I want to add a button in my Firefox web extension to let users make a payment with PayPal directly within the extension, problem is that if I try to use the Client-side REST integration, Firefox complains
Content Security Policy: The page’s settings blocked the loading of a
resource at self (“script-src”).
even if I add "content_security_policy": "script-src 'self' https://www.paypalobjects.com/api/ https://www.paypal.com/; object-src 'self'" to the manifest (and moving the inline script to a separate js file).
So I tried Server-side REST integration, looking at the API I have to create a payment specifying a redirect url where users will be redirected when they give the authorization, but if I try to set an extension page as the redirect I get unsafe:moz-extension://extension_id/extension_page.html?token=XX-1XX23456XX789012X and after the the authorization (I tried with the sandbox profile) it doesn't open the page. Is there a way to make the extension "catch" the redirect page as it does using the identity.launchWebAuthFlow, or any other way to do what I'm asking for? Thanks.
Related
we have an OutSystems Mobile App (PWA)
We would like to add Azure AD SSO
We have tried Idp Mobile, but it is not for PWA
We have tried to embed in an iframe the login to login.microsoftonline.com, but it is not framable (CSP)
So we tried to follow this doc: https://learn.microsoft.com/it-it/graph/auth-v2-user
but again the html returned by the authorize api is not framable :(
is there a solution?
thanks
AAD does not permit framing of pages where credentials are entered as it requires user interaction. When you try Azure Active Directory (AAD) login page inside an iframe, you may go through errors due to defensive measures taken by AAD to prevent malicious attacks.
Some workarounds you may possibly try which may work in few cases.
Make sure reply urls set are same everywhere in app and in portal.
AAD has headers set to prevent their login page from being displayed in a frame.
prompt parameter indicates the type of user interaction that is required.Try setting it to none which means user interaction not required(if it is ok in your case).It is optional parameter added in login url in the iframe (&prompt=none).
Also &domain_hint={userdomain.com} is added at the end or url request where {userdomain.com} is the last part of the user's email address - e.g.user#userdomain.com > OAuth 2.0 authorization code flow | Microsoft Docs
Try to close and test few times to make sure it works and then login with work account in edge or chrome browser.(or from https://portal.office.com)
Reference:
aad-iframe | nafis.dev
The instructions from Janrain for social login provider setup conflict with the hint within the error message from the Facebook https response. Details follow.
Error screen when testing Facebook from Janrain; note that same error happens in any browser such as Firefox, Chrome if you test the sign-in widget.
Error Text from Facebook:
App domains must match the domain of the Facebook Web Games URL (https), Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Please correct these domains: (snip).
Based on the hints from the Janrain Facebook Provider Setup wizard, I have set the website to the URL on rpxnow (i.e. definitely not my web site).
What URL(s) should then be entered into Basic and/or Advanced Settings such that Facebook can process the login? I have tried using the rpxnow URLs and my own web site URLs. Either of 2 things happens regardless of whether I include https:// or start from the subdomain of any combination of names. Either Facebook will not save the details on Basic App Domain and gives the above error, or Facebook will save the details but then gives the error in the first screenshot above.
I do not see how this can ever work because Facebook wants a match on the domain and rpxnow will never be the domain that I use to invoke the sign-in.
For completeness, I will show my Facebook settings, so it will be obvious that they do not match the current Janrain Setup Guide for Facebook.
Basic Settings
Is the Namespace relevant? Better to leave blank? Does it need to match something within Janrain?
Advanced Settings
I could believe that something has to be done to allow cross-domain access. Does anyone have this working with a new Janrain account (3 weeks old) and a new Facebook developer account (old Facebook account, new developer app)?
Replying as an answer so I can attach a picture.
I have a feeling this might be something to do with Facebook's impending changes to their app security (https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/ ). It appears that you need to add the Valid OAuth redirect URI for any new API v2.11 apps now (not after March). We were already planning to address this before March but we will have to update sooner.
For your Facebook app you will have to set up the "Valid oAuth redirect URIs" similar to the following screen shot, just replace "pbjanraintest" with whatever your Engage app name is:
Sorry for all the trouble you have had. It's hard to keep up with these providers when the messaging doesn't align with what their apps and api's are actually doing.
I just received the same error this week. Leave off the https:// in the OAuth redirect URIs box.
I'm trying to build a "RSVP to this event" action using the Facebook JS SDK.
All of our sites run on multiple subdomains (event1.example.com, event2.example.com) and I'm trying to setup a single Facebook app that will allow people to RSVP.
Ideally I'd like to be able to specify wildcard subdomains in the Valid OAuth redirect URIs settings, but Facebook doesn't seem to allow that.
Previous StackOverflow answers said that either just putting in the top-level domain or leaving that field blank would work (for example), but I always get the This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings error.
Frustratingly, we shouldn't need any sort of redirect callback to the server. I just want a short-lived token to post the event RSVP which should be possible client-side only.
Is there any way to accomplish this?
The options I can think of...
One app per subdomain We have 100s of subdomains, so creating Facebook apps for each isn't going to work (plus that's a manual process)
List all subdomains as redirect URIs it appears Facebook has a limit on the number of redirect URIs, plus this is also a manual process - there's no API endpoint for adding these
Set the redirect URI via JS to our root domain and then just ignore the callback - this seemed promising, but calling FB.login with a redirect_uri param gave an error: When using FB.ui, you should not specify a redirect_uri. Is there a way to do this without FB.login?
Somehow let Facebook know we don't care about those redirects at all -- is there some other way to request permissions and make a JS API call without needing the oauth redirect?
Thanks in advance for any insights...
I don't think so that there is a way you can login through Facebook on multiple domains, but there is a proper work-around to implement sign-in on multiple domains it's called Single Sign On:
See:
https://www.sitepoint.com/single-sign-on-explained/
https://github.com/cubiclesoft/sso-server
We could use one specific sub domain/main domain itself to handle the facebook authentication
Every time pass the state which includes subdomain redirect uri so that need not to adding sub domains to redirect uri list
Everything I have read (e.g. https://api.slack.com/docs/oauth) makes it seem as though I can only build an app that integrates with a Slack team I manage. E.g. I have to create my Slack Client ID .. etc ... and then I can oAuth users for my team.
What I want to do is allow my app's users to login to my app using their Slack login (for their Slack team I do not control or have access to.) I don't want to force my users to generate a Client ID to use my app. I want them to login the same way Google Login or Facebook Login works.
The closest thing I have found is a "login with slack" HTML button, but I'd like to do it in iOS using Swift.
Is that possible?
Sadly, that's not possible. For google or facebook, the way authentication works is that they provide you a mobile API which handles the communication between your app and their web service. So you task is simply adopt that API, make simple function call and retrieve information for user from the API. For example, the facebook button is provided by the API.
However from a look at slack site, they only have RESTful API documented. So in this case, you have to handle the passing and storing of parameters by yourself, and send HTTP request manually. You can have a look at Alamofire framework, which is the best choice for making HTTP request. Basically, you have to send needed parameter with the specific url though HTTP request to perform a log in action, and you have to parse the respond data and then see if the login is successful or not, etc
Thanks to some help from friends it looks like the answer is yes.
You must first make sure you "Distribute App"
Then set up the permissions you require and "install app" (which is a bit not "smart" since you can accidentally add conflicting permissions and get an error when trying to install).
Once that is done you will get an Auth Token and can make requests for any user to login using oAuth.
You can also trigger a sign in request like so:
https://slack.com/oauth/authorize?client_id=[client id]&scope=identity.basic
Edit: For future Googlers, Slack now also provides a specific documentation page for this type of OAuth grant/login: Sign in with Slack
I'm building a Page Tab application that will allow Facebook users to make purchases through our client's FB page directly. In order to do that, once the user arrives at checkout, it must be authenticated and the user must be logged in in order to obtain their e-mail address.
However, when I try to authenticate the user via the URL:
https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=REDIRECT&scope=manage_pages%2Cemail
Instead of staying within the iframe, it redirects the entire Facebook page, making it impossible to easily authenticate the customer and continue on to checkout.
I'm referencing a similar app that does exactly what I need, but they seem to be using FBML which, to my knowledge, is being deprecated in 2012. If using this URL is an incorrect way to authenticate a customer in a Page Tab app, what would be the proper way to do this without the use of FBML?
Why are you using authentication dialog via that URL? How about using javascript SDK function, FB.login() instead?
http://developers.facebook.com/docs/reference/javascript/FB.login/