Develop Reference

ASP.Net Cookies not being saved to the browser

I simply want to save cookies containing security tokens, but they are not persisted in the browser. Here is my AuthController method for saving the cookie (simplified):
[AllowAnonymous]
[HttpPost("authorize")]
[ProducesResponseType((int)HttpStatusCode.OK)]
public async Task<IActionResult> AuthorizeAsync()
{
//generating access token ommited for brevity
SetTokenCookie(accessToken);
return Ok(userIdentity);
}
And SetTokenCookie method:
private void SetTokenCookie(string accessToken)
{
var options = _jwtOptions.AccessToken;
var cookieOptions = new CookieOptions()
{
HttpOnly = true,
IsEssential = true,
Secure = false,
SameSite = SameSiteMode.Strict,
Domain = options.Issuer, //http://localhost:3394 by default
Expires = DateTime.UtcNow.AddDays(14)
};
Response.Cookies.Append(options.Name, accessToken, cookieOptions);
}
Now when I analyze the response from my Api, I see that Set-Cookie header and token itself are fine:
Decoded token:
{
"id": "70132f61-4d83-4772-9685-7a77a9204685",
"name": "admin",
"email": "xyz#xyz.pl",
"role": "Administrator",
"persist": "True",
"nbf": 1646336045,
"exp": 1646336945,
"iat": 1646336045,
"iss": "http://localhost:3394",
"aud": [
"blog.webgateway",
"blog.blogging",
"blog.comments",
"blog.users"
]
}
But when I check the cookies, nothing is saved.
I know that there are many topics related to this issue, but I already ran out of ideas I could find online:
I wiped storage in my browser for localhost
I added custom entry in my hosts file and changed cookie domain accordingly
I tried setting cookie domain = null or different path
I added Cors and allowed credentials, any methods, any headers, any origin
I tried more permissive settings in my browser
I tried changing cookie options (HttpOnly, Secure, SameSite)
I removed UseHttpsRedirection() from my Startup.cs and made sure I connet via HTTP
Nothing seems to work. I'm using Firefox 97.0.1. Do you know what else I could try?

Did you try to change the Domain to localhost?
Per my test, using `` didn't work for me, and then I found that other cookies showed they belong to domain localhost, so I use localhost instead, then I can see the newly created cookie. I test to call the api by tools in chrome, so I think it should be similar to your scenario.
public string saveCookie() {
var cookieOptions = new CookieOptions()
{
HttpOnly = true,
IsEssential = true,
Secure = false,
SameSite = SameSiteMode.Strict,
Domain = "localhost", //using https://localhost:44340/ here doesn't work
Expires = DateTime.UtcNow.AddDays(14)
};
Response.Cookies.Append("testCookie", "Cookie content", cookieOptions);
return "hello world";
}

I've finally managed to solve the issue... Here are the steps I've made:
Changed the controller method to HttpGet, so it just looks like this now:
[AllowAnonymous]
[HttpGet("authorize")] // <-- notice the difference
[ProducesResponseType((int)HttpStatusCode.OK)]
public async Task<IActionResult> AuthorizeAsync()
{
//generating access token ommited for brevity
SetTokenCookie(accessToken);
return Ok(userIdentity);
}
For some reason calling a Post request directly from the browser (Firefox at least in my case) doesn't seem to work for setting the cookies, even if the response looks fine, but when I changed it to Get method and accessed in a standard way (URL) it works. I will have to double-check if Post method works from the client (JavaScript).
Apply above solution from Tiny Wang, which means changing the cookie domain to localhost. Having the full URL indeed prevent cookie from being saved.
Edit: As pointed out by SSchmid in the comments, changing method to "Get" was only a temporary workaround while using Development Tools in Firefox. For further development or production it is not recommend to keep it as a "Get" method.

I managed to get it running by using the [FromBody] Attribute.
This works for me :
[HttpPost("Login")]
public async Task<IActionResult> Login([FromBody] LoginData data)
{
var user = await userManager.FindByEmailAsync(data.Email);
if (user == null || !await userManager.CheckPasswordAsync(user, data.Password))
return Unauthorized("Invalid Authentication");
await signInManager.SignInAsync(user, data.rememberMe);
var roles = (await userManager.GetRolesAsync(user)).ToList();
var sUser = new Models.User(user, roles);
return Ok(sUser);
}
apparently if u use HTTPPOST in combination with parameters it doesnt work.

I'm not getting a scope checkbox when the Authorize tag doesn't contain roles, Ajax authorization request not sending scope either

UPDATE 2: If I change my controller Authorize tag from this
[Authorize]
to this
[Authorize(Roles = "Read")]
then I get the checkbox for scope selection and the ajax token request contains the correct scope and completes successfully. I still end up with a red exclamation mark however. It looks like Swagger or Swashbuckle is requiring that the roles match the scope definitions? Is it possible to use the application flow with no Roles defined when using Swashbuckle? And if so how do you get that to work? Do I have to manually set the scope in the operation filter class? If it's not possible to use Swashbuckle without listing Roles in the Authorize tag, then I need to know how to assign clients roles in IdentityServer3.
UPDATE 3
If I change the Operation Filter to something like this the scope appears, but after selecting the scope and clicking on Authorize, the page just reloads. The ajax authorization was sent successfully first. This is closer, but the authorization still doesn't stick (not sure what term to use here, but stick seems to sum it up.) How do I get the authorization to stick?
public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
{
var scopes = new List<string>() { "Read" };
if (scopes.Any())
{
if (operation.security == null)
operation.security = new List<IDictionary<string, IEnumerable<string>>>();
var oAuthRequirements = new Dictionary<string, IEnumerable<string>>
{
{ "oauth2", scopes }
};
operation.security.Add(oAuthRequirements);
}
}
Original Post
I'm trying to configure Swashbuckle to allow clients to test a REST service that is protected by an OAuth2 client credentials flow. The toggle never appears on the page, should it?, but I do get a red circle with an exclamation mark telling me the resource is not protected. I'm using the nuget package Swashbuckle.Core Version 5.4.0. The answer here Enable Oauth2 client credentials flow in Swashbuckle seems to follow what I've done, and have used the AssignOAuth2SecurityRequirements class verbatim. I haven't injected any javascript and don't believe I have to since my authorization scheme is fairly standard. When I remove the Authorize key word on the Controller that method no longer has the red exclamation in the Swagger UI which I'm hoping means I'm close, but I'm not finding the missing link. Since this Flow is "application" and I only have one scope I wanted to make sure that it looks configured correctly and the clientSecret is loaded in the correct spot.
UPDATE 1
I've been able to debug the AJAX call and can see that the scope is not set and therefor not sent in the request. Why is the scope not being set? Why don't I have a checkbox to select the scope?
Here is my SwaggerConfig.cs
public class SwaggerConfig
{
public static void Register()
{
var thisAssembly = typeof(SwaggerConfig).Assembly;
GlobalConfiguration.Configuration
.EnableSwagger(c =>
{
c.SingleApiVersion("v1", "waRougeOneApp");
c.OAuth2("oauth2")
.Description("OAuth2 Client Credentials Grant Flow")
.Flow("application")
.TokenUrl("https://securitydev.rougeone.com/core/connect/token")
.Scopes(scopes =>
{
scopes.Add("Read", "Read access to protected resources");
});
c.IncludeXmlComments(GetXmlCommentsPath());
c.UseFullTypeNameInSchemaIds();
c.DescribeAllEnumsAsStrings();
c.OperationFilter<AssignOAuth2SecurityRequirements>();
})
.EnableSwaggerUi(c =>
{
c.EnableOAuth2Support(
clientId: "client_id",
clientSecret: "client_secret",
realm: "swagger-realm",
appName: "Swagger UI"
);
});
}
protected static string GetXmlCommentsPath()
{
return System.String.Format(#"{0}bin\\waRougeOne.xml", System.AppDomain.CurrentDomain.BaseDirectory);
}
}
And the AssignOAuth2SecurityRequirements class is
public class AssignOAuth2SecurityRequirements : IOperationFilter
{
public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
{
var authorized = apiDescription.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>();
if (!authorized.Any()) return;
if (operation.security == null)
operation.security = new List<IDictionary<string, IEnumerable<string>>>();
var oAuthRequirements = new Dictionary<string, IEnumerable<string>>
{
{"oauth2", Enumerable.Empty<string>()}
};
operation.security.Add(oAuthRequirements);
}
}
I've been trying to find a working example with a client credentials flow without success, so I'm not 100% sure I'll see a toggle button when everything is working correctly. In the examples for the implicit flow if you hover over the red exclamation circle you see the grant types listed, clicking on the red exclamation circle shows the options for scopes listed out in which you select one and then click authorize and it comes back with a blue exclamation.
For me I never get a checkbox to select a scope, but I've only defined one scope. What am I doing wrong? I found this while debugging the swagger ui JavaScript which seems to point to having all the data it needs?
authorizations
:
null
auths
:
Array[1]
0
:
Object
name
:
"oauth2"
type
:
"oauth2"
value
:
Object
description
:
"OAuth2 Client Credentials Grant Flow"
flow
:
"application"
scopes
:
Object
Read
:
"Read access to protected resources"
__proto__
:
Object
tokenUrl
:
"https://security.starrwarrs.com/core/connect/token"
type
:
"oauth2"
__proto__
:
Object
__proto__
:
Object
length
:
1
__proto__
:
Array[0]

Solution!!
The last part was the hardest to figure out, which I finally did with the help of the Chrome Developer tools that showed a little red X on the network tag showing the following error message:
XMLHttpRequest cannot load http://security.RogueOne.com/core/connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:62561' is therefore not allowed access.
The error message finally connected the dots below, until then the on OAuthComplete complete JavaScript function would be called, but with no token. The network tab show "This request has no response data available", but I'd see a Content-Length in the Response headers with a content-type of Json. Fiddler also showed the response which looked like (and was) well formed JSON.
I described this error here Swagger UI not parsing reponse which was due to IdentityServer3 correctly not adding a response header of "Access-Control-Allow-Origin:http://localhost:62561" You can force IdentityServer3 to send that header by updating you client creation to be the following:
new Client
{
ClientName = "SwaggerUI",
Enabled = true,
ClientId = "swaggerUI",
ClientSecrets = new List<Secret>
{
new Secret("PasswordGoesHere".Sha256())
},
Flow = Flows.ClientCredentials,
AllowClientCredentialsOnly = true,
AllowedScopes = new List<string>
{
"Read"
},
Claims = new List<Claim>
{
new Claim("client_type", "headless"),
new Claim("client_owner", "Portal"),
new Claim("app_detail", "allow")
},
PrefixClientClaims = false
// Add the AllowedCorOrigins to get the Access-Control-Allow-Origin header to be inserted for the following domains
,AllowedCorsOrigins = new List<string>
{
"http://localhost:62561/"
,"http://portaldev.RogueOne.com"
,"https://portaldev.RogueOne.com"
}
}
The AllowedCorsOrigins was the last piece of my puzzle. Hopefully this helps someone else who is facing the same issue

These are the steps which we have done and worked:
In the SwaggerConfig file, add the below settings:
c.OAuth2("oauth2")
.Description("OAuth2 Implicit Grant")
.Flow("implicit")
.AuthorizationUrl(swaggerConfigurations["IssuerUri"].ToString())
.Scopes(scopes =>
{
scopes.Add("user_scope", "Access REST API");
});
The attributes are:
Name of the authorization scheme (oauth2 in the above sample)
Description of the authorization scheme
Flow – Type of grant
to be used
Authorization Url – Should be the Auth Url of identity management system url (eg:
https://auth2.test.com/oauth2/authorize)
Scopes – The scope name
II. In the SwaggerConfig file, add the below settings also under the swagger ui configuration section:
c.EnableOAuth2Support(swaggerConfigurations["ClientId"].ToString(), string.Empty, swaggerConfigurations["RedirectUri"].ToString(), "Swagger", " ", new Dictionary<string, string> { { "resource", GetResources() } });
The method accepts the below parameters:
clientId – This should be client ID for swagger configured in Security Token Service
clientSecret – This should be client secret key. This is required only in case of Code grant type
realm – This should be the redirect url (this should be [base address] + swagger/ui/o2c-html)
appName – This should be swagger
scopeSeperator – This is not required to be passed if there is only scope
additionalQueryStringParams – This should have the list of valid audiences and this corresponds to the resource for which the token is issued.
III. Create a new Operation Filter in the web api project as shown below:
public class CustomOperationFilter : IOperationFilter
{
public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
{
string clientId = "clientID";
if (apiDescription != null)
{
var actFilters = apiDescription.ActionDescriptor.GetFilterPipeline();
var allowsAnonymous = actFilters.Select(f => f.Instance).OfType<OverrideAuthorizationAttribute>().Any();
if (allowsAnonymous)
{
return; // must be an anonymous method
}
}
if (operation != null)
{
if (operation.security == null)
{
operation.security = new List<IDictionary<string, IEnumerable<string>>>();
}
var authRequirements = new Dictionary<string, IEnumerable<string>>
{
{ "oauth2", new List<string> { clientId } }
};
operation.security.Add(authRequirements);
}
}
}
This class will be used to bind the OAuth scopes to the individual operations
IV. Add the above filter in the swagger config file (see code below)
c.OperationFilter<CustomOperationFilter>();
V. Configure the Client ID, Secret, Redirect Url and Resource in Security Token Service
VI. In the Web API project, if there is an index.html being used to inject API specific UI fields/styles, then make sure that all the javascript code is kept intact with the Swashbuckle version of the index.html file (as provided in the location - https://github.com/domaindrivendev/Swashbuckle/blob/master/Swashbuckle.Core/SwaggerUi/CustomAssets/index.html)

Authorization from C# with auth2 and linkedin

I have a WebApi that I want to authorize my user with his linkedin information (as in create an access token and inject it in to my owin).
So far I have tried to work with Sparkle.Linkedin and this is what I have
public LinkedInLogic() {
// create a configuration object
_config = new LinkedInApiConfiguration(ApiKey, ApiSecret);
// get the APIs client
_api = new LinkedInApi(_config);
}
public Uri GetAuthUrl() {
var scope = AuthorizationScope.ReadBasicProfile;
var state = Guid.NewGuid().ToString();
var redirectUrl = "http://localhost:1510/api/login/RedirectAuth";
return _api.OAuth2.GetAuthorizationUrl(scope, state, redirectUrl);
}
public void GetAccessToken(string code) {
//If I do api.GetAccessToken(code); here I get an access token
var request = System.Net.WebRequest.Create("http://localhost:1510/api/token?grant_type=authorization_code&code=" + code);
request.GetResponse(); // my owin authorization
}
So I first get the Authorization Url -> it opens a popup -> I enter my data and it goes back to a controller which fires up GetAccessToken.
Problem is even if I completely authorize with linkedin I am not sure how to authorize with my own webapi. So I tried to send an http request to my owin token giver but it doesn't like it. There is also doesn't seem to be anyway I can return the access token back to the user so he can use it in his session.
Any ideas?

Not too sure if the sparkle is working anymore since the changes that where made by Linkedin on May 2015

ServiceStack, authentication and passing session header with request

I need to validate a user against an application with custom UserName and Password. The credentials are compared with those in database and then the user can be authorized.
I configured my AppHost adding the plugin for authentication:
Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[]{
new CredentialsAuthProvider()
}));
I have decorated the my DTO with [Authenticate] attribute
I then created a service to handle the Authenticate call:
public AuthenticateResponse Any(Authenticate request = null)
{
var response = new AuthenticateResponse();
// code to get user from db
//...
// check if credentials are ok
if (passInDB == request.Password)
{
var session = this.GetSession();
session.IsAuthenticated = true;
session.UserName = userFromDBEntity.Username;
response.UserId = userFromDBEntity.ID.ToString();
}
return response;
}
In the client app I created a call to the service to provides me authentication:
AuthenticateResponse authResponse = client.Post(new Authenticate
{
provider = Axo.WebServiceInterface.AxoAuthProvider.Name, //= credentials
UserName = username,
Password = password,
RememberMe = true
});
Then, still in the client, I have written something like:
if (authResponse.UserId != null)
{
client.AlwaysSendBasicAuthHeader = true;
client.SessionId = authResponse.SessionId;
}
..with the hope to get aware the client that now I am an authenticated user, but after debugging to death I'm still having an UNAUTHORIZED Exception.
I am able to reach the Authenticate Service I created, and check the credentials against the db, but after that it seems the jsonclient needs something more than "SessionId" to know that it is authenticated, because I get the error for any other request. I suppose that headers are missing something.
I read a lot of posts, and I tried also to define my custom AuthProvider and then override TryAuthenticate to see if may be helpful (for someone it was) but the method doesn't even get fired..

There's an example of using ServiceStack's Authentication to implement a Custom Auth Provider by inheriting CredentialsAuthProvider and overriding TryAuthenticate() to determine whether the userName/password is valid and OnAuthenticated() to populate the Users IAuthSession with info from the existing DB:
public class CustomCredentialsAuthProvider : CredentialsAuthProvider
{
public override bool TryAuthenticate(IServiceBase authService,
string userName, string password)
{
//Add here your custom auth logic (database calls etc)
//Return true if credentials are valid, otherwise false
}
public override IHttpResult OnAuthenticated(IServiceBase authService,
IAuthSession session, IAuthTokens tokens,
Dictionary<string, string> authInfo)
{
//Fill IAuthSession with data you want to retrieve in the app eg:
session.FirstName = "some_firstname_from_db";
//...
//Call base method to Save Session and fire Auth/Session callbacks:
return base.OnAuthenticated(authService, session, tokens, authInfo);
//Alternatively avoid built-in behavior and explicitly save session with
//authService.SaveSession(session, SessionExpiry);
//return null;
}
}
Then to get ServiceStack to use your AuthProvider you need to register it with the AuthFeature plugin, e.g:
//Register all Authentication methods you want enabled for this web app
Plugins.Add(new AuthFeature(() => new AuthUserSession(),
new IAuthProvider[] {
new CustomCredentialsAuthProvider(),
}
));
If everything's configured correctly you'll then be able to Authenticate with any of the Service Clients, e.g:
var authResponse = client.Post(new Authenticate
{
provider = "credentials",
UserName = username,
Password = password,
RememberMe = true
});
If successful this will return a populated authResponse, the ss-id/ss-pid Session cookies will also be populated on the client instance which will then let you call AuthOnly Services that are protected with [Authenticate] attribute.
Don't implement Authenticate Service
You never want to implement your own Any(Authenticate request) which ServiceStack already implements. The way to plug into ServiceStack's Authentication is to use a custom provider shown above. You can instead choose to ignore ServiceStack's Authentication in which case you should implement your own Custom Authentication Service but you should not use the existing Authenticate DTO's or [Authenticate] attribute which are apart of ServiceStack's Authentication support and assume that you're calling a registered AuthProvider.
Request DTO's are never nullable
Although unrelated, you also never want to make your Request DTO's nullable, e.g. Any(Authenticate request = null). ServiceStack will always call your Services with a populated Request DTO, or an empty one if no parameters were passed, it will never call your Service without a Request DTO or with a null Request DTO.

Getting OAuth2 refresh token

I'm trying to use Google's Calendar API to demo out an OAuth2 integration that we'll need to do with another third party. I'm using the DotNetOpenAuth library, and I've been able to get the initial redirect to Google for the Allow / Deny prompt and get the authorization code back.
I now need to get the access token and refresh token, but I only seem to get an access token back, refresh token is null.
This is my controller action method where Google redirects back to after the user Accepts or Denies:
public ActionResult ProcessResponse(string state, string code, string error)
{
var oAuthClient =
new WebServerClient(
new AuthorizationServerDescription
{
TokenEndpoint = new Uri("https://accounts.google.com/o/oauth2/token"),
AuthorizationEndpoint = new Uri("https://accounts.google.com/o/oauth2/auth"),
ProtocolVersion = ProtocolVersion.V20
},
_applicationId,
_secret)
{
AuthorizationTracker = new TokenManager()
};
var authState = oAuthClient.ProcessUserAuthorization();
var accessToken = authState.AccessToken;
var refreshToken = authState.RefreshToken;
return View(new[] { accessToken, refreshToken });
}
Any ideas?
EDIT:
To get the authorization code, I setup the oAuthClient identically to what I did above, and use this method:
oAuthClient.RequestUserAuthorization(new[] { "https://www.googleapis.com/auth/calendar" }, returnUrl);

I had a similar problem, and solved mine by hand-coding the HttpRequest and HttpResponse handling. See code at: https://stackoverflow.com/a/11361759/29156