I have found a potential bug with Sign In with Apple.
When I configure Sign In with Apple, under Domains and Associated Email Addresses I add the app's domain but gives me the error -
There is a problem with the request entity
Domain name is invalid
The domain is online and working with a valid SSL cert using Let's Encrypt.
Anyone else experiencing this issue?
Tried adding/removing the www. and adding a following slash /.
Related
I am working on an existing OAuth system in my office.
The previous engineer left and I am not really experienced in this OAuth system.
So I read a few documents about OAuth. I see that my office, as the OAuth server
is getting a redirect URL upon getting auth code from the client.
Then I see a validation which preventing a single character in the redirect URL.
Example:
https://m.clientname.us/oauth/redirect
https://pre.m.clientname.us/oauth/redirect
Number 1 would pass, but 2 does not
Do you guys think there is a reason the previous engineer making this validation? Is there a standard about it not to put a single character like sample number 2? Thank you
I'm not sure what you mean by "single character", but the redirect URLs that your authorization server allows should absolutely be whitelisted to only registered redirect URLs. Any added subdomains or paths should cause the request to be rejected. Otherwise, an attacker can craft an OAuth request that looks valid to the end-user, but actually redirects them (with the authorization code) to their server.
I have an application that can send HTTP requests (It uses Alamofire to achieve this). The problem I have is that the URL I'm using isn't secure, it is our company API for connected devices.
At the moment the user has to manually visit the API and trust it, then add a random certificate to keychain... Not very elegant.
I've created my own SessionManager : Alamofire.SessionManager and used .disableEvaluation on the URL, it is listed in the info.plist under App Transport Security Settings -> Exception Domains. All correctly formatted to the best of my knowledge. None of it prevents to user having to manually visit the site to trust it.
Anyone got any ideas?
In my trial account, in US South, I created a Single Sign On service and bound it to an application and now am trying to go back into it and I got this page-
Forbidden
The resource you have requested is secured by Access Manager WebSEAL.
Explanation
There are two possible reasons why this message appeared:
You are not logged in to this secure domain.
You are logged in to this secure domain, but do not have the correct permissions to access the resource.
Solutions
You have an account for this secure domain but need to log in: You must first access this resource via HTTPS (SSL) and login to the secure domain. Re-access the page using HTTPS.
You do not have an account with this secure domain: Please contact your Account Administrator to obtain login and password information.
You are logged in but still denied access to the page: If you continue to get this message, you probably do not have the correct permissions to access the resource. Please contact your Security Administrator for assistance.
This happened yesterday afternoon too.
I was able to click on the Single Sign On service earlier today and update the Logout url and now I'm getting this message.
I tried stopping the app and then restarting and still can't get in.
Any help would be appreciated.
Thanks
This is an odd case. The error message indicates there is problem with your account. You were not authenticated successfully to the secure domain. I see another similar case in which the person's account does not have user's name in it. So you might want to check your account profile to see if any required
information like family name, given name, etc is missing.
I just tried now and am able to get into the Single Sign On service I have bound to my app, so not sure what was wrong the other day. I did not make any changes to my account either.
Thanks for the response though.
Facebook recently changed the security settings on Account Configs, now there is no more an option to force, or not, an application to use HTTPS protocol.
Therefore, it isn't possible to do a App without a SSL key. Previously we could just don't fill Secure Canvas URL field, and access the canvas app through the HTTP protocol. But now, without the option in the security user config, the facebook app keeps redirecting to the HTTPS protocol.
So, there is some workaround for this ?
As CBroe says, you need SSL.
There are 2 things you need in my opinion:
A webserver with SSL.
IF you're in OSX and you run Apache, this tutorial really helps:
http://blog.andyhunt.info/2011/11/26/apache-ssl-on-max-osx-lion-10-7/, plus you might want to add your certificate as a trusted (root?) certificate, or certificate authority. (I'm not very well versed in this)
The only caveat I found, specially for Chrome, is that when you're generating the Certificate Request File, under Common Name place "localhost" or the host you're using for development. This last caveat should be similar in Windows, since it's a browser requirement that the certificate common name matches the actual host. Browsers like Firefox allows you to permanently trust a certificate, thus avoiding all the certificate installation on the OS and trusting.
A proxy app
proxy-like app to act as a man in the middle and decode the encrypted information, in order to see the actual requests and response being sent and received from the server. There should be other software, but the one I use and love is Charles Proxy, which can do this and tons more.
Hope it helps!
Web Servers have settings by which you request client certificates - for eg. SSLVerifyClient require in Apache, a different setting in IIS etc. If this is set, then the browser throws up a dialog asking you to chose a certificate.
Is it possible to ask for a certificate dynamically? i.e. I am really not interested in 2 way SSL - however, I want to ask the user to register his certificate with my application which will be used in a different context. So I need to let the user chose one of the certs registered in his browser and access the cert in my application. How do I do this?
Is this possible at all?
I have figured out one way to do this - I have a upload link in my application - this points to a Virtual Directory which has Client Side Authentication required property. So when the user clicks on the link - it triggers a SSL Renegotiation. The browser throws a dialog which lets the user chose from the registered certs. Once he chosen the certificate, SSL renegotiation happens and the I can access the cert in the application. The SSL renegotiation ensures that the user has the private key corresponding to the Cert.
If there any problems with this method or if there is a better way to do this, I am most certainly interested in doing it.
Also, I am currently doing this in IIS - but I think something like this should be possible in most other webservers also.