Web API 2 authorized not working as expected - cookies

I'm experiencing the same issue as the one mentioned here, for which there was no conclusive answer: Asp.Net Owin authorized request works in Incognito mode but not "normal" Chrome
I am unable to comment on that question as I do not have the reputation to allow but was going to ask whether it is something to do with the fact that my project includes both Web Forms and Web API and there is a conflict going on with the authorization cookie.
Has anyone else come across this issue?
Thanks

For the benefit of anyone else with the same issue:
It was indeed due to forms authentication being enabled at the same time as OWIN bearer tokens.
If you are logged in via forms authentication, then try to call a web api end-point in the same browser, it uses the cookie information which gets recognized by Web Api authorization.
In incognito, there is no such cookie so behaves as expected.

Related

Tapkey Web API - Problem when Registering OAuth clients [Tapkey]

I am trying to register OAuth client, following the docs, but none of the links containing /developers in the path are working for me. I am either getting redirected to the https://my.tapkey.com/AdminUI/ and infinite load, until i refresh the page, or getting status code 502 Bad Gateway.
The ones I am having problems with are:
https://my.tapkey.com/AdminUI/developers/oauth-clients
https://my.tapkey.com/AdminUI/developers/identity-providers.
I tried on different OS's, using proxy, but nothing worked for me.
I am trying to register OAuth client, and explore more of the TapKey web api, but this one is a blocker for me.
You caught us here - we have changed the website a bit, and updated documentation is on its way but not yet published. We are working on it right now.
Developer section has moved to Tapkey Integrator Portal available on https://portal.tapkey.io .
Use the same login credentials you are using with Tapkey.

Unable to set cookie on Safari (Works on Chrome)

Hi I have been creating my first MERN stack web application and deployed frontend and backend on separate domains.
Frontend (netlify) : example.netlify.app
Backend (heroku) : example.herokuapp.com
Github (this is my repository, just in case) : https://github.com/dbwjd5864/YumPlan
So getting cookies from Backend and storing in order to request another api calls with cookies worked fine with Chrome (I haven't tried yet with Firefox but I believe it works as well)
However, when I tested it with Safari, I can see cookies on response but it was not stored for later request, so I couldn't get authorized. However, when I uncheck Prevent cross-site tracking under Safari preferences, I could get cookies for the later API calls.
I guess this is a cors issue which came from Safari property. I spent so much time to find a way to solve it but I couldn't. Is there any way to make it possible for Safari users to get login and set token on different domains?
Or Should I just use the same domain, for example, I deploy the frontend and backend on Heroku together to use the same domain?
I really appreciate any help you can provide.

How to authenticate with third party system using RestAssured

I'm trying to hit a web service using RestAssured. I'm struggling with authentication which is actually performed by a third party system. Details are given below:
My web service requires session ID & Cookie in the request header. Otherwise the service call will be failed.
For that I need to fetch Session Id & Cookie after the authentication.
Authentication is done by third party service and it takes the windows credentials for authentication.
When I launch my app URL on browser, say: 'XYZ.com/dim' it will be redirected to authentication service using a URL like:
http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim
After the authentication it will again be redirected to actual application back.
I tried below code but it says: "401 - Unauthorized: Access is denied due to invalid credentials." even though my credentials are correct.
RestAssured.given().auth().basic("userID", "password").get("http://hantweb.DOMAIN.com/authenticate/encdefault.asp?location=XYZ.com/dim")
I'm confused no idea what I've missed here..
I did some trial and error and finally understood that I need to use .auth().ntlm(userId, password,"","") as the authentication. Here I'm using windows credentials as basic or any other auth type won't work in this case.
This answer can help someone in need.

Cannot retrieve image in browser when using OAuth token and Jira

I am building a frontend client for Jira and am running into some conflicting authentication methods I think.
I have setup the OAuth2 authentication method for logging in and hitting the Jira API. I have a button on a login page that redirects to Jira, you log in, hit "allow" and are redirected to my app. This step completes fine, I have a token and a secret and can make api calls just fine.
Next, I make an api call to get the user data, which returns fine. One of the pieces of data is a set of avatar urls. I put one of the urls into my site's markup. Here is where the problem begins.
If my browser session that I used to login is still active, I get an avatar. BUT if not, I get an "anonymous" avatar from Jira.
All the while, my OAuth token/api calls all seem to return fine.
This makes sense as Jira is using cookie based auth and I am not. So if that cookie dies in my browser, the call to the image will fail.
My ultimate question is how to handle this? Is this my responsibility to put an expiration on the token? What happens if they select "Stay logged in"? I don't think I get that knowledge on the OAuth side.
I kind of feel like I am missing something but I cannot figure out what. This seems like a problem that has been fixed or isn't even really a problem.
One solution would be just to switch to a cookie based authentication but OAuth seems more secure.
I've also tried directly hitting it from my server but that also yields an anon avatar. As does a curl with the access token. Maybe I didn't provide it in the correct way?
Any thoughts or ideas on this would be greatly appreciated. Thanks in advance.

Facebook auth setup

How can I setup PAW to work with Facebook locally for development? Or even at all for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field? Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL textfield?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint 500's by saying "This authorization code has been used." The code that it's getting returned is definitely different each time I Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from fb's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fix this exact issue in Paw 2.2.2, which is already released on our website, and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue). Thanks for reporting.