My friend and I have run into two different sets of issues while attempting to add licensing to an Office 365 Excel addin, and have so far not been able to resolve it through any docs or forums.
We followed the instructions here: https://dev.office.com/officestore/docs/add-license-checks-to-office-and-sharepoint-add-ins to the letter, and have created a node/express server to host the app, and are using the REST verification service to determine the token's authenticity.
We've been testing on 2 different machines, and the issues we've run into are as follows:
1) We cannot get the test license to return isTest: true
2) (on the other machine) The token never gets appended to the initial get call, at all.
The closest we've come to finding a solution so far was this SO post: Nodejs - Office App License token verification service does not validate the token, which seems to have this issue, but whose question is unanswered. Or this one, Apps for Office: my task pane app doesn't get the licensing '?et=' license token, whose answer suggests appending a sample one to the xml file.
We've also replicated this issue on other testers' machines as well, but have not been able to find a solution for this anywhere.
Edit: response to #cody salas
Following on from your sensible and detailed breakdown:
Require Username:
Yes this seems well understood. The RP prompts for username/other-id and finds all credentials that are offered up in an array to the authenticator. Peachy!
Usernameless:
I need the "nuance" you refer to please. What (if any) filter(s) is applied to the returned credentials?
Global scope === Windows Hello User
Google login(s)
Other App logins
My Windows Hello Identity does NOT work with my Yubikey so I can't test :-(
Shared Accounts:
Ok, forget about the Beatles analogy, let's imagine one user (Our ex-PM :-) with multiple identities. ScoMo-Treasury, ScoMo-Health, ScoMo-Resources etc. What does a wildcard GET return?
End Edit 1
UA Credential Safe interrogation.
Scenario:
Tri-Bank has 1 or more registered users from this device (My Windows Hello PC "Bad Boy").
There is no active session or ambient user to the RP (sub)domain. (Seeing local/session storage deprecated but all cookies also expired)
I simply cannot see a usernameless login interaction possibility
I will investigate that UPVA is deterministic on multi-user device but the spec is not only non-canonical, it seems to be off in fairy land :-(
WRT:
Authentication WebAuthn-3 and Authentication WebAuthn-2
Please expand on point .2
The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
Which spec can we refer to (CTAP-10?) that will enlighten us to what is returned to a GET call with an empty "allowCredentials"?
How can the RP refine the user selection granularity without a .GET that either identifies a single user or returns new Error("non-deterministic")?
Does no one else see this as pivotal?
If we always have to ask for username please just say "We always have to identify username first!"
Otherwise could the user be prompted with "we have Ringo and Paul registered; which one do you want?" :-(
And yes, I know Paul can't login to Ringo's account without his thumb. I'm alluding to the unacceptable disclosure of Ringo's financial activity to Paul. Probably not a big deal unless it was John :-)
Please explain the FIDO2 versus OAUTH2.0 philosophical diversions pros/cons here!
OAUTH2.0 :- Would you like to continue as dicky#gmail.com? Done! No password, biometric, PIN, blah, blah, blah, pre-authenticated and trusted
FIDO2 :- I've got a UPVA that I'll probably have to test you on or a number of authentication methods for a number of users that I'll get you to pick from
Sounds about right???
Let's break this problem down into three different sections: Requiring a username, usernameless logins, and shared accounts
Requiring a username
Using an identifier is the only way to narrow down which authenticators are acceptable for an auth session. Note the use of identifier. The spec calls out username as it's extremely common, and familiar to users, but another mechanism can be used as an identifier if your environment/requirements allows for it.
Also keep in mind that this flow works well for users who are using an authenticator or ecosystem that does NOT support discoverable credentials.
I have some development guidance here if you wish to see some expanded code samples.
This won't entirely solve your problem if you are using a shared Windows Hello account. All John has to do is type the identifier "Paul", type in the PIN/Fingerprint, and have access. Overall you don't want to share authenticators, but I'll touch on that later in this comment.
Usernameless login
Remember this login flow will only work for users in an ecosystem that supports discoverable credentials. You've mentioned Windows Hello so you are in good hands. In this flow a relying party sends an empty allowCredentials list because it has no idea who is triggering the auth session. The relying party is essentially saying "send over a credential, and I'll attempt to validate it". There's more nuance to this statement, especially depending on the identity provider you are using, but that's the overall gist.
Usernameless can be broken down further depending on if you're using a security key, or platform authenticator. But during the GET() ceremony all credentials tied to your current origin will be shown depending on the authenticator that you activate. So if you fingerprint into Windows Hello, all the credentials for the current origin tied into the single Windows Hello account will be shown. If you activate your security key, all the credentials on the device for the current origin will be shown.
Shared accounts/workstations
So we'll continue with your Beatles example above. They can all share one computer, but this is where you need to question if they should be sharing the same Windows Hello account. If you register a credential using the Windows Hello authenticator, then anyone with the PIN/Fingerprint to that account will be able to leverage credentials on the account + device combo.
At the end of the day this will depend on how many accounts are tied to your workstation.
If you are adamant about the Beatles all sharing one Windows Hello account, on one workstation, then maybe they need separate personal authenticators, like a security key. That way no matter who is using the shared account, they still have independent credentials (unless Ringo decides to register Windows Hello, rather than his security key).
Otherwise, if each Beatle has their own Windows Hello account, they could log out/login in whenever one of the lads needs to check their bank account. In this case they will only be shown the credentials tied to their specific Windows Hello account.
Hope this helps
Update 8/22
Glad my responses are helping so far - see below for answers to your additional follow-ups
Usernameless nuance
When I say nuance, I’m mostly referring to the not “one size fits all” of identity/auth providers. I can give you the code to my project using Cognito, but if you’re using Azure AD then there might be differences in the parameters that you pass to your RP. MOST of the code and logic will look the same, but it’s the small differences that might require more/less data.
For instance, let's say that both Identity providers A and B support WebAuthn, and both will support discoverable credentials/usernameless login. But imagine that A requires that you call to its API noting the user's identifier, and B can derive the identifier from the get() response. They both accomplish the same task, but require slight modifications to the implementation.
Shared accounts
I ran a test on my Windows machine (Windows 10, Windows Hello consumer). I created a Discoverable credential on account A using Windows Hello. I signed out, and logged in as account B using Windows Hello. I attempted to login to the same website, but I was unable to use the credential created by account A as account B.
So if your PM creates a credential as ScoMo-Treasury, they won't be able to use the same credential as ScoMo-Health.
The wildcard get() method will only return the credentials for the account currently logged into Windows.
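The two flows described in the answer (allowCredentials populated from an identifier lookup, versus an empty list for usernameless login where the RP validates whatever comes back) as an added JavaScript example; this is not the answer author's code, and the relying-party id, account store and credential ids are constructed sample data. It assumes the assertion's signature and challenge are verified elsewhere and only shows how the RP narrows, or resolves, the user.

```javascript
// Added example, not from the original answer. Relying-party side of the
// two WebAuthn authentication flows discussed above. Constructed data only.
const RP_ID = 'bank.example'; // assumed relying-party id

// Constructed RP user store: identifier -> user handle and registered
// credential ids (base64url strings, as returned by the browser).
const accounts = {
  paul:  { userHandle: 'dXNlci1wYXVs',  credentialIds: ['cred-paul-1', 'cred-paul-2'] },
  ringo: { userHandle: 'dXNlci1yaW5nbw', credentialIds: ['cred-ringo-key'] },
};

// Username-first flow: the RP looks the identifier up and narrows the choice
// with allowCredentials, so only that user's authenticators are acceptable.
// Pass the result as navigator.credentials.get({ publicKey: options }).
function getOptionsForIdentifier(identifier, challenge) {
  const account = accounts[identifier];
  // In production, answer unknown identifiers indistinguishably from known
  // ones (e.g. a decoy list) so this endpoint cannot enumerate accounts.
  if (!account) throw new Error('unknown identifier');
  return {
    challenge, rpId: RP_ID, userVerification: 'required',
    allowCredentials: account.credentialIds.map(id => ({ type: 'public-key', id })),
  };
}

// Usernameless flow: empty allowCredentials. The authenticator, not the RP,
// decides which discoverable credentials for this rpId to offer the user.
function getOptionsUsernameless(challenge) {
  return { challenge, rpId: RP_ID, userVerification: 'required', allowCredentials: [] };
}

// Server-side resolution of a usernameless assertion: map the returned
// userHandle back to an account, then confirm the credential id used really
// belongs to that account before going on to verify the signature.
function resolveUsernamelessAssertion(assertion) {
  const entry = Object.entries(accounts).find(([, a]) => a.userHandle === assertion.userHandle);
  if (!entry) return { ok: false, reason: 'unknown userHandle' };
  const [identifier, account] = entry;
  if (!account.credentialIds.includes(assertion.id)) {
    return { ok: false, reason: 'credential not registered to this user' };
  }
  return { ok: true, identifier };
}
```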
Duplicate of: Heroku and GitHub: "Items could not be retrieved, Internal server error" (12 answers)
When I try to add GitHub as my deployment method, it just pops up and says one of these two things:
[Error 1 (image)]
[Error 2 (image)]
But the really odd part is that when I look on GitHub it shows Heroku as a OAuth application that is added but says it was never used. And then, in logs it says things like this:
[Error logs (image)]
Does anyone know what's going on? I'm using Heroku to host a discord bot and ever since I logged out of GitHub on Heroku because it was acting up I can't get back in.
Deploy from GitHub is currently unavailable due to some hacker attack.
Reference: https://status.heroku.com/incidents/2413
We are dedicated to ensuring the security of our customers, and as
such, continue to pursue all potential leads as part of our
investigation. As part of that commitment, we want to let you know
about two additional findings that may impact a small number of our
customers.
As reported on status.heroku.com, on April 7, 2022, a threat actor
obtained access to a Heroku database and downloaded stored customer
GitHub integration OAuth tokens. On that same day, the threat actor
downloaded data from another database that stores pipeline-level
config vars for Review Apps and Heroku CI. Additionally, another small
subset of Heroku users had their Heroku tokens exposed in a config var
for a pipeline. This was identified on May 16, 2022, after further
forensic investigation. We have no evidence of any unauthorized access
to Heroku systems since April 14, 2022.
Any users affected by these issues were notified directly and provided
with additional guidance. If you did not receive an email directly
from us, we have no evidence that you were impacted by either of these
recently identified issues. If you received an email from Salesforce
(techcomms#mail.salesforce.com) and have identified suspicious
activity, please contact security#salesforce.com.
For an update on our current progress with regards to the GitHub
integration, please see this blog post.
So you can deploy manually through the Heroku CLI.
As #MarcoWriteCode has mentioned the basis of the error that you are facing,
I would suggest that you go through the Heroku CLI documentation and continue your deployment from here. https://devcenter.heroku.com/articles/getting-started-with-nodejs
Use the Heroku CLI for a bit, then switch back to GitHub deploys.
I am working with a research group that needs to collect Facebook post data for a group of participants over the course of a few months. The goal is let the participants authorize us to collect this information via facebook, and when they post to Facebook, send that information to a secured server.
After reading the Facebook documentation, I'm mostly just confused about how to provide a mechanism for the user to agree to the terms of collecting his/her data. I'm planning on using webhooks to collect the data, which is independent of the client platform, but do I really need to build separate apps for web, iOS and Android just for the approval process?
I'm planning on using webhooks to collect the data, which is independent of the client platform, but do I really need to build separate apps for web, iOS and Android just for the approval process?
You most likely won't get this approved in review anyway.
Permissions must, for the most part, be used to provide a direct benefit to the in-app user experience; collecting data for analytical measures only is explicitly mentioned as a not allowed use case. Whether the users would agree is not relevant here.
For example, user_posts permission, has "non-visible use of this data such as sentiment analysis or guarding against spam bots" marked with a red "X" for nope.
So the only way of getting your app to request the necessary permission(s) from users, would be to add them as testers to the app via app dashboard/API. Anyone with a role in the app which can be asked for any permission, reviewed or not. Those users would however have to have their accounts verified (mobile/text, credit card) and sign up as a "developer" on the FB platform, before your app could send them requests to become testers.
You'd be flying under the radar with that, so to speak. Facebook offers this "loophole" mainly for the purpose of letting developers test and develop their apps properly, before review. It is also explicitly mentioned in the app development FAQ as a way around the need for review, for specific use cases such as wanting to get your blog posts published to your own FB page automatically. It would not cover what you are trying to do, but it will likely "work" as long as none of your test users specifically raises a complaint with Facebook ...
Not sure if there is any published limit on the number of test users that can be added to an app, people have asked about that in the past, but AFAIK none is documented or otherwise published by Facebook. If there is one, and it is not completely stopping this approach dead in its tracks (say, a few hundred per app rather than five), you could use multiple app ids, if you don't need to relate data between user accounts too much - because the app-scoped user ids will be different per app id, so that could make connections between friends that are in different "app-id test groups" etc. difficult. Or you might have to refer to other, less reliable measures of uniquely identifying them, such as email or profile name.
I am trying to implement session kill feature for my application.
I need to show user all the devices from which he has logged in.
But I am not able to get the users machine name from http request.
I have tried this:
Another similar question in stack overflow
But it gives user's machine name only if it is explicitly specified in hosts file and is the first entry there.
Google has implemented the similar feature
google's implementation to review devices/sessions
It shows the user's machine name
My machine name CITRUSPN135 is shown here.
How can I implement the similar feature for my application?
I am open for implementations both at front end or server side.
Server-side code is there:
String browserType = request.getHeader("User-Agent"); // raw User-Agent header sent by the client
It contains all the information.
I have seen google apps script's tutorial to migrate from oAuthConfig to oauth1 here
But what if I have the access tokens with me already?
I checked the oauth1 library code here and could not find a way to include access token here.
Is there any alternative way?
Also note that I have 4 things with me: Consumer Key, Consumer Secret, Token and Token secret. (Note: I have 2 things in access token, not only a single token).
As mentioned here (read the Warning on that link), OAuth1 was shut down on April 20 this year. So I am assuming/hoping that you're using OAuth2 instead. If not, I would suggest you to migrate as soon as possible.
When working with access tokens, it is important to remember that they have limited lifetimes. Hence, always remember to add them "programmatically". Depending on the API you're trying to access, access tokens are appended to the request as the value of the access_token query parameter of your request. Here are a couple of examples:
Plus API:
GET https://www.googleapis.com/plus/v1/people/userId?access_token=1/fFBGRNJru1FQd44AzqT3Zg
Youtube API:
https://www.googleapis.com/youtube/v3/channels?part=id&mine=true&access_token=ACCESS_TOKEN
So look up the Google Developers documentation for the particular API you're using for help on what the exact request will be like. Here are a few samples for using OAuth2 with Google App Script. Hope this helps.
EDIT:
A little correction. For OAuth1, the access token is passed using oauth_token. For clarity of how the process flows, refer to the subheadings 6.1 to 6.3.2 in this link and the former one for how it is done on Google's end.
Also, quoting this link:
"April 20, 2015: OAuth 1.0 is shut down. A static error page will be displayed on all requests. Make sure you have migrated well before this date."
If that hasn't already happened, it might happen anytime as currently OAuth1 is "officially" shut down.