I am creating an MS Word add-in using the office.js library and React. I have implemented login using third-party authentication. I am showing the login pop-up using displayDialogAsync with displayInFrame:False.
I knew that the embedded browser for the Word add-in in my environment is MS Edge. I need to manually clear the cookies of the third-party authentication site, but I didn't find the cookie information in MS Edge DevTools.
I tried to find the required cookie info in Microsoft Edge browser -> settings -> cookies and site performance -> manage and delete cookies and site data -> see all cookies and site data. But the third-party authentication cookies are not available there.
Can anyone please help me figure out how I can clear the third-party authentication site cookies for the Office Word add-in embedded browser?
Note: I can find and clear the third-party cookies from MS Edge settings if I load the add-in in the Office Word web version.
Related
I want to create a simple VSCode extension that does a REST API POST of the contents of the editor window to a URL.
The issue is the URL is in a corporate environment behind a browser based single sign on sequence that requires multi-factor authentication with a hardware token and does multiple redirects when a user logs on normally through the browser. I'm not looking to circumvent this in any way, but simply authenticate the VSCode extension somehow so it can do the POST (and re-authenticating every session is fine, just not for every post).
The SSO authentication process seems to be fine with multiple windows in the browser, so e.g. you can log in in one window and then do, say, AJAX POSTs from JavaScript in another window to the REST API. So I kind of want VSCode to be considered just another window in that scenario.
I am thinking something like opening a browser window within VSCode itself to allow the user to manually authenticate, then somehow the session is maintained and VSCode can POST to the REST API URL when it wants?
Or perhaps triggering a window in an external browser for the authentication but then how would VSCode be authenticated to do the POSTS as the external browser would be a separate application.
Client OS is Windows 8 (corporate policy!) if that makes any difference. I don't have any access to modify anything on the server.
Any thoughts/suggestions welcome, thanks.
I'm currently working on a browser extension project for an affiliate marketing business. Affiliate marketing usually works by setting tracking cookies on click to identify the referrer in case an article is bought on the partner's website and rewards the referrer afterwards.
How can some browser extensions "activate cashback" or "activate affiliation" without the user having to go through a redirect page? How can they apply all the tracking cookies with no apparent redirection?
Options I considered:
Creating an API endpoint that would store an array of cookies set during the chain of redirection then applying them directly on the browser. Problem: some platforms use client script with URL matching to set cookies on landing on the partner's website.
Maybe it has something to do with form posting hack: https://stackoverflow.com/a/4702110/7576507
Furthermore, how can one know that the tracking cookies have been well set?
It seems that these browser extensions create a tab using a standard affiliate link without focusing it.
Once it is completely loaded (DOM, external scripts etc...), they close it and display on the main tab that tracking has been activated.
I'm trying to create an Outlook add-in using Angular 7 that can access all the users in my organization with Microsoft Graph API. In order to do that, I need to authenticate the current user and get an access token for calling graph API. I am planning to do the authentication using Single Sign On (SSO).
I read the documentation and didn't find any solution to my problem. My current add-in doesn't have a back-end, just a front-end.
This will only work with Office add-ins in Preview right now and requires you to have a server-side component and an Azure AD registered application. There are detailed steps on accomplishing that here for asp.net and nodejs. There are no examples with Angular, though, unfortunately:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins
We just went live with a new Website that's using Sitecore. In the last couple of days, we have heard users complain that they are seeing the Sitecore login page on the live website for the links they bookmarked or just randomly. We are using a load balancer with 3 servers behind that load balancer. Also, the authoring server is behind a firewall and the authoring interface is only accessible via VPN.
Any ideas/suggestions?
Thanks
Would it be possible to have a deny permission on the Sitecore shell directory for your main website? This way users cannot access Sitecore from your main website.
You can still have Sitecore enabled on your authoring server though.
This issue has happened to me a couple of times, and I figured out that at some point you must have logged in to Sitecore from that browser. Can the users try accessing your website from another browser? It should work fine.
I haven't been able to figure out why this happens though, maybe because of cookies.
Like techphoria414 said, opening the site in a new browser or clearing the cookies solves the problem.
But to add more detail to this, the cookie responsible for this is:
website#sc_mode with the value "edit" or "preview".
If the users with the problem have been editing the site or using the page editor mode, this cookie gets created. Even if they log out, sometimes the cookie stays there and when they try to access the live site, Sitecore answers with a 302 (redirect) to the login page because of this cookie.
They can either delete all cookies or simply this one.
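As an added example (not part of the answers above and not Sitecore code), the following JavaScript shows one way a live-site front end could spot the stale `website#sc_mode` cookie in a request and expire it instead of asking users to clear cookies. The function names, the sample header and the `Path=/` scope are assumptions.

```javascript
// Added example: detect stale "<site>#sc_mode" cookies (value "edit" or
// "preview", as described in the answer) and build headers that expire them.
const STALE_MODES = new Set(["edit", "preview"]);

// Constructed sample request header, not taken from a real site.
const SAMPLE_COOKIE_HEADER =
  "ASP.NET_SessionId=abc123; website#sc_mode=edit; theme=dark";

// Split a Cookie request header into [name, value] pairs.
function parseCookieHeader(header) {
  if (!header) return [];
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? [part, ""]
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Names of sc_mode cookies still carrying an authoring mode, de-duplicated.
function findStaleModeCookies(header) {
  const names = parseCookieHeader(header)
    .filter(
      ([name, value]) =>
        name.toLowerCase().endsWith("#sc_mode") &&
        STALE_MODES.has(value.toLowerCase())
    )
    .map(([name]) => name);
  return [...new Set(names)];
}

// Set-Cookie values that tell the browser to drop each stale cookie.
// Path "/" is an assumption; it must match the path the cookie was set with.
function expireHeaders(names, path = "/") {
  return names.map(
    (name) =>
      `${name}=; Path=${path}; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0`
  );
}
```

A browser only removes a cookie when the expiring Set-Cookie matches the Path and Domain the cookie was originally set with, so adjust those to what the authoring session used.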
I have been reading the developer blog on Facebook this morning and stumbled across this article saying that all Canvas pages are to use OAuth and SSL.
• an SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode)
• old, previous versions of our SDKs will stop working, including the old JavaScript SDK, old iOS SDK
Does this really mean that any application that has been created before this date will stop working? Am I really going to have to buy an SSL certificate for each application?
Yes, looks like it. They told developers on 11th May 2011:
Today, we are announcing an update to our Developer Roadmap that
outlines a plan requiring all sites and apps to migrate to OAuth 2.0,
process the signed_request parameter, and obtain an SSL certificate by
October 1.
Migration to OAuth 2.0 + HTTPS timeline:
July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
We believe these changes create better and more secure experiences for users of your app. A migration plan below outlines the potential impact on your apps.
From here:
Please Note: An SSL certificate is not required for user
authentication on your site, Likes, Comments or other things. It's
only used if you want to show your site (or parts of it) inside the
Facebook.com domain.
Once your SSL certificate is installed on your site, you'll simply
need to enter your new secure URL into the "Secure Canvas URL" and
"Secure Tab URL". To obtain and install an SSL Certificate, we've
partnered with The SSL Store in order to make the process as smooth as
possible. SSL Certificates that work with Facebook can be purchased
for as little as $11/year (multi-year) or $18 for just one year.
Purchasing a certificate through The SSL Store takes about 10 minutes
and they have a 30-day money back guarantee.
Below are instructions on how to purchase a new SSL certificate for
your site so that you can use the Facebook Page features without any
issue.
It does seem that you need to have one, and not one per app.