I have some working code that I have been using on a test O365 site- it works perfectly. I can authenticate, and pull data using the sharepoint client object model.
On another site, that was migrated from BPOS, claims based auth fails. Specifically, in the SAML token for the working site the structure is like this:
<wst:RequestedSecurityToken>
<wsse:BinarySecurityToken Id="Compact0">bunch of token stuff here</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken>
On the site that does NOT work, this section looks like this:
<wst:RequestedSecurityToken>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SKI>stuff in here</ds:X509SKI>
</ds:X509Data>
<ds:KeyName>microsoftonline.com</ds:KeyName>
</ds:KeyInfo>
<CipherData>
<CipherValue>lots of stuff in here</CipherValue>
</CipherData>
</EncryptedKey>
</ds:KeyInfo>
<CipherData>
<CipherValue>Loads more stuff in here</CipherValue>
</CipherData>
</EncryptedData>
</wst:RequestedSecurityToken>
This is really different! The surrounding areas look pretty much the same as far as I can tell.
What is this telling me? That authentication has failed? The claims auth code I am using is dependent on the 'BinarySecurityToken', so this is why it fails- its not there.
Is there some sharepoint setting I need to tweak? Contact MS support? Anyone?
It's an encrypted response using a KEK (Key Encryption Key). You'll need the public key of the sender to decrypt the EncryptedKey. That lets you use that key to decrypt the CipherData which is what you're after I would think.
Related
I have a simple API that return Something for a given ID and it must be used without any kind of authentication, the URL should be permanent and yet I want to avoid as much as possible it to be botted.
The Url is something like this:
https://url/{SomeId}/doSomething
The problem is that this is very predicable and a bot could easily try all the ID and get everything associated to it.
I'm looking for a way to make the URL non predictable like for example:
https://url/{SomeId}/doSomething?Key=SomeVeryLongCryptographicKey
In this way except if you run a supercalculator you shouldn't be able to deduce all the URLs
I know that there is probably a lot of ways to do that, like using a DB which I want to avoid.
I guess I'm looking for a kind a JWT associated to the ID without expiration but maybe there is better solution.
Edit: to give a better example i'm looking to do a bit like did Zoom for permanent invitation Links. They had predictable room Ids and they added a password making it unpredictable lie so:
https://us05web.zoom.us/j/132465789?pwd=SUxIU0pLankyhTRtWmlGbFlNZ21Ndz08
What would be the best/light/"secure" way to achieve that ?
Also I'm using .Net if there is a library doing that, it would be great.
I think your idea of using a JWT makes the most sense. Better to use something standard from a cryptographic point of view, and the JSON format allows for encoding whatever you need to provide to the receiving endpoint (user names, entity names, entity IDs, other things).
There are standard Microsoft libraries for building and validating JWTs, but I prefer the library Jwt.Net (https://www.nuget.org/packages/JWT). It lets you do something like this quite easily:
var token = JwtBuilder()
.WithAlgorithm(new RS256Algorithm(publicKey,privateKey))
.AddClaim("uri", String.Format("https://example.com/api/{0}/{1}", entityName, entityId))
.Encode();
Just add whatever claims you like, and the JWT will then contain what you want to transfer (I've used an example of the URI that you want to give to the entity) and a signature with your private key. You could even just give a URL like https://example.com/from_token/eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1cmkiOiJodHRwczovL2V4YW1wbGUuY29tL2FwaS90ZXN0RW50aXR5LzEyMzQifQ.K2P4wSF6g1Kt-IHMzlklWTV09_MIkoiNHQztSIYOohmOWe7aBfFSQLIKSbdTECj9XPjNNG_AjH9fdjFglkPuYfr2G9rtl2eh5vTjwdM-Uc0X6RkBu0Z2j7KyMKjkaI3zfkIwhtL1mH873xEBtNOGOW18fuBpgnm8zhMAj1oD3PlDW8-fYBrfLb6VK97DGh_DyxapbksgUeHst7cAGg3Nz97InDPtYcWDi6lDuVQsj3t4iaJBRL8IM785Q8xjlHHhzdfcX3xU4IhflyNHHXxP56_8ahNNMOZKWdwgbTSIxEEB98b3naY3XknC-ea7Nc1y4_5fszrYdy3LaQWV43jpaA
and have the handler decode the entity name and ID you want to retrieve directly from the URI while verifying the signature. Decoding with the library is just as easy:
var json = JwtBuilder.Create()
.WithAlgorithm(new RS256Algorithm(_key))
.MustVerifySignature()
.Decode(token);
I've been using Doorkeeper in a Ruby app and I have an AccessGrant (AccessCode) which is being exchanged for an AccessToken in an OIDC flow
Given I am using the default encoders/decoders, I am wondering if there is any structure to the AccessGrant(code) and if its possible to peek into its contents ?
Tried to UUDECODE, Base64/Base64URL Decode, read the source code and still cannot figure out any structure to it
I'm trying to build a simple payment flow using Bluesnap. Currently I've been able to capture the users billing information using Hosted Fields, and then saved it to a "Shopper" in bluesnap. Now I'm trying to use the same Shopper to create an order (https://developers.bluesnap.com/v8976-Extended/docs/create-order), but I can't get it to work.
I'm sending this:
<order>
<ordering-shopper>
<shopper-id>
--Shopper ID--
</shopper-id>
<web-info>
<ip>127.0.0.1:61106</ip>
<remote-host>www.merchant.com</remote-host>
<user-agent>Mozilla/5.0 (Linux; X11)</user-agent>
</web-info>
<fraud-info>
<fraud-session-id>1234567890</fraud-session-id>
</fraud-info>
<authorized-by-shopper>true</authorized-by-shopper>
</ordering-shopper>
<cart>
<cart-item>
<sku>
<sku-id>2425735</sku-id>
</sku>
<quantity>1</quantity>
</cart-item>
</cart>
<expected-total-price>
<amount>15.00</amount>
<currency>USD</currency>
</expected-total-price>
</order>
Using a POST-request to BLUESNAPDOMAINPATH/services/2/orders
The only response I get is a status code 400 with the body containing "Server Error"
Does anyone know how to solve this issue?
Your root xml element is missing the namespace:
<order>
Should be:
<order xmlns="http://ws.plimus.com">
I'm working on a website for a client that integrates into QuickBook desktop. I need to get a listing of all the checks for a specific account (ideally I would like all transactions for that account [regardless of their type] but if I have to get them one at a time that's fine). When I send the following XML:
<ns1:sendRequestXMLResponse>
<ns1:sendRequestXMLResult>
<xml version="1.0" encoding="utf-8" ?>
<qbxml version="12.0"?>
<QBXML>
<QBXMLMsgsRq onError="stopOnError">
<CheckQueryRq>
<AccountFilter>
<ListID>800000F1-1362066981</ListID>
</AccountFilter>
<IncludeLineItems>true</IncludeLineItems>
</CheckQueryRq>
</QBXMLMsgsRq>
</QBXML>
</ns1:sendRequestXMLResult>
</ns1:sendRequestXMLResponse>
I receive the following error:
<CheckQueryRs statusCode="1" statusSeverity="Info" statusMessage="A query request did not find a matching object in QuickBooks" />
If I go into QuickBooks I can see there are checks associated with the account so I'm not sure why this doesn't return a result.
Update 1: I rewrote this without the AccountFilter so it returned every check and I found checkes with the 800000F1-1362066981 account. It's also 10 MB so it's really hard to work with. :-)
I have to code a PHP front end for my Jasper reports. I could successfully connect to the server, authenticate and view the repositories using the jasper REST calls. However, when I try to access a report, I get the following error in the response body:
Report not found (uuid not found in session)
The php code is given below:
$uri = "http://localhost:8080/jasperserver/rest/report/samples/Client_Information_Report?RUN_OUTPUT_FORMAT=html";
//PUT request to run the report
$response = Httpful\Request::put($uri, $payload)
->authenticateWith("jasperadmin", "jasperadmin")
->send();
$xml = new SimpleXMLElement($response->body);
$uuid = (String)$xml->uuid; //The uuid is successfully returned
$uri = "http://localhost:8080/jasperserver/rest/report/$uuid?file=report";
$report = Httpful\Request::get($uri)
->authenticateWith("jasperadmin", "jasperadmin")
->send();
I am able to confirm that a uuid is returned with the first PUT. Is there anything I am missing here? Any help is appreciated.
Janenz,
First check the info that is coming from the PUT response to see if there is actually a report being generated and that is not empty, you should receive something like this:
<report>
<uuid>d7bf6c9-9077-41f7-a2d4-8682e74b637e</uuid>
<originalUri>/reports/samples/AllAccounts</originalUri>
<totalPages>43</totalPages>
<startPage>1</startPage>
<endPage>43</endPage>
<file type="image/png">img_0_0_0</file>
<file type="image/gif">px</file>
<file type="text/html">report</file>
<file type="image/jpeg">img_0_42_27</file>
<file type="image/png">img_0_42_26</file>
</report>
Notice the number of pages and the files available.
I have not used the Httpful library, but another thing to check is the way that library uses the Basic Authentication. It may happen that the second call is logging you in again and creating a new session; that is why you cannot find the UUID of the current session.
I have a full JasperServer and PHP sample in GitHub that you can check, it has the repository browsing and input control rendering implemented.
I'm not sure what version of JasperReports Server you are using but in the new version there is a new REST API that makes requesting reports a lot easier; check the JasperReports Server Web Services Guide (Section 3.2). I have that implemented in the JRS-Wrapper Branch of my project.
Hope this helps!!
MarianoL