I would like to send some information to a 'HTTPS' server and get the cookies and html code from the server. I have already complete the cookies and the html part. However, when I use the 'GET' method to set the url and use the statusCode to see the http status code, I found that the status code is 0. I found the error is about the 'untrust server certificate'.
How can I add the certificate to the NSHTTPURLResponse in order to receive the 200 or 302 status code? The error display the Error Code = -1202. Thank you.
I had the same problem a few days ago, the following post solved it.
Adding an untrusted certificate is (at least in the simulator) not possible, but you can tell your NSURLConnection Delegate to accept self signed certificates (or generally untrusted ones)
How to use NSURLConnection to connect with SSL for an untrusted cert?
hope I could help!
Related
I'm following step by step guide on Microsoft's site (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token), everything is working correctly but every time I try to refresh the access token, I get this error: AADSTS70000: Provided grant is invalid or malformed. error_codes: 70000.
I've created a Postman collection for testing, also downloaded the official postman collection from the Microsoft's site, everything is working correctly until the access token does not expire. When it expire, trying to refresh the token always lead to an error and I'm pretty stuck with it. I've double and triple checked correspondence between redirect_url, permission, grant, copy/paste errors, waited for the access_token to expire before trying to refresh... I've done almost 100 tests, and every time I'm stuck at the refresh part!
I start with doing the normal call to Microsoft Login API in my browser, and getting the code in query string from the browser (no problems here) (please note that client_id is URL encoded because, in my test environment, client id is an URL due to the configuration of the Drupal portan we're using, I'm truing to recreate the same behaviour in postman)
https://login.microsoftonline.com/{tenant_guid}/oauth2/v2.0/authorize?client_id={myclient_id_urlencoded}&response_type=code&redirect_uri={redirect_uri_urlencoded}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=12345
Then with the code in query string, i POST to the token endpoint:
POST /{tenant_guid}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-url-form-urlencoded
cache-control: no-cache
Postman-Token: a0456a8d-6979-491f-b61e-86b5d614c577
client_id={myclient_id_urlencoded}
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
redirect_uri={redirect_uri_urlencoded}
grant_type=authorization_code
client_secret={client_secret_urlencoded}
code=OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXujKZhF...
I receive back an accesso token (that is working like a charm in accessing https://graph.microsoft.com/v1.0/me for an hour) and a refresh token. I would love to get a new pair of access/refresh token when the original access token expires, using the refresh_token grant_type
POST /tenant_guid/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-url-form-urlencoded
cache-control: no-cache
Postman-Token: 5d71f813-768e-476c-a97f-c109fba3165e
client_id={myclient_id_urlencoded}
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
redirect_uri={redirect_uri_urlencoded}
grant_type=refresh_token
cclient_secret={client_secret_urlencoded}
refresh_token=OAQABAAAAAADCoMpjJXrxTq9VG9te-7FX8m6YMg-.....
But no matter if I try before access token expiration or after, closing and reopening postman, I always receive that error back. I've done almost 50 tests (always with the full round of login/authorization to use always a fresh refresh token) with no luck.
Seems like I'm missing something really stupid here because I can't imagine that everybody else is behaving correctly... but really can't find a way out!
So I just got mine working! Here are the required parameters I needed:
client_id = your client id
refresh_token = the refresh token here
grant_type = refresh_token,
client_secret = secret
NOTE: Everything I read told me to URLEncode the values. I found it worked with them UNENCODED - no idea if it will really make a difference or not. Since it is going in the body of the post, which means it is TLS encrypted.
The other important thing was the url I posted to. There seem to be so many examples and none seem to be consistent. I used this format:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
The last thing is to be sure you are using the correct app id. In my case I was using the appId for the wrong app and it didnt have consent. Hope this helps. I do wish Microsoft would make a concerted effort to spell out things consistently and think like someone who doesn't do security for a living.
Finally resolved thanks yo the Azure Support.
The problem is the client id: as I supposed before, Microsoft allow you to define another application name, but always want to use the GUID client id to submit any request. Unfortunately, it was warning me when I didn't url-encoded it, but did not alert me that it was not correct until I tried to use the refresh token.
So just read very very well the documentation: client_id: The Application (client) ID that the Azure portal – App registrations experience assigned to your app (so not the one you choose).
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Maybe including a format validation in the documentation would help!
One of the method that I am testing sends a XMLHttpRequest to "http://localhost:4848/qrs/extension/schema?xrfkey=asdfasdfdf". I am getting an error which looks like this -
XMLHttpRequest cannot load http://localhost:4848/qrs/extension/schema?xrfkey=asdfasdfdf. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9875' is therefore not allowed access. The response had HTTP status code 404.
Now I understand that test are served on "localhost:9876", and trying access localhost:4848 is actually violating cross domain policy. I have seen the karma proxy settings and tried -
proxies: {
'/qrs': 'http://localhost:4848/qrs'
}
But doing this actually serves my content from "http://localhost:9876/qrs/extension/schema?xrfkey=asdfasdfdf". But this way my client code will not work. Because client code directly sends XHR request to "http://localhost:4848/qrs/.....", but NOT to "http://localhost:9876/qrs/.....".
Any suggestion how can I solve this?
Also, wouldn't it be better to have an option to set different headers in the config file? At lest we know that we are talking about test here (I mean not in production).
Thanks in advance.
I was thinking 403. From http://www.restapitutorial.com/httpstatuscodes.html:
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
Edit: Endpoint - POST /users.
The normal HTTP error code for situations like this is 409 Conflict:
The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body SHOULD include enough
information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.
This should be issued in response to a POST or PUT, typically as part of some sort of RESTful API. It should include a useful error message in addition to the status, and the error should be appropriately encoded (e.g. with XML or JSON).
Obscure HTTP errors are less useful in front-end web services. If you are developing a user-facing website, it's preferable to simply deliver an HTML page explaining the problem with a standard 200 OK.
If you are creating a REST API to create accounts, I would expect the request to be something like:
POST /accounts HTTP/1.1
{userid: "someone#example.com", password: "passw0rd!"}
In this case, I guess an appropriate response code would be 409 Conflict with an error description in the body
HTTP/1.1 409 Conflict
{ error: "Account already exists"}
That status code is for an HTTP error, not what you need. Also, it would be very unhelpful as it does not describe the problem at all.
Why not just send:
Username already exists! Please select another.
403 is an ok response in my opinion. 409 and 412 are also possible choices.
I am trying to debug a http get request i sent via AFNetworking's AFJSONRequestOperation to see if the cookies are being sent correctly. However, i dont see any cookies in http header. Can some expert help me out here? thanks! :)
You can set the cookie to your AFHTTPClient or it's subclass with the following line
[_httpClient setDefaultHeader:#"Cookie" value:#"cookie=value"];
I've tried this with my server and it works. It can clearly catch the cookie named cookie and it's related value.
I am developing an app that will upload the image from the iphone to a server. In server side there is a php program to handle the uploaded image. I am using the NSURLConnection with the Post method and have set the post body of the request. When I upload the image, I could see the image uploaded 3 times(in the server), but after sometime didFailWithError: is called stating that "lost network connection". What could be the reason for this? My doubt is that why is that image is uploaded multiple times? I have set the timeout of the request to 3600.0
Any help is appreciated.
Thanks
In my case, i have forgot to set method to POST like this:
[aRequest setHTTPMethod:#"POST"];
Hope it helps
How does your server respond to the upload? What status does it return to the client? If it accepts the image then resets the connection without replying to the POST request, you'll see the behaviour you've described.