Integrating Web Chat using React getting 403 Authorization error

Hi Below is the code I have adapted from https://github.com/microsoft/BotFramework-WebChat/tree/master/samples/03.a.host-with-react

<!DOCTYPE html> <html lang="en-US">   <head>     <title>Web Chat: Integrate with React</title>     <meta name="viewport" content="width=device-width, initial-scale=1.0">     <!--       For simplicity and code clarity, we are using Babel and React from unpkg.com.     -->     <script src="https://unpkg.com/babel-standalone@6/babel.min.js"></script>     <script src="https://unpkg.com/react@16.5.0/umd/react.development.js"></script>     <script src="https://unpkg.com/react-dom@16.5.0/umd/react-dom.development.js"></script>     <!--       For demonstration purposes, we are using the development branch of Web Chat at "/master/webchat.js".       When you are using Web Chat for production, you should use the latest stable release at "/latest/webchat.js",       or lock down on a specific version with the following format: "/4.1.0/webchat.js".     -->     <script src="https://cdn.botframework.com/botframework-webchat/master/webchat.js"></script>     <style>       html, body { height: 100% }       body { margin: 0 }        #webchat {         height: 100%;         width: 100%;       }     </style>   </head>   <body>     <div id="webchat" role="main"></div>     <script type="text/babel">         (async function () {         // In this demo, we are using Direct Line token from MockBot.         // To talk to your bot, you should use the token exchanged using your Direct Line secret.         // You should never put the Direct Line secret in the browser or client app.          const headers = {"Authorization", "Bearer <'secret key'>"}         const res = await fetch('https://directline.botframework.com/v3/directline/tokens/generate', { method: 'POST' }, {Headers:headers} );          const { token } = await res.json();         const { ReactWebChat } = window.WebChat;          window.ReactDOM.render(         <ReactWebChat directLine={ window.WebChat.createDirectLine({ token }) } />,         document.getElementById('webchat')         );          document.querySelector('#webchat > *').focus();         })().catch(err => console.error(err));     </script>   </body> </html> 

Below is the Error I am getting enter image description here

Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization

I’m looking at the following setup. A web application uses a REST API to communicate with the server. All API responses include Origin: *. For authorization Authorization: Bearer <token> is used. Access-Control-Allow-Headers: Authorization is also included for appropriate preflight requests.

As Origin: * is configured, modern browsers will not send authorization data, such as the bearer token.

This makes it impossible to use API requests across domains, which require authorization (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials).

I’m struggling to justify, why this should be considered a vulnerability. It is bad practice to allow any origin. It could lead to data leakage, but not in this scenario.

Could this be exploited in another way, I’m not seeing right now, or is this in fact just bad practice and does not pose an actual threat?

¿Como resolver la cabecera de solicitud: Access-Control-Request-Headers: authorization de Angular 6 o de Laravel?

El backend devuelve el siguiente error: Código de estado: 403

El frontend (Hecho con Angular) solicita este recurso a backend (Hecho con Laravel APIREST) se trata de una una peticion/respuesta entre subdominios:

frontend.empresa.com solicita a backend.empresa.com/api/v1/schedule/mychapters

Por cuestiones de seguridad no anotaré las urls respectivas

Tengo entendido el asunto de CORS; pues el Frontend antes de solicitar un recurso 1ero envia una solicitud con el metodo OPTIONS con las Cabeceras:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: es-BO Accept-Encoding: gzip, deflate Access-Control-Request-Method: GET Access-Control-Request-Headers: authorization Referer: frontend.empresa.com/ Origin: frontend.empresa.com DNT: 1 Connection: keep-alive Cache-Control: max-age=0 

Pues la cabecera de Respuesta del backend es la siguiente:

HTTP/1.1 403 Forbidden Date: Fri, 31 May 2019 04:49:49 GMT Server: Apache Cache-Control: no-cache, private Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Content-Length: 18 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8 

Sobre CORS ya lo solucionamos mediante un middleware. El archivo route/api.php ya contiene el framento para resolver el CORS con el metodo OPTIONS

Lo que me parece raro es la cabecera de solicitud del frontend Access-Control-Request-Headers: authorization, cuando en realidad creo que debe contener Content-Type o X-Requested-With incluido el Authorization: Bearer [token]

He colocado en el CORS del Backend todos los Access-Control-Allow-Headers con Accept, Authorization, Content-Type, Origin, X-Auth-Token, X-Requested-With

Pero aun asi no nos retorna el recurso correspondiente

Is it recommended to send an authentication request to the Resource Owner (by the Authorization Server) if it already has an active session?

In OAuth 2.0 Authorization Code Flow (Grant Type), is it recommended (or is it maybe even a best practice) to send an authentication request (e.g. a login-request form) to the Resource Owner (by the Authorization Server), even if the Resource Owner has already an active session on the Authorization Server, when obtaining an Authorization Code for the first time for a certain Client?

In other words, is it recommended to kill/destroy a currently active session first, if there’s one? Or is it not important at all?

Oauth2/OIDC: I know the address of a resource server, is there a standard for querying which authorization servers it accepts?

I have a bunch of what are essentially IOT devices that will authenticate connections using oauth 2 tokens and/or openid connect (depending on use-case). Each IOT device is individually configurable with one or more authorization servers (ie. each has a client-id/client-secret with one or more auth servers).

My problem is that, given the URI/address of the IOT device, is there an RFC or standard for determining the address(es) of authorization servers that IOT device trusts?

I am going to build a console-like application that will need to be able to connect to many (thousands) of these devices. I control the code on the IOT device and can build something proprietary in, but I’m trying to follow relevant RFCs, where applicable. I have thus far found no specification for querying a resource server to determine the configured authorization servers.

Authorization using Entity Framework in ASP.NET MVC


1. Backstory

I recently starting programming and I found out that Entity Framework works perfect for my small-sized applications due its simplicity.

I’ve made my custom authorize attribute for MVC controllers and controller methods to check if the current user has a certain role (which is an enum type in my case).

The following code represents my authorize attribute:

public class HasRoleAttribute : ActionFilterAttribute {     private Role _role;      public HasRoleAttribute(Role role)     {         this._role = role;     }      public override void OnActionExecuting(ActionExecutingContext filterContext)     {         var context = new FactoryManagementContext();          var userName = filterContext.HttpContext.User.Identity.Name;         var user = context.Users.FirstOrDefault(item => item.UserName == userName);                var hasRole = user.Role == _role;          if (user == null || !hasRole)         {             // If this user does not have the             // required permission then redirect to login page             var url = new UrlHelper(filterContext.RequestContext);             var loginUrl = url.Content("/Account/Login");             filterContext.HttpContext.Response.Redirect(loginUrl, true);         }     } }  public enum Role  {     Engineer,     Manager,     Admin } 

2. Question

It works as a charm, but I have only one question: is it necessary to initialize the database context every single time when authorizing a user?

Am I abusing my authorization token handler?

Background

I have an authorization handler of the form:

Auth(AllowedGroups, Token) -> [Allow/Deny] 

Where the Token consist of the following tuple and its MAC tag.

TbsToken := (userid, usergroup, expiration) Token    := (TbsToken, MAC) 

The MAC key resides on the servers’ sides, and along with the authorization handler, is used for automatic authentication with server B once user is logged onto server A.

A while ago

Now server B gets the new function of serving objects to invitees that appear anonymous to the server. To determine which object to serve, 120-bit (padding-free in base32) random ID of the object is passed to the access point.

Along with the ID, is the said token with “userid” removed (because anonymous) and “usergroup” replaced with the object ID. And the authorization handler is reused and called as:

Auth(ID, ((anon, ID, future), MAC)) 

It raises an alarm in me because the “AllowedGroups” is now controlled by the client, but I cannot see obvious ways this leads to vulnerability.

Is the authorization handler call 1) useful but may need tweaking? 2) useless as ID is already random, or 3) a security concern that must be removed?

What prevents an identity provider from falsifying authorization in a SAML 2.0 flow?

I’m confused about something in the SAML 2.0 flow. When the initial access to the service provider is made, the service provider must first validate that the user indeed has access and so the service provider will query the identity provider. Based on this link — https://developers.onelogin.com/saml , the service provider identifies the identity provider based on “application subdomain, user IP address, or similar.” My question is, what prevents the identity provider from acting maliciously and saying, “Sure, this user has access. Let them in!” I mean, I could just set up my own identity provider and if I’m identified by IP address, couldn’t I just pretend that this user has access?