We have run into a problem using aspnet core 2.2 with Facebook WebView (https://developers.facebook.com/docs/messenger-platform/webview/).
The issue occurs only in desktop browsers using chat function in messenger.com or facebook.com.
We have developed a chatbot and there are buttons in the conversation. When the user click that button a WebView shows our webpage.
This webapplication is an aspnet core mvc webapp (hosten in Azure App Service) where a controller action at server side creates a cookie and writes it into the Response.
var cookieOptions = new CookieOptions()
{
IsEssential = true,
Expires = DateTime.UtcNow.AddYears(1),
};
Response.Cookies.Append("COOKIE_NAME", "cookievalue", cookieOptions);
When this page loaded from a Facebook WebView (from a FB chatbot) the cookie created above (on server side) is missing.
In the aspnet core web project Startup.cs cookie middleware is configured like this:
public void ConfigureServices(IServiceCollection services)
{
...
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => false;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
app.UseCookiePolicy();
...
}
What I've tried:
if the same cookie inserted from client side javascript, the cookie is available in Facebook webview.
document.cookie = "COOKIE_NAME=cookievalue";
Same scenario works correctly using asp.net fwk 4.7.2 and Facebook webview.
from a mobile app (messenger) it works as I expected, cookie available
I think the problem source could be in the WebView, because the page works perfectly when loaded from a normal browser – not from WebView (Chrome, IE, Edge, FF, Safari, etc), both cookie (server and client side created) are available.
What could be the problem with scenario using aspnet core 2.2 and Facebook WebView?
Thanks for helping!
At the end I found the problem. The chrome's cookie policy settings changed: https://www.google.com/chrome/privacy/
Thats why I run into the problem above.
Solution:
I have to change these cookies samesite settings to 'SameSiteMode.None'.
var cookieOptions = new CookieOptions()
{
Secure = true,
SameSite = SameSiteMode.None,
IsEssential = true,
Expires = DateTime.UtcNow.AddYears(1),
};
Related
I have installed an IdentityServer4 and a Client (Hybrid Mvc Client). All is ok. The following flow works:
1. User call secure page PageX (the controller is protected with Authorize attribute)
2. than system redirects the flow to Login page on IdentityServer
3. After authentication/authorization the IdentityServer redirect the user to url defined (redirect_uri) in the client configuration (page named Home) .
Now i don't know how to implement at the step 3 the redirection to PageX, the original page requested.
I have to create a custom AuthorizeAttribute to save on session storage the url of PageX and than using it in callback page? or is there any configuration on IdentityServer or client that could help me?
Thanks in advance
This is typically what you’d use the state parameter for. Your callback will receive the state value back unaltered and then you can verify the URL within is local and redirect to it automatically.
I’d recommend protecting the value from tampering using the DataProtection features in .net.
After successful login, by default the IdentityServer middleware tries to redirect to a consent page where to inform the user for the "allowed scopes". In this page are shown the claims that the client mvc site will receive access to: user identifier, user profile, email etc.
If you didn't setup such, you may set: "RequireConsent = false" when you define your MVC client. In such scenario the IdentityServer will redirect back to "RedirectUris" without showing consent page.
Example:
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientId = "mvc",
ClientName = "mvc Client",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email
},
RequireConsent = false
}
};
}
The other thing that I've noticed in the IdentityServer4 demos and quick starts is that you need the following NuGet packages:
For client website:
IdentityModel,
Microsoft.AspNetCore.All
For IdentityServer Authentication app:
IdentityServer4,
IdentityServer4.AccessTokenValidation,
IdentityServer4.AspNetIdentity,
Microsoft.AspNetCore.All
You may install these packages just to get the demo working.
Testing on desktop works fine, the various provider's popups come up. On mobile device however with each provider a new browser window opens, but the address is the non-customized hosting URL of the firebase app and the sign-in flow halts.
Originally the Firebase documentation advises the non custom hosting URL to be used in the redirect URLs. I changed those for all providers to the custom one: https://valleydevfest.com/__/auth/handler instead of https://valleydevfest-620d6.firebaseapp.com/__/auth/handler (for both Facebook app, Twitter app and my Github app too). That didn't help at all and the mobile Chrome still redirects to some https://valleydevfest-620d6.firebaseapp.com/... address, which either halts loading or it loads a very broken version of the website (instead of the OAuth login).
Most relevant code:
var signIn = function(providerId) {
var provider = getProviderForProviderId(providerId);
var that = this;
return this.auth.signInWithPopup(provider).catch(function(error) {
...
https://github.com/gdgfresno/valleydevfest/blob/develop/scripts/helper/firebase.js#L43
How can I overcome that?
(Whole source of the app: https://github.com/gdgfresno/valleydevfest/tree/develop)
I am using Worklight 6.0 and in this case testing with iOS7.
I'm trying to setup saml 2.0 SSO with Worklight and I seem to have succeeded, but I don't know how it works... At first, I have my app attempt to access my url like this:
WLJQ.ajax({
url: 'url.com',
type: 'GET',
xhrFields: {
withCredentials: true
},
success: function(data, status, xhr) {
console.log(data);
},
error: function(result) {
console.log("error");
console.log(result);
}
});
The request goes to success and returns me the url of the login page, which is correct because I haven't authenticated yet, but it does not display the login (as I intended).
Next I click a button to display a Native page (iOS) which is a UIWebView of url.com. This displays the login page via:
WL.NativePage.show('LoginController', backFromNativeLoginPage, params);
I log in successfully and see the contents of url.com that I expect. Then I return back to the non-native app via:
[NativePage showWebView:0];
Now that I'm back in the non-native code, I sent the same request above and I expect for it not to return the contents of url.com, but rather the login page because I have no headers attached to my request and I think the non-native code shouldn't have any knowledge of the cookies I may have made in the UIWebView.
My question is how does this work? Does my non-native part of worklight have knowledge of all the cookies that were created in the native code's UIWebView?
Let me start by saying my answer is partly based on speculation, but I think this is whats happening:
Since your Native page is using the a WebView and Cordova is also using the WebView, any headers and cookies that your Native page is using will be visible when you return from native since cookies are shared across differet UIWebViews.
If your native page was using the native URL request methods or some third party / open source mechanism for connecting to your backend server, then I would think that your non-native page would not be able to see the headers and cookies.
I am using ASP.NET MVC 4 Mobile application, in which I am trying to redirect to an external website. However its failing with "Error loading page" message.
public void RedirectToGoogle()
{
Response.Redirect("http://www.google.com");
}
Also I see the following script in _Layout.cshtml which is created automatically while creating the application.
<script>
$(document).bind("mobileinit", function() {
// As of Beta 2, jQuery Mobile's Ajax navigation does not work in all cases (e.g.,
// when navigating from a mobile to a non-mobile page, or when clicking "back"
// after a form post), hence disabling it.
$.mobile.ajaxEnabled = false;
});
</script>
I tried changing $.mobile.ajaxEnabled to true, but no success.
Any thoughts on how to do url redirecting in ASP.NET MVC 4 Mobile application?
Response.Redirect is for WebForms and uses the WebForms page lifecycle. For MVC you should use return Redirect("http://www.bing.com");
I've reproduced the problem on ASP.NET MVC 4/Beta with a mobile project. It's a CORS (Cross Origin Resource Sharing) issue. See http://www.webdavsystem.com/ajax/programming/cross_origin_requests
Use the F12 developer tools to Fiddler to see the problem.
EC7118: XMLHttpRequest for http://www.bing.com/ required Cross Origin Resource Sharing (CORS).
localhost:52137
SEC7119: XMLHttpRequest for http://www.bing.com/ required CORS preflight.
localhost:52137
I have developed a Facebook app using the C# SDK and it is working fine. Now I want to also enable it on mobiles, so I tried to set the "mobile url" to the same one as my canvas url (which is a cloudapp.net address). However, when I try to access it from a mobile, it seems to go into a redirect loop involving my canvas url, the apps.facebook url and the m.facebook/apps url. Sometimes it goes out of the loop and I get the facebook error message saying : "the mobile version of the app is unavailable because it is misconfigured. It appears to be caught in a redirect loop."
I think it may have to do with the fact that the facebooksettings in the webconfig file specify that my cloudapp page should redirect to the apps.facebook.com page, which then redirects to the mobile url and so on. Can someone tell me how to solve this problem - I just want my mobile url to be the same as my canvas url.
Thanks.
If the request is from mobile add extra logic
For v6,
var fb = new FacebookClient();
var desktopLoginUrl = fb.GetLoginUrl(new { .... });
var mobileLoginUrl = fb.GetLoginUrl(new { ...., mobile = true });
For v5,
var urlBuilder = new UrlBuilder(oauthClient.GetLoginUrl(...));
urlBuilder.Host = "m.facebook.com";
var loginUrl = urlBuilder.Uri;