I am trying to validate using these parameters:
string body = "openid.mode=check_authentication"
    + "&openid.assoc_handle=" + txtAssocHandle.Text
    + "&openid.response_nonce=" + HttpUtility.UrlEncode(txtNonce.Text)
    + "&openid.op_endpoint=" + txtEndpoint.Text
    + "&openid.sig=" + txtSignature.Text
    + "&openid.signed=mode,identity,return_to";
and it returns
is_valid:false
ns:http://specs.openid.net/auth/2.0
What am I doing wrong here?
The txt fields are being filled with the login response values.
Your openid.signed argument needs to be exactly what the OP sent to your RP rather than this incomplete hard-coded list of 3 parameters, for one thing. All your arguments should be URL encoded as well, not just your nonce.
There is a lot more to validating an OpenID token than just sending it back to the OP using "dumb mode". What are you trying to do?
Have you considered using an OpenID library? Seriously, getting OpenID right (meaning secure, and interoperable) is a big job. Way bigger than assembling just the right query string. :)
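As an added example (not code from the question or the answers above), here is how a relying party can assemble the check_authentication request the answer describes: every openid.* field of the positive assertion is copied back, only openid.mode is replaced, every name and value is URL-encoded, and openid.signed is sent exactly as received. The sample assertion values, the class and method names, and the small key-value response parser are constructed for this example.

```csharp
using System;
using System.Collections.Specialized;
using System.Text;
using System.Web; // HttpUtility lives in System.Web; add that reference to the project

public static class OpenIdCheckAuth
{
    // Builds the body of a check_authentication request from the positive assertion
    // the OP sent. Everything the OP sent is copied back; only openid.mode changes.
    public static string BuildCheckAuthenticationBody(NameValueCollection assertion)
    {
        string signed = assertion["openid.signed"];
        if (string.IsNullOrEmpty(signed))
            throw new ArgumentException("assertion carries no openid.signed field");

        // Every field named in openid.signed must be present, otherwise the OP cannot
        // recompute the signature and will answer is_valid:false.
        foreach (string field in signed.Split(','))
        {
            if (assertion["openid." + field] == null)
                throw new ArgumentException("signed field missing from assertion: openid." + field);
        }

        var body = new StringBuilder();
        foreach (string key in assertion.AllKeys)
        {
            if (!key.StartsWith("openid.", StringComparison.Ordinal)) continue; // ignore unrelated query parameters
            string value = key == "openid.mode" ? "check_authentication" : assertion[key];
            if (body.Length > 0) body.Append('&');
            // Encode both halves: nonces, endpoints and signatures all contain characters
            // that are not safe in a query string.
            body.Append(HttpUtility.UrlEncode(key)).Append('=').Append(HttpUtility.UrlEncode(value));
        }
        return body.ToString();
    }

    // Parses the OP's key-value form reply ("ns:...\nis_valid:true\n") and returns is_valid.
    public static bool ParseIsValid(string keyValueForm)
    {
        foreach (string line in keyValueForm.Split('\n'))
        {
            int colon = line.IndexOf(':');
            if (colon > 0 && line.Substring(0, colon) == "is_valid")
                return line.Substring(colon + 1).Trim() == "true";
        }
        return false; // no is_valid line at all: treat the assertion as invalid
    }

    public static void Main()
    {
        // Constructed sample assertion; real values come from the OP's redirect to the RP.
        var assertion = new NameValueCollection
        {
            { "openid.ns", "http://specs.openid.net/auth/2.0" },
            { "openid.mode", "id_res" },
            { "openid.op_endpoint", "https://op.example/server" },
            { "openid.return_to", "https://rp.example/login" },
            { "openid.response_nonce", "2013-08-01T12:00:00Zabc123" },
            { "openid.assoc_handle", "HANDLE-PLACEHOLDER" },
            { "openid.identity", "https://op.example/user" },
            { "openid.signed", "op_endpoint,return_to,response_nonce,assoc_handle,identity" },
            { "openid.sig", "SIGNATURE-PLACEHOLDER=" },
        };
        Console.WriteLine(BuildCheckAuthenticationBody(assertion));
        Console.WriteLine(ParseIsValid("ns:http://specs.openid.net/auth/2.0\nis_valid:true\n")); // True
    }
}
```

The body is POSTed to the OP endpoint named in openid.op_endpoint; a missing signed field or a hand-typed signed list is rejected before anything is sent, which is the failure the question is hitting.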
Related
I have a client that connects to an ASP.NET Web API 2 back end, using Identity and OAuth2 for authentication.
In the authentication process, whenever the password field contains a '+' character, the server just ignores this character!!! (And most other symbol characters mentioned in the test below.)
string data = "grant_type=password&username=" + username + "&password=" + password;
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(data);
data.PostToUrl(); // this is just pseudocode for the POST
In Server Debug:
Sent Data : password=test+1
Received Data : password=test 1
test2
Sent Data : "+_)(&^%$##!~"
Received Data :" _)("
Thanks.
What is the issue? In an HTTP URL a + is equivalent to a space. In fact %20 can also be used.
When sending data in a query always use UrlEncode; as in
var q = string.Format("grant_type=password&username={0}&password={1}",
HttpUtility.UrlEncode(username),
HttpUtility.UrlEncode(password));
HttpServerUtility.UrlEncode
This will help solve the problem with special characters such as + and #.
To use it you'll need to add a reference to System.Web (Project Explorer > References > Add reference > System.Web)
Once you've done that you can use it to encode any items you wish
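As an added example (not code from the question or either answer), the following puts the question's raw concatenation next to the encoded form the answers recommend and runs both through the same form decoding a token endpoint applies, so the loss of "+" and everything after "&" is visible without a server. The class and method names are my own; the password value is the second test string from the question.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility; reference System.Web

public static class FormEncodingDemo
{
    // The body the question builds: raw concatenation, nothing encoded.
    public static string NaiveBody(string username, string password)
    {
        return "grant_type=password&username=" + username + "&password=" + password;
    }

    // The body the answer recommends: every value URL-encoded before it is concatenated.
    public static string EncodedBody(string username, string password)
    {
        return string.Format("grant_type=password&username={0}&password={1}",
            HttpUtility.UrlEncode(username),
            HttpUtility.UrlEncode(password));
    }

    // Mimics the server side: standard form decoding of the body, as the token endpoint does.
    public static string PasswordSeenByServer(string body)
    {
        NameValueCollection fields = HttpUtility.ParseQueryString(body);
        return fields["password"];
    }

    public static void Main()
    {
        string password = "+_)(&^%$##!~"; // the second test value from the question

        // '+' decodes to a space and '&' terminates the value, so the server sees " _)("
        Console.WriteLine("naive:   [" + PasswordSeenByServer(NaiveBody("user", password)) + "]");

        // After encoding, the round trip preserves every character
        string roundTripped = PasswordSeenByServer(EncodedBody("user", password));
        Console.WriteLine("encoded: [" + roundTripped + "] intact=" + (roundTripped == password));
    }
}
```

The same rule applies to the username: any field that can carry user-chosen text must be encoded individually, not the assembled string as a whole.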
Does anyone know if there is a way to capture the search phrase used to get to your site? Do the search engines forward that information in any header values?
I have looked through all of the Request.ServerVariables and have not been able to find anything to do with the origin of the user (other than HTTP_REFERER).
I can see some anonymous information in Google Analytics but I am wanting to bind this information to user records upon account creation.
Any help is appreciated.
Yes - UrlReferrer is where you would have to look. But as google search (by default) runs via https it will not send any Url Referrer. So you are out of luck here - sorry (or maybe good for the users ;-) ).
If you get visited by http you could try some fancy approach like:
http://www.codeproject.com/Tips/127681/Get-search-key-word-from-the-referrer-url
If the page before loading your page was the search engine, you can use UrlReferrer to get it and then maybe parse it to get the values
Uri MyUrl = Request.UrlReferrer; // null when the browser sent no Referer header (e.g. arriving from an HTTPS page)
if (MyUrl != null)
{
    Response.Write("Referrer URL Port: " + Server.HtmlEncode(MyUrl.Port.ToString()) + "<br>");
    Response.Write("Referrer URL Protocol: " + Server.HtmlEncode(MyUrl.Scheme) + "<br>");
}
Hope it helps
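As an added example (not code from the answers above), here is the parsing step the second answer leaves to the reader: pull the search phrase out of a referrer URL, returning null when no referrer was sent at all, which is the normal case for HTTPS result pages as the first answer notes. The parameter names checked, the class and method names and the sample URLs are my own assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility; reference System.Web

public static class ReferrerSearchTerm
{
    // Query parameter names that carry the search phrase. "q" is what Google and Bing use,
    // "p" is Yahoo's. This list is an assumption for the example; extend it as needed.
    private static readonly string[] PhraseParameters = { "q", "p" };

    // Returns the search phrase from the referring URL, or null when there is no referrer
    // (HTTPS result pages send none) or the referrer carries no phrase.
    public static string Extract(Uri referrer)
    {
        if (referrer == null) return null;
        if (referrer.Scheme != Uri.UriSchemeHttp && referrer.Scheme != Uri.UriSchemeHttps) return null;

        NameValueCollection query = HttpUtility.ParseQueryString(referrer.Query);
        foreach (string name in PhraseParameters)
        {
            string value = query[name];
            if (!string.IsNullOrWhiteSpace(value))
                return value.Trim(); // still untrusted input: HtmlEncode before rendering, as the answer's snippet does
        }
        return null;
    }

    public static void Main()
    {
        // Constructed referrers; in a page you would pass Request.UrlReferrer.
        Console.WriteLine(Extract(new Uri("http://www.google.com/search?q=openid+check+authentication&hl=en"))); // openid check authentication
        Console.WriteLine(Extract(new Uri("http://www.google.com/")) ?? "(no phrase)");
        Console.WriteLine(Extract(null) ?? "(no referrer)");
    }
}
```

Whatever comes back is attacker-controllable text from a request header, so it should be stored and displayed with the same care as any other form input.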
I'm making a call to facebook's api to get an oauth token. The process seems to work but the call back url is returned like this
http://localhost:52574/FacebookApi/AuthorizeCallback#access_token=CODE&expires_in=6953
I would expect the #access_token parameter to be returned as a standard query string parameter not a hash. Can anyone see what I'm doing wrong? Here is the code I'm using to generate the call back uri.
public static Uri GetAuthorizationUri(string appId, string appSecret, string callBackUrl)
{
    // appSecret is deliberately unused here: it must never appear in a browser-facing URL.
    return new Uri("https://www.facebook.com/dialog/oauth?" +
        "client_id=" + HttpUtility.UrlEncode(appId) +
        "&redirect_uri=" + HttpUtility.UrlEncode(callBackUrl) + // the callback URL contains ':' and '/'
        "&scope=" + HttpUtility.UrlEncode("publish_actions,publish_stream,create_event") +
        "&response_type=token"); // token: the result arrives in the URL fragment, not the query string
}
I'm pretty sure that in that login flow it's expected to be a fragment to prevent leaking the access token to third party sites - it's also documented as such in the documentation for the response_type parameter:
token. Response data is included as a URL fragment and contains an access token. Desktop apps must use this setting for response_type. This is most useful when the client will be handling the token.
Changing to &response_type=code correctly returns a code that can then be exchanged for a token.
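As an added example (not code from the question or the answer), the following makes the answer's point concrete: the fragment of a redirect URL is kept by the browser and never reaches the server, while a query parameter does. It also shows the authorization URI for the code flow with the values properly encoded and without the app secret. The class and method names, the scope value and the code-flow callback are constructed for the example.

```csharp
using System;
using System.Web; // HttpUtility; reference System.Web

public static class OAuthCallbackDemo
{
    // Authorization URI for the server-side flow (response_type=code). The app secret is
    // deliberately not a parameter: it belongs only in the later server-to-server exchange.
    public static Uri GetCodeFlowAuthorizationUri(string appId, string callBackUrl, string scope)
    {
        return new Uri("https://www.facebook.com/dialog/oauth"
            + "?client_id=" + HttpUtility.UrlEncode(appId)
            + "&redirect_uri=" + HttpUtility.UrlEncode(callBackUrl)
            + "&scope=" + HttpUtility.UrlEncode(scope)
            + "&response_type=code");
    }

    // What the server actually receives when the browser follows the redirect: path and query only.
    public static string ServerVisiblePart(Uri redirect)
    {
        return redirect.PathAndQuery;
    }

    // A parameter delivered in the query string (sent to the server).
    public static string QueryParameter(Uri redirect, string name)
    {
        return HttpUtility.ParseQueryString(redirect.Query)[name];
    }

    // A parameter delivered in the fragment (kept by the browser, never sent over the wire).
    public static string FragmentParameter(Uri redirect, string name)
    {
        return HttpUtility.ParseQueryString(redirect.Fragment.TrimStart('#'))[name];
    }

    public static void Main()
    {
        // The redirect from the question (token flow): the token sits in the fragment.
        var tokenRedirect = new Uri("http://localhost:52574/FacebookApi/AuthorizeCallback#access_token=CODE&expires_in=6953");
        Console.WriteLine(ServerVisiblePart(tokenRedirect));                        // /FacebookApi/AuthorizeCallback
        Console.WriteLine(QueryParameter(tokenRedirect, "access_token") ?? "(null)"); // (null): the server never sees it
        Console.WriteLine(FragmentParameter(tokenRedirect, "access_token"));         // CODE

        // Constructed redirect for the code flow: the code arrives as a normal query parameter.
        var codeRedirect = new Uri("http://localhost:52574/FacebookApi/AuthorizeCallback?code=CODE-PLACEHOLDER");
        Console.WriteLine(QueryParameter(codeRedirect, "code"));                      // CODE-PLACEHOLDER
        Console.WriteLine(GetCodeFlowAuthorizationUri("APP-ID-PLACEHOLDER",
            "http://localhost:52574/FacebookApi/AuthorizeCallback", "publish_actions"));
    }
}
```

A server-side handler that reads the token out of Request.QueryString in the token flow will therefore always see nothing, which is exactly the symptom in the question; the code flow is the one whose result the server can read.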
I am making a launcher for Minecraft. 1.6.2 changed a lot, so the way you login is different. If any of you have any knowledge of logging into minecraft using C#, I would appreciate it.
wClient.DownloadString("http://login.minecraft.net/?user=" + strUsername + "&password=" + strPassword + "&version=13");
I believe this used to be a valid way of doing it, but I am not quite sure anymore. Help is appreciated, thanks.
In reply to TheUnrealMegashark's comments to Rhys Towey's answer: I have been working really hard to get it to launch, but it's throwing me off a bit. The very next update will include a 1.6 fix. Just got to figure it out.
The proper answer to your question is that the web link that fetches the Session is still currently in use. Nothing new there.
Beware! You must know that your
"http://login.minecraft.net/?user=" + strUsername + "&password=" +
strPassword + "&version=13"
is unsafe. It sends the user's password over the internet in plain text; it can be subject to "Man in the Middle" attacks.
One of the proper ways to encrypt the connection is to use HTTPS with POST. Using POST, I avoid sending all of the data in the request URL and send the data through POST. Using HTTPS, I encrypt any data sent after the request URL returns. HTTPS makes POST encrypted, thus removing "Man in the Middle" attacks.
You can use GET with HTTPS and it will still be secure (from what I have read). But it is considered an unsafe practice. Although it is safe in all accounts between your computer and the connected device, anywhere else it might be seen and be subject to a "Man behind you" attack. What I mean is that when you send this URL, it is possible for your computer to record the URL in some sort of history, or display it in an address bar in plain text. Although, since you're not making a web browser and the URL is not displayed, this could possibly all be forgotten.
But if it were me, I would still play it safe and just use the safer strategy.
To use HTTPS with POST:
Here is a sample of code I use in my "AtomLauncher." This code will send the POST data to the URL and return a string. Go to http://www.minecraftwiki.net/wiki/Minecraft.net to get more info on the string that is returned.
string mcURLData = "Error";
using (WebClient client = new WebClient()) // Get data from Minecraft with username and password
{
    // This is a text control for my program; ignore this commented line if you wish.
    // this.Invoke(new MethodInvoker(delegate { homeLabelTop.Text = "Connecting to Minecraft.net..."; }));
    try
    {
        // Form fields; UploadValues URL-encodes each name and value itself
        System.Collections.Specialized.NameValueCollection urlData = new System.Collections.Specialized.NameValueCollection();
        urlData.Add("user", "UserName");
        urlData.Add("password", "MYPa22w0rd");
        urlData.Add("version", "13");
        // POST over HTTPS: the credentials travel in the encrypted body, not in the URL
        byte[] responsebytes = client.UploadValues("https://login.minecraft.net", "POST", urlData);
        mcURLData = System.Text.Encoding.UTF8.GetString(responsebytes);
    }
    catch
    {
        if (!System.Net.NetworkInformation.NetworkInterface.GetIsNetworkAvailable())
        {
            mcURLData = "Internet Disconnected.";
        }
        else
        {
            mcURLData = "Can't connect to login.minecraft.net.";
        }
    }
}
To use HTTPS with GET, just change the http in your code to https.
In other news.
I have fixed my code. Feel free (when it's uploaded) to use it.
For your information, you need to know that when 1.6.X launches it creates a natives folder which it starts using immediately. What I have done to fix this was to run 1.6.2, copy the natives folder it created and remove the number.
Created "version/1.6.2/1.6.2-natives-###"
Copied it to "version/1.6.2/1.6.2.natives"
Point my program to "natives" folder I created.
What I'll end up doing in the future is automatically checking for the natives folder and if it doesn't exist, I'll have it download natives from the internet.
(I would love to know where Minecraft is getting its current natives so I can essentially do the same thing. Unless what it does is download it from the internet every time it launches. If true, that's kind of ugly, seeing as I have bandwidth usage limits.)
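As an added example (not code from the answer above or from AtomLauncher), this takes the answer's "HTTPS with POST" advice one step further: the credentials are placed in an encoded form body, and the request is refused outright unless the endpoint is HTTPS, so a mistyped http:// URL cannot silently send a password in the clear. It uses HttpClient from .NET 4.5; the class and method names and the placeholder endpoint are my own, and no live login server is contacted by the sample Main.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http; // System.Net.Http assembly, .NET 4.5 or later
using System.Threading.Tasks;

public static class SecureLoginPost
{
    // Hard gate: credentials are only ever sent over an encrypted connection.
    public static void RequireHttps(Uri endpoint)
    {
        if (!string.Equals(endpoint.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("refusing to send credentials over " + endpoint.Scheme);
    }

    // Form body for the POST. FormUrlEncodedContent encodes every value, so a '+' or '&'
    // in a password survives, and nothing secret ends up in the URL or in any URL history.
    public static FormUrlEncodedContent BuildBody(string user, string password, string version)
    {
        return new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("user", user),
            new KeyValuePair<string, string>("password", password),
            new KeyValuePair<string, string>("version", version),
        });
    }

    public static async Task<string> LoginAsync(HttpClient client, Uri endpoint, string user, string password)
    {
        RequireHttps(endpoint);
        using (HttpResponseMessage response = await client.PostAsync(endpoint, BuildBody(user, password, "13")))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    public static void Main()
    {
        // Offline checks only; the endpoint below is a placeholder, not a live login server.
        try { RequireHttps(new Uri("http://login.example/")); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); } // refusing to send credentials over http

        string body = BuildBody("UserName", "MYPa22w0rd+1", "13").ReadAsStringAsync().Result;
        Console.WriteLine(body); // user=UserName&password=MYPa22w0rd%2B1&version=13
    }
}
```

Whether the server side accepts a POST body in this shape is a property of the service, not of this code; the point here is that the scheme check and the body encoding are decided in one place rather than wherever the URL happens to be typed.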
I have searched everywhere and I cannot find out how to pass my API key in with my request. I am set up to run from a specific IP address. I keep hitting my limit though. I think I am also hitting my time limits. I will introduce a sleep in my code. Otherwise, is there anything else I can check? I am using the distance matrix with JSON output. I have turned on Google Maps API V3. I have a key and have a project. It seems like the service is still treating me like a free customer.
string url = "http://maps.googleapis.com/maps/api/distancematrix/json?origins=" +
origin + "&destinations=" + sDestination + "&mode=driving&language=en-EN&sensor=false&units=imperial";
I have also tried two more approaches with my key and I get a denied request from both of them.
string url = "http://maps.googleapis.com/maps/api/distancematrix/json?origins=" +
origin + "&destinations=" + sDestination + "&key=mykey&mode=driving&language=en-EN&sensor=false&units=imperial";
and
string url = "http://maps.googleapis.com/maps/api/distancematrix/json?origins=" +
origin + "&destinations=" + sDestination + "&key={mykey}&mode=driving&language=en-EN&sensor=false&units=imperial";
I was not sure if the curly braces were required or not. Both of the latter lines of code result in request denials.
Looks to me like you just pass the key right in the URL, at least for the regular maps API. Take a look at the "Hello World" example in the documentation. It might work the same for the distance matrix. Have you tried it that way?
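As an added example (not code from the question or the answer), here is the request built the way the answer suggests, with the key as a plain query parameter (no braces) on an HTTPS URL and the place names encoded, plus the check on the reply's status field that decides whether the sleep the question mentions is the right reaction. The status values OVER_QUERY_LIMIT, REQUEST_DENIED and OK are the documented Distance Matrix statuses; the class and method names and the sample JSON replies are constructed for this example, and nothing is sent over the network.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Web;                      // HttpUtility; reference System.Web
using System.Web.Script.Serialization; // JavaScriptSerializer; reference System.Web.Extensions

public static class DistanceMatrixRequest
{
    // The key is an ordinary query parameter (no braces) on an HTTPS URL, and every
    // user-supplied value is URL-encoded, since place names contain spaces and commas.
    public static string BuildUrl(string apiKey, string origins, string destinations)
    {
        return "https://maps.googleapis.com/maps/api/distancematrix/json"
            + "?origins=" + HttpUtility.UrlEncode(origins)
            + "&destinations=" + HttpUtility.UrlEncode(destinations)
            + "&mode=driving&language=en-EN&sensor=false&units=imperial"
            + "&key=" + HttpUtility.UrlEncode(apiKey);
    }

    // Top-level "status" of the JSON reply, or null if it is missing.
    public static string ResponseStatus(string json)
    {
        var data = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
        object status;
        if (data == null || !data.TryGetValue("status", out status)) return null;
        return status as string;
    }

    // OVER_QUERY_LIMIT means slow down and retry; REQUEST_DENIED means the key or the
    // allowed-IP settings are wrong and retrying will not help.
    public static bool ShouldRetryAfterPause(string status)
    {
        return status == "OVER_QUERY_LIMIT";
    }

    public static void Main()
    {
        Console.WriteLine(BuildUrl("API-KEY-PLACEHOLDER", "Seattle, WA", "Portland, OR"));

        // Constructed replies, shaped like the service's JSON; no network call is made here.
        string[] replies =
        {
            "{\"status\":\"OVER_QUERY_LIMIT\",\"rows\":[]}",
            "{\"status\":\"REQUEST_DENIED\",\"rows\":[]}",
            "{\"status\":\"OK\",\"rows\":[]}",
        };
        foreach (string reply in replies)
        {
            string status = ResponseStatus(reply);
            Console.WriteLine(status + " -> retry after pause: " + ShouldRetryAfterPause(status));
            if (ShouldRetryAfterPause(status)) Thread.Sleep(1000); // the back-off the question mentions
        }
    }
}
```

Separating the two statuses matters for the question's symptoms: a REQUEST_DENIED reply with the key present points at the key or its IP restriction, and sleeping and retrying only burns more quota.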