I making .Net MVC application that use DropBox as file storage.
I successfuly made uploading files to DropBox from my application but I get short time life token that expires evry 4 hour. I need some code examples how to refresh token.
OAuth2Response CodeResponse = await DropboxOAuth2Helper.ProcessCodeFlowAsync(result.Data.Code, AppKey, AppSecret, RedirectUri);
Settings.AccessToken = CodeResponse.AccessToken;
Settings.RefreshToken = CodeResponse.RefreshToken;
Apps can get long-term access by requesting "offline" access, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation. There's a basic outline of processing this flow in this blog post which may serve as a useful example.
If you're using .NET, we recommend using the official Dropbox API v2 .NET SDK. When you use the official Dropbox API v2 .NET SDK, you do not need to implement all of the code for the OAuth flow yourself. The SDK will do most of the work for you. You can find examples of using this here.
Related
I have an older webapp that has implict flow I need to continue to support. I tried to use Microsoft.Identity.Web 1.9.0.0 but it does not allow me to use id_token it requires only access token in the authorization header I get the error message below :
[10:09:31.861 -04:00] [ERR] [] [] An unhandled exception has occurred
while executing the request. System.UnauthorizedAccessException:
IDW10201: Neither scope or roles claim was found in the bearer token.
at
Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<b__1>d.MoveNext()
Is there a setting to allow it? I couldn't see one in JwtBearerOptions or MicrosoftIdentityOptions.
It does work when I use Microsoft.AspNetCore.Authentication 3.1.0.0 library, but I wanted to have newest library possible. Any recommendations would be great.
Edit: More details
Our company is under major tech shift. he have built alot of stuff in .net core and web components (Polymer) for front end but . We decided to switch to Azure AD B2C. We have no problems switching our .net core and existing polyymer UI's to authorization code flow.
We have alot of assets in .net web forms. Those Web Forms are large projects that are using forms Authentication membership. We don't have the resources to switch all the UI's to Web Components and .net core at one shot. The plan is switch the identity to Azure AD B2C and release it to production. When there is a change request or new feature request we would build the new pages only in HTML and Web Components (Polymer) and have a .net core api to handle those api requests. The problem is that the Web Coponents doesn't have access to the access token.
The solution I found was when the Web Forms gets a responds from B2C I conect OpenIdConnectAuthenticationNotifications to SecurityTokenReceived which reads the IdToken and I put it in a cookie with an expiry in (30 seconds) and return it to the browser. I have javascript code that reads to see if the cookie exists and takes it and stores it in the Session Storage and deletes the cookie. Also on load the browser checks if the user is signed in if not it deletes the Session Stored id_token.
This works as expected, but the problem is it is using the id_token and not using the authorization code flow. So When accessing any other api I can't request a token from B2C for the other API. Also I can't get a refresh token (plan is to set it to 8hrs to expire which is good enough). I have looked at if it's possible to make it work with code flow. i have looked at how it works in MVC but it I haven't made it work,
This is the project I used to switch to B2C https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet
After deciding to give up on this. Working on a different project I had to run a cross this issue. Decided to do another search and found this post
https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#to-support-acl-based-authorization
through this Stack overflow Q/A
IDW10201: Neither scope or roles claim was found in the bearer token
this is what is needed to use the latest Microsoft.Identity.Web Package. To sum it up in the you need to set the Azure options variable AllowWebApiToBeAuthorizedByACL = true
The error message expects scope or roles in the bearer token. Please follow this document for implicit flow versus authorization code flow concept.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
I've seen a million different answers and none of them work.
Can someone please give me a link that works for:
I have a web api, I've registered it on Azure. I have Azure Active Directory configured.
I have a tenantId, a clientId, a client Secret, and every other variable I should need.
I can log a user into my system through AD via an MVC controller, how can I do the same with web api?
I basically need to generate the AD token so I can continue to use the API outside of my MVC controllers.
It must be the same token, because I need to access microsoft graph from the client side of the API.
HELP!
It’s up to the client to get a token and pass it to your API. You don’t specify what the client is (I.e. web, iOS, Android) but since you’re using Azure AD you could just use the appropriate ADAL library provided by Microsoft to do this.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
I can log a user into my system through AD via an MVC controller, how
can I do the same with web api?
If you are interested in server-to-server interactions without direct interaction from the user side, you may have a look at OAuth 2.0 Client Credentials Grant Flow for AZAD.
The attached article contains simple examples of implementation. I think for your case, example with a daemon/console app (just replace it w/ Web API) is what you need. Download the example, replace configurations (Instance, TenantId, ClientId, and ClientSecret) in appsettings.json w/ yours, and try to play around with it.
I have a .NET Core API (.NET Core 1.0.0 with EF 1.0) that I use in a serverless manner by having it as Lambda in Amazon AWS.
That API is fully functional, but I'd like to implement an authentication on it. Mainly for my Xamarin mobile app that will use that restful API.
Amazon has something called Amazon Cognito where you can use 'Cognito Federated Identities' so signing in via Facebook, Google, etc.
I have no clue as to where to start. I've scavenged the internet and could find bits and pieces of code and articles here and there, but I can't figure out how to put it all together.
If I implement a AWS Cognito Authentication on my API, is an API key still necessary? Or should I use both? API key to authenticate my mobile phone as a valid user to the system and AWS Cognito for authenticating my user?
I'm assuming that the AWS authentication happens from an AWS SDK of some sorts, can I still benefit from Facebook authentication? For example can I get the user pictures/albums/likes/etc.
Or do I have to use a Facebook SDK for this, if so do I use the Facebook SDK on the API level or Mobile app (Xamarin) level?
It would be great if someone ever implemented something like this (or similar) could present me with some sample code? Or at least something to push me in the right direction, cause I'm a bit lost. Thank you!
I haven't had the time to implement it yet, but when I do I'll also post the code here.
Too bad I lost 50 rep for the bounty :(
If I implement a AWS Cognito Authentication on my api, is a API key still necessary? Or should I use both? API key to authenticate my mobile phone as a valid user to the system and AWS Cognito for authenticating my user?
Or do I receive some sort of token?
Using Cognito Federated Identities will generate IAM Credentials(Access Key, Secret Key, Session Token) that are tied to an IAM Role, so this means that you will have to use IAM Auth on API Gateway.
You cannot use more than one Auth type on the same API Method.
I'm assuming that the AWS authentication happens from AWS SDK, can I still benefit from facebook authentication? For example can I get the user's pictures/albums/likes/etc. Or do I have to use a Facebook SDK for this, if so do I use facebook SDK on API level or Mobile app (xamarin) level
Yes you can still benefit from Facebook authentication. You will have to use the Facebook SDK. The AWS SDK and Cognito are just using Facebook as a way to a verify that the user is correct. As for where you will use the Facebook SDK this will depend on your own architecture of your application. Though generally in my experience I see it being used on the client(mobile) level more.
For actually using and coding Cognito, first you need to create an Identity Pool. While you are creating the pool, depending on your use case, you can leave "Enable access to unauthenticated identities" unchecked.
This is only if you want guest users in your app to be able to use your APIs. But if you just want users who have logged in through Facebook then this should be unchecked.
Then under "Authentication providers" add in your Facebook app id under the Facebook tab. Here is the documentation to how to create a pool for addition information:
http://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-identity-pools.html#create-identity-pool
Then for coding this in your app, these two pieces of documentation are used together.
1) You first need to set the credentials object, and then once you login through Facebook and get the token you make a addLogin to add the token to Cognito.
2) Then you use the credentials object to pass the credentials to API Gateway.
http://docs.aws.amazon.com/cognito/latest/developerguide/getting-credentials.html#getting-credentials-1.xamarin
http://docs.aws.amazon.com/cognito/latest/developerguide/facebook.html
In order to use IAM Auth with API Gateway you will need to do something known as SigV4 signing.
Since API Gateway does not have a generated SDK for dotNet/C#, you will have to do this manually.
This documentation goes over signing requests examples. The examples are in Python, unfortunately we do not have any examples in C#, but it gives you the logic that you need to complete this.
http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
Does anyone know a way to get a google oAuth2 access token and then use this in a WWW (or just a web request) to retrieve data from a private spreadsheet.
I have managed to do (what i believe is getting) an access code using the way described in the google sheets v3 examples and this opens google page opening to accept authorisation and copy the access code out. However when i use this code in the web call google provides it fails (it asks me for an api key which the oAuth should replace but still fails with a valid api key)
i was looking at the references on the documentation namely https://developers.google.com/identity/protocols/OAuth2WebServer#callinganapi for putting my access_token in so it would look like the code segement below and from my understanding should then work. I'm guessing my access code is wrong but not 100% sure if this is the case
WWW a = new WWW("https://sheets.googleapis.com/v4/spreadsheets/1MNqof6SVUFUhyPxca-bSSfhlcHNOG80o29GPHaJYZXU/values/A1:D4?" + "access_token=" + accessToken);
yield return a;
Debug.Log(a.text);
I have looked through the examples on how to read and write as well from here developers.google.com/identity/protocols/OAuth2WebServer#callinganapi using requests but I need to authorise these and grant permission.
Looking through the other examples they show using a download that is .net 4 and with unity only supporting .net 3.5 i need to go about this a different way such as a WWW request to get a access token if expired and then use that access token in the actually request for the data.
You may check this documentation. OAuth 2.0 is the authorization protocol used by Google APIs. You should get familiar with the protocol by reading these links: The OAuth 2.0 Authorization Protocol and
Using OAuth 2.0 to Access Google APIs. To begin, obtain OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access. For an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials), experiment with the OAuth 2.0 Playground.
My app used to be able to log into Tumblr, but late last year they changed their api to use OAuth. I am having a hell of a time trying to log in to Tumblr programmatically from a client-side app. I am using this app as a guide. Everything seems all right, but I keep getting Missing or invalid request token from Tumblr.
My question is this: is there an actual working example of logging in to Tumblr via OAuth in C#?
Temboo simplifies the OAuth process for Tumblr by breaking it down into two calls:
InitializeOAuth - returns a Tumblr authorization URL that you can show to your users and have them grant your application access to their Tumblr account.
FinalizeOAuth - returns the access tokens your app needs for authenticated access to Tumblr accounts.
You can experiment with Temboo's Tumblr OAuth support in your browser from the link below, and then generate the source code you need to use this behavior in your app with the Temboo SDK. If your language isn't supported (Temboo does not currently have a C# SDK), you can generate REST API cURL commands.
https://www.temboo.com/library/Library/Tumblr/OAuth/
(Full disclosure: I work at Temboo, so let me know if you have any questions!)