DevArt has a SQLite provider. Also the MemFlex Project has a RavenDb provider. If none of those work I think you might just have to write your own.