Incorrect claim Type - c#

I am currently working on an API. The tokens are returned from an IdentityServer4.
I am trying to get back the sub id which is the id of the currently authorized user from the token claim. I can see it in the Claim here.
{
"nbf": 1512632838,
"exp": 1512636438,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"testapi"
],
"client_id": "ServiceAccountAccess",
"sub": "21248582",
"auth_time": 1512632823,
"idp": "local",
"name": "TestUser",
"resource_id": "21260601",
"xena_fiscal_id": "21875",
"fiscal_name": "My company",
"picture_url": "/Content/images/avatar-company-xena.jpg",
"application_id": "16140911",
"scope": [
"openid",
"profile",
"testapi"
],
"amr": [
"password"
]
}
My API call is quite simple
[Authorize]
public async Task<ActionResult> ChangeFiscal([FromBody] long fiscalId)
{
var name = User.Claims.Where(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier")
.Select(c => c.Value).SingleOrDefault();
}
What i cant understand is why sub or subject is being turned into
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
I can see from the api that its done it to quite a few of the claims
{
"nbf": 1512653706,
"exp": 1512657306,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"testapi"
],
"client_id": "ServiceAccountAccess",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "21248582",
"auth_time": 1512652100,
"http://schemas.microsoft.com/identity/claims/identityprovider": "local",
"name": "TestUser",
"supporter": "21248582",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "password",
"resource_id": "21527443",
"xena_fiscal_id": "21876",
"fiscal_name": "this",
"picture_url": "/Content/images/avatar-company-xena.jpg",
"scope": [
"openid",
"profile",
"testapi"
]
}


Its taken an hour to figure out that the Microsoft JWT handler turns these standard claims into Microsoft proprietary ones.
By adding the following line to the startup Configure method i was able to turn off this annoying "feature"
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear()

Related

What do I need to do to make a Teams bot callable

I'm trying to create a Microsoft Teams bot that can be called. Especially, we plan to use it as a destination for incoming calls on a Call Queue.
It seems that the call buttons
we usually get with contacts are nowhere to be seen on this bot:
So far, I have managed to create a bot according to the samples.
In https://dev.botframework.com/, the bot appears and I have the Enable Calling flag set (which - interestingly, seems to get disabled almost every time I run the project in Visual Studio).
My permissions.json looks like this:
[
{
"resource": "Microsoft Graph",
"delegated": [
"User.Read"
],
"application": [
"Calls.Initiate.All",
"Calls.InitiateGroupCall.All",
"Calls.JoinGroupCall.All",
"Calls.AccessMedia.All"
]
}
]
My manifest.template.json looks like this:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.13/MicrosoftTeams.schema.json",
"manifestVersion": "1.13",
"version": "1.0.0",
"id": "{{state.fx-resource-appstudio.teamsAppId}}",
"packageName": "com.microsoft.teams.extension",
"developer": {
"name": "Teams App, Inc.",
"websiteUrl": "{{state.fx-resource-frontend-hosting.endpoint}}",
"privacyUrl": "{{state.fx-resource-frontend-hosting.endpoint}}{{state.fx-resource-frontend-hosting.indexPath}}/privacy",
"termsOfUseUrl": "{{state.fx-resource-frontend-hosting.endpoint}}{{state.fx-resource-frontend-hosting.indexPath}}/termsofuse"
},
"icons": {
"color": "resources/color.png",
"outline": "resources/outline.png"
},
"name": {
"short": "{{config.manifest.appName.short}}",
"full": "{{config.manifest.appName.full}}"
},
"description": {
"short": "Short description of {{config.manifest.appName.short}}",
"full": "Full description of {{config.manifest.appName.short}}"
},
"accentColor": "#FFFFFF",
"bots": [
{
"botId": "{{state.fx-resource-bot.botId}}",
"scopes": [
"personal",
"team",
"groupchat"
],
"supportsFiles": false,
"supportsCalling": true,
"supportsVideo": true,
"isNotificationOnly": false
}
],
"composeExtensions": [],
"configurableTabs": [],
"staticTabs": [],
"permissions": [
"identity",
"messageTeamMembers"
],
"validDomains": [],
"webApplicationInfo": {
"id": "{{state.fx-resource-aad-app-for-teams.clientId}}",
"resource": "{{state.fx-resource-aad-app-for-teams.applicationIdUris}}"
}
}
I also believe to have configured the correct permissions on the App Registration in Azure:
Any idea where to look next? What do I need to do to make the bot directly callable as I would be able to with any other user?

INVALID_USERID when calling Docusign API from live environment

I am getting below error when calling Docusign API from a C# web api. Able to get the access token but when creating the envelope this error is being received.
Is there any issue with clientUserId because it worked without any hiccups in sandbox. What value do I need to pass in it ? From all the sources, I gather it just indicates that this request is an embedded one. If we have to pass a specific userId in this field how to get it when passing it for envelope creation.
Response:
{
"errorCode": "INVALID_USERID",
"message": "Invalid UserId."
}
Below is the request which we are passing
{
"documents": [
{
"documentId": "1",
"fileExtension": "pdf",
"name": "Trial - OL.pdf"
}
],
"emailSubject": "Docusign Digital Signature",
"recipients": {
"signers": [
{
"clientUserId": "1001",
"email": "XXXX",
"name": "XXXX",
"recipientId": "1",
"routingOrder": "1",
"tabs": {
"signHereTabs": [
{
"anchorIgnoreIfNotPresent": "false",
"anchorString": "XXXX",
"anchorUnits": "inches",
"anchorXOffset": "0",
"anchorYOffset": "-0.25"
}
]
}
}
]
},
"status": "sent"
}
There is no error while retreiving access token

The error is not about clientUser but about the userId of the user.
After you finished Go-Live, the account is different, the user is different, and the URLs for the environments are all different when you migrate from the developer sandbox to the production environment.
If you got a token using JWT, remember that one of the things you used was the userId of the impersonated users.
You cannot use the token generator tokens in production.
Production environment doesn't have a single URL like demo.docusign.net. It can be many different URLs and you have to first figure out what it is before making API calls.

IdentityServer4.Stores.ValidatingClientStore Invalid client configuration for ... client no allowed grant type specified

Hi I am getting the error...
"IdentityServer4.Stores.ValidatingClientStore Invalid client configuration for ... client no allowed grant type specified"
when using a sql database context initially seeded from static data.
If I use the same static data on an AddInMemoryClients context no errors occurs and everything works fine.
Client definition...
new Client
{
ClientId = "GameMvc",
ClientName = "MGame web client",
ClientSecrets = { new Secret("058dddb593be4e149c19e23fd336e2ed".Sha256()) },
AllowRememberConsent = false,
AllowOfflineAccess = true,
UpdateAccessTokenClaimsOnRefresh = true,
AccessTokenLifetime = 180,
AllowedGrantTypes = GrantTypes.Hybrid,
RedirectUris = { "https://localhost:44330/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:44330/signout-callback-oidc" },
AllowedScopes =
{
"openid",
"profile",
"email",
"address",
"offline_access",
"role",
}
}
Identity server debug output
fail: IdentityServer4.Stores.ValidatingClientStore[0]
Invalid client configuration for client GameMvc: no allowed grant type specified
info: IdentityServer4.Events.DefaultEventService[0]
{
"Name": "Invalid Client Configuration",
"Category": "Error",
"EventType": "Error",
"Id": 3001,
"ClientId": "GameMvc",
"ClientName": "MGame web client",
"Message": "no allowed grant type specified",
"ActivityId": "0HLUGMDSRD0QH:00000007",
"TimeStamp": "2020-03-25T11:56:22Z",
"ProcessId": 22768,
"LocalIpAddress": "::1:44320",
"RemoteIpAddress": "::1"
}
fail: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Unknown client or not enabled: GameMvc
{
"SubjectId": "anonymous",
"RequestedScopes": "",
"Raw": {
"client_id": "GameMvc",
"redirect_uri": "https://localhost:44330/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email offline_access role experience subscription_level GameApi",
"response_mode": "form_post",
"nonce": "637207341781609343.NzJmYjQ1ZjgtNDI1Yy00ZWY4LWE2YTItOTE0MWUwNTYwNDIwNzQ0NWJjOWEtN2FhNS00M2NlLTlhMmMtMTlkODBhMTliYjdm",
"state": "CfDJ8H3n8sVeRBlPopiMUAsqux6eF3ZksNANFCae20YtpBRAXjP-7HUxq1--kcY8uMuiT1moapzqik0ifGaLVmBiQw2QcRcNLlJCpN50yy2uHy52-ydsbCEGigE81skOlEalX2fMbjOuVRSC5jT4FaE2DFM-wPj8ndbf_VGYQ-FG5avBp9vsSKMW_CdUaUtrbs4nsEmAn1NTZoXIPTXnzBcCKOPwSpCOalpK1i4SbpKFbvN3PAKCNw1zPi-lFM5_W3icVvD_gazWnP3X1jxp_3XzCSoKIf3bKSL6TKuix28SPJZ_-KnKJtWOAUkkTFu20Qr0DQ",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Request validation failed
info: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
{
"SubjectId": "anonymous",
"RequestedScopes": "",
"Raw": {
"client_id": "GameMvc",
"redirect_uri": "https://localhost:44330/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email offline_access role experience subscription_level GameApi",
"response_mode": "form_post",
"nonce": "637207341781609343.NzJmYjQ1ZjgtNDI1Yy00ZWY4LWE2YTItOTE0MWUwNTYwNDIwNzQ0NWJjOWEtN2FhNS00M2NlLTlhMmMtMTlkODBhMTliYjdm",
"state": "CfDJ8H3n8sVeRBlPopiMUAsqux6eF3ZksNANFCae20YtpBRAXjP-7HUxq1--kcY8uMuiT1moapzqik0ifGaLVmBiQw2QcRcNLlJCpN50yy2uHy52-ydsbCEGigE81skOlEalX2fMbjOuVRSC5jT4FaE2DFM-wPj8ndbf_VGYQ-FG5avBp9vsSKMW_CdUaUtrbs4nsEmAn1NTZoXIPTXnzBcCKOPwSpCOalpK1i4SbpKFbvN3PAKCNw1zPi-lFM5_W3icVvD_gazWnP3X1jxp_3XzCSoKIf3bKSL6TKuix28SPJZ_-KnKJtWOAUkkTFu20Qr0DQ",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
however using the same client on in memory scenario with AddInMemoryClients it works... see the debug output below..
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
ValidatedAuthorizeRequest
{
"ClientId": "GameMvc",
"ClientName": "MGame web client",
"RedirectUri": "https://localhost:44330/signin-oidc",
"AllowedRedirectUris": [
"https://localhost:44330/signin-oidc"
],
"SubjectId": "anonymous",
"ResponseType": "code id_token",
"ResponseMode": "form_post",
"GrantType": "hybrid",
"RequestedScopes": "openid profile email offline_access role experience subscription_level GameApi",
"State": "CfDJ8H3n8sVeRBlPopiMUAsqux7YiGRgIGQOeT0aF9aYMv-a40lLmjS_uEZw_jMeQAgkq7wFGq8mMMekKNm8U6uFL_kruFOX_gYjhJjzRZUKG1aHE0vpcJ0i0zYqd9aTh6elus8MxkP6NaGWszjf0wXSwVNboUdq_7NAvR_b4Pyt0sMkD5LTysTQ4VePtKi-FjDarp5xlRPvQUfiYpZfcyOGi7eqSlHuiVzD83uByMBhJ3cIA6h5n5zDzzotNpwxw_QLQk4A8zN06tgTHhUYTWV-5kxYiX3N84f__eyB3K_TCY94Kbm562BZX4TtfLzJHqJAdg",
"Nonce": "637207668423193165.NjAzZDAwM2UtMjc0Yi00ZTNiLTgyOWYtN2JhYTI5ZTkxNDBlZGJiN2FiZGEtN2ZmYy00OGFkLWE5MGItMzAzNmY3OGM1MGIx",
"SessionId": "",
"Raw": {
"client_id": "GameMvc",
"redirect_uri": "https://localhost:44330/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email offline_access role experience subscription_level GameApi",
"response_mode": "form_post",
"nonce": "637207668423193165.NjAzZDAwM2UtMjc0Yi00ZTNiLTgyOWYtN2JhYTI5ZTkxNDBlZGJiN2FiZGEtN2ZmYy00OGFkLWE5MGItMzAzNmY3OGM1MGIx",
"state": "CfDJ8H3n8sVeRBlPopiMUAsqux7YiGRgIGQOeT0aF9aYMv-a40lLmjS_uEZw_jMeQAgkq7wFGq8mMMekKNm8U6uFL_kruFOX_gYjhJjzRZUKG1aHE0vpcJ0i0zYqd9aTh6elus8MxkP6NaGWszjf0wXSwVNboUdq_7NAvR_b4Pyt0sMkD5LTysTQ4VePtKi-FjDarp5xlRPvQUfiYpZfcyOGi7eqSlHuiVzD83uByMBhJ3cIA6h5n5zDzzotNpwxw_QLQk4A8zN06tgTHhUYTWV-5kxYiX3N84f__eyB3K_TCY94Kbm562BZX4TtfLzJHqJAdg",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
I could check that the data is indeed persisted on the database..
Here below the /.well-known/openid-configuration
/ https://localhost:44320/.well-known/openid-configuration
{
"issuer": "https://localhost:44320",
"jwks_uri": "https://localhost:44320/.well-known/openid-configuration/jwks",
"authorization_endpoint": "https://localhost:44320/connect/authorize",
"token_endpoint": "https://localhost:44320/connect/token",
"userinfo_endpoint": "https://localhost:44320/connect/userinfo",
"end_session_endpoint": "https://localhost:44320/connect/endsession",
"check_session_iframe": "https://localhost:44320/connect/checksession",
"revocation_endpoint": "https://localhost:44320/connect/revocation",
"introspection_endpoint": "https://localhost:44320/connect/introspect",
"device_authorization_endpoint": "https://localhost:44320/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
"subscription_level",
"experience",
"role",
"address",
"phone",
"email",
"profile",
"openid",
"GameApiFullAccess",
"GameApiReadWrite",
"GameApiReadOnly",
"GameApi",
"offline_access"
],
"claims_supported": [
"subscription_level",
"experience",
"role",
"address",
"phone_number",
"phone_number_verified",
"email",
"email_verified",
"family_name",
"given_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"name",
"birthdate",
"locale",
"updated_at",
"zoneinfo",
"sub"
],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported": [
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"subject_types_supported": [
"public"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"request_parameter_supported": true
}

Finally I had cached the error
The error is produced if...
builder.UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking) for ConfigurationDbContext
So the desired option for Identity Server dbContext is QueryTrackingBehavior.TrackAll
BR

For me, I had created a new client and there was a missing configuration in
configuration.ClientGrantTypes table.
So I inserted a new ClientGrantType:
INSERT INTO configuration.ClientGrantTypes (GrantType, ClientId) VALUES ('authorization_code', YOURCLIENTID)

How to get access token for google analytics pageviews access our website

I am getting google analytics "pageviews" our website but I have faced a small issue. Access token has expired. How can I generate a new access token for google analytics pageviews?
This is my API URL.
{
"kind": "analytics#gaData",
"id": "https://www.googleapis.com/analytics/v3/data/ga?ids=ga:xxxxx&metrics=ga:pageviews&start-date=2018-02-01&end-date=2018-02-01",
"query": {
"start-date": "2018-02-01",
"end-date": "2018-02-01",
"ids": "ga:xxxxx",
"metrics": [
"ga:pageviews"
],
"start-index": 1,
"max-results": 1000
},
"itemsPerPage": 1000,
"totalResults": 1,
"selfLink": "https://www.googleapis.com/analytics/v3/data/ga?ids=ga:xxxxx&metrics=ga:pageviews&start-date=2018-02-01&end-date=2018-02-01",
"profileInfo": {
"profileId": "123456789",
"accountId": "123457854",
"webPropertyId": "Tracking id",
"internalWebPropertyId": "168908645",
"profileName": "All Web Site Data",
"tableId": "ga:xxxxx"
},
"containsSampledData": false,
"columnHeaders": [
{
"name": "ga:pageviews",
"columnType": "METRIC",
"dataType": "INTEGER"
}
],
"totalsForAllResults": {
"ga:pageviews": "18"
},
"rows": [
[
"18"
]
]
}

-Using this API URL and Redirect URL is required.Go to Google API credential.
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/analytics.readonly&include_granted_scopes=true&redirect_uri=http://localhost:52616/home&response_type=token&client_id=xxxxxxxx-dsnsdngngdllsdglmlsdmg.apps.googleusercontent.com

Create an access token using VSTS service endpoint by passing Username and Password as input

I am trying to generate access token via VSTS service endpoint by passing username and password as parameters.
The token is being generated via Azure AD.
I have written an c# method to create the token and the token is being generated successfully,whereas i am not sure how to call the c# method(dll) from the vsts extension file(vss-extension.json) so the token gets generated when i enter my username and password in the custom service endpoint connection.
Here is the vss-extension.json and the VSTS custom endpoint picture for creating custom service endpoint.
I dont know where exactly and what exactly to add here which will call my C#(.dll) file .
Is there any other approach for creating a token if possible kindly suggest.
"authenticationSchemes": [
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-token",
"headers": [{
"name": "Authorization",
"value": "{{ endpoint.apitoken }}"
}],
"inputDescriptors": [{
"id": "apitoken",
"name": "API Key",
"description": "API key for connection",
"inputMode": "textbox",
"isConfidential": false,
"validation": {
"isRequired": true,
"dataType": "string"
}
}]
},
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-basic",
"inputDescriptors": [
{
"id": "username",
"name": "Username",
"description": "Username",
"inputMode": "textbox",
"validation": {
"isRequired": false,
"dataType": "string"
}
},
{
"id": "password",
"name": "Password",
"description": "Password",
"inputMode": "passwordbox",
"isConfidential": true,
"validation": {
"isRequired": false,
"dataType": "string"
}
}
]
}
],

Categories

Resources