xamarin / Xamarin.Auth

Xamarin.Auth
Apache License 2.0

Oauth2 with Authorization Code Grant not working #261

Open antosubash opened 6 years ago

antosubash commented 6 years ago

OAuth2 Authorization Code Grant flow not working

With parameters:

is not working as expected. After the authorization is successful, redirectUrl is triggered instead of the accesstokenUrl.

Version

Steps to reproduce

  1. Update Xamarin.Forms, Xamarin.auth to the versions above
  2. Create an Auth client

         OAuth2Authenticator authenticator = new OAuth2Authenticator(
                  clientId,
                  clientSecret,
                  Scope,
                  new Uri(AuthorizeUrl),
                  new Uri(redirectUri),
                  new Uri(AccessTokenUrl),
                  null,              // getUsernameAsync
                  isUsingNativeUI);

         // Subscribe to the result events before presenting the login UI
         authenticator.Completed += OnAuthCompleted;
         authenticator.Error += OnAuthError;

         var presenter = new OAuthLoginPresenter();
         presenter.Login(authenticator);

  3. After Authorize, the access token URL is not triggered. Instead, the redirect URL is triggered

Expected behaviour

https://oauth2.thephpleague.com/authorization-server/auth-code-grant/

Actual behaviour

screenshot_1516621895

VS bug #733076, VS bug #946864

moljac commented 6 years ago

Are you using NativeUI?

If yes, what is redirect_url?

antosubash commented 6 years ago

Yes, I'm using Native UI. redirect_url is https://landsense.eu/birdlifeapp which is a custom URL for getting back to the app.

moljac commented 6 years ago

> Yes, I'm using Native UI. redirect_url is https://landsense.eu/birdlifeapp which is a custom URL for getting back to the app.

With http or https scheme you will never be able to return to the app. System Browser will always handle those schemes.

yasmanillanes commented 6 years ago

This is because in the OAuth2Authenticator class we are calling Uri.AbsoluteUri to set the "redirect_uri" parameter for the access token HTTP request. This adds a trailing slash to the redirect URI that many providers reject because it doesn't exactly match the redirect URI passed in the authorize HTTP request step of the process. We should be using Uri.OriginalString instead.

pme442 commented 6 years ago

I think I am having the same issue. After days of research, I keep coming back to this post.
I am trying to implement authentication via Microsoft in a Xamarin Forms PCL app. Using NativeUI. The redirecturl is {clientid}//:oauth2redirect. I'm trying to get this working for UWP. In the UWP app.xaml.cs code, in the OnActivated() function, I am calling AuthenticationState.Authenticator.OnPageLoading(new Uri(Uri.AbsoluteUri)); where the Uri.AbsoluteUri happens to be the redirecturl with the authorization code.
What is happening is that I immediately get an "invalid_client" error. I am not sure if this error is because I am calling OnPageLoading() and I shouldn't be. But if I don't do it, I can't redirect back to my app (so the screen just goes blank). (In my experience, I have implemented the oauth functionality in other non-Xamarin apps by using a webview where I get the auth code, then use it to request the access token.) I guess I don't understand exactly when the call to request the access token happens. Does Xamarin.Auth do that for me? Or do I need to call it manually?

antosubash commented 6 years ago

> I guess I don't understand exactly when the call to request the access token happens. Does Xamarin.Auth do that for me? Or do I need to call it manually?

I have the same question. I made it work by creating the request for access token manually in the IntentFilter.

pme442 commented 6 years ago

I figured out my problem.
First of all, I found that Xamarin.Auth does take care of requesting the access token so I don't have to do it manually. I got past the "invalid_client" error by adding a "/" to the end of my redirecturl. (Note: I did this in two places: (1) the app settings in Azure AD, and (2) where I define the redirecturl string in the app code.) Then, I started getting an "invalid_resource" error. I found that this is because the OAuth2Authenticator.RequestAccessTokenAsync() method is not adding the "resource" parameter (which should be set to the clientid) when making the call to request the access token. My workaround: Since RequestAccessTokenAsync() cannot be overridden directly, I created a new class to inherit OAuth2Authenticator. In there, I did two things:
(1) created a new method called CustomRequestAccessTokenAsync(), which is just a copy of the original RequestAccessTokenAsync(), and modified to add the resource parameter. (2) override OnRedirectPageLoaded() and modified to call my CustomRequestAccessTokenAsync(). Now, I am able to authenticate successfully.

jonasrembratt commented 6 years ago

@yasmanillanes: Thanks for the heads-up (on why the redirect_uri is being trailed with a '/'). Any release plan for a fix?

newky2k commented 6 years ago

@pme442 can you please try this with the latest version.

pme442 commented 6 years ago

I tried it with the latest version and it won't launch the presenter, I get the "invalid authenticator" error because of my subclassed OAuth2Authenticator (#280).
If I remove my subclass and use the OAuth2Authenticator directly, it's not even hitting the UWP OnActivated() function.

newky2k commented 6 years ago

@pme442 thanks for coming back to me, I'll assign it to @moljac

pme442 commented 5 years ago

Update: I got past the problem of it not hitting the UWP OnActivated() function -- I didn't realize that I had 2 instances of the app installed on my PC (one must have been corrupted or something). I uninstalled both and rebuilt/re-deployed and now it is hitting it and working as expected. So, the result is that I am back to the "invalid_resource" error. Which means that I DO need my custom authenticator (what I mentioned above, on 2/19/18) -- but by using it, I run into the "invalid authenticator" error.

moljac commented 5 years ago

This is not a custom scheme, so adding an implementation for this will not be trivial.

Triaging it as "Low Priority".

In order to speed up the bugfixing, add a link to the repo with a minimal sample (with sensitive data removed).

dendle commented 5 years ago

I think a potential cause for some people is that the client is not authenticating itself to the token endpoint when exchanging the code for a token. It's meant to use HTTP Basic auth with the clientID as the username, and the clientSecret as the password (if a client secret is specified). As of the latest version, Xamarin.Auth does not do this.

Specifically, here: https://github.com/xamarin/Xamarin.Auth/blob/c75c312bd9a7eb7099a315fd76e6c2b6b1d668fc/source/Core/Xamarin.Auth.Common.LinkSource/OAuth2Authenticator.cs#L845

We are only passing the client ID in the URL, but the client also needs to authenticate itself, using HTTP Basic auth, in the subsequently called "RequestAccessTokenAsync".

I'll see if I can get this working and create a PR if it does.
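The two points raised in this thread (the redirect_uri in the token request must match the one sent in the authorize step, and a client with a secret authenticates to the token endpoint with HTTP Basic), shown together as an added C# example that is not Xamarin.Auth's code. The class name `TokenRequestExample`, the method `Build`, the `myapp://oauth2redirect` redirect, the `idp.example` endpoint and the credentials are constructed placeholders; the request is built and printed, not sent.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

static class TokenRequestExample // hypothetical name, not part of Xamarin.Auth
{
    // Builds the authorization-code exchange (RFC 6749 section 4.1.3) without sending it.
    public static HttpRequestMessage Build(Uri tokenUrl, Uri redirectUri,
        string clientId, string clientSecret, string code)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            // OriginalString is the text the Uri was constructed from, i.e. the
            // value registered with the provider; AbsoluteUri is the normalized form.
            ["redirect_uri"] = redirectUri.OriginalString,
        };
        var request = new HttpRequestMessage(HttpMethod.Post, tokenUrl);
        if (string.IsNullOrEmpty(clientSecret))
        {
            // No secret: the client only identifies itself in the body.
            form["client_id"] = clientId;
        }
        else
        {
            // With a secret: HTTP Basic, client id as user name and secret as
            // password, each percent-encoded first (RFC 6749 section 2.3.1).
            var raw = Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret);
            request.Headers.Authorization = new AuthenticationHeaderValue(
                "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(raw)));
        }
        request.Content = new FormUrlEncodedContent(form);
        return request;
    }

    static void Main()
    {
        var redirect = new Uri("myapp://oauth2redirect"); // constructed sample value
        Console.WriteLine("OriginalString: " + redirect.OriginalString);
        Console.WriteLine("AbsoluteUri:    " + redirect.AbsoluteUri);
        var request = Build(new Uri("https://idp.example/token"), redirect,
            "client-id", "client-secret", "SAMPLE_CODE");
        Console.WriteLine("Authorization:  " + request.Headers.Authorization);
        Console.WriteLine("Body:           " + request.Content.ReadAsStringAsync().Result);
    }
}
```

Comparing the first two printed lines shows whether normalization changed the redirect URI for a given input before it reaches the provider.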

Jignesh1805 commented 2 years ago

Hi everyone, I have implemented Microsoft login. When I enter the ID and password, it redirects to our application. The OpenUrl() method is called, and then I call the OnPageLoading() method, but when I convert the NSUrl to a Uri, a slash is added to the URL. Code snippet:

    public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
    {
        Uri uri;
        if (url.AbsoluteString.Contains("msauth"))
        {
            uri = new Uri(url.AbsoluteString);
        }
        else
        {
            uri = new Uri(url.AbsoluteString);
        }
        // Hand the redirect URL back to the authenticator
        ViewController.Auth?.OnPageLoading(uri);
        return true;
    }

Note: the NSUrl is: msauth://com.trigger.transformation/auth?code=fb5381b71a4912159b484e3d421bf23ec0929c18f0cc4dfc11e4c6701153ff90&scope=TriggerApi%20offline_access&state=tsprivmocacmhahd

After that, I convert it to a Uri:

uri = msauth://com.trigger.transformation/auth/?code=fb5381b71a4912159b484e3d421bf23ec0929c18f0cc4dfc11e4c6701153ff90&scope=TriggerApi%20offline_access&state=tsprivmocacmhahd

A slash is added after auth.

So how can I solve this problem? Can anyone help me?