Big relief: https is NOT required for OAuth 2.0 redirect_uri which use 'localhost' as the hostname (at least with Xeros Authentication Server anyway ... it is possibly a requirement of the spec).
A good thing too, or else presenting a clean certificate for 'localhost' to the user's browser (kind of super-important when getting the user to trust your app to access their resources) would require presentation a self-signed cert that's trusted by the host. Which would require generating and adding adding it to the trust store at some point in time prior to the moment it is used. Which would require privilege-elevation prior to the moment it is used. Which we are trying to avoid with ClickOnce.
My program is going through each word in a story looking for names. I am using the following function to check against a string full of names (aaron, adam, ...) to see if the word is a name, but it is returning true for partial word matches such as "the" in "Theodore". What am I doing wrong?
I would like to submit my reasoning for validation/sympathty. If your head is not already full of OAuth 2.0 the language here might not make sense.
Some context is required:
* The Resource Server is Xero
* The Authorization Server is Xero
* The Authorization Server permits registration of Clients which use either the 'Authentication Code Flow' or the 'Authentication Code + PKCE Flow'
* The Authorization Server correctly requires Client registrations to supply a 'redirect_uri'
* The Authorization Server incorrectly requires Client registrations to supply a 'redirect_uri' only with an https:// prefix
* The Client is my .NET desktop ClickOnce app
* The User Agent (browser) runs on the same machine as the Client, in the same desktop session
* the User making the OAuth 2.0 delegation does not otherwise need admin rights to the machine
... and the Dev (not really the subject of an OAuth spec, thank heaven!) just wants to get on and write his business logic.
Right, so back to work:
To get an access token, we first of all need an authorization code. We get that from the Authorization Server through the 'front channel' ... the User's User Agent (ie. a browser) is given an HTTP redirect to the 'redirect_uri' with the information we need in an HTTP request.
And here we run into 'hassle'.
IF our Client were an Android, iOS or UWP(?) app, we could have registered for a 'Claimed Https Scheme URI Redirection' ... when the User Agent (browser) visits https://example.com/, it will activate the app and send the URL to us! (so long as we can convince the respective app store WE own example.com ... it's all in the app manifest).
But ... that's not us. We're a 'legacy' app on Windows. Well, we could use a 'Custom URI Scheme' and register 'com.example.myapp:/foo' with Windows, which would (after a browser prompt) activate our app and hand the URI over to it (maybe ... it isn't clear if we can do this for ClickOnce apps that are 'installed' in each user's roaming profile). We get the same effect as with the Claimed HTTPS URL approach.
But ... that's not us. Xero won't let us use a Custom URI as the 'redirect_uri' anyway
That leaves us with ... running a quick webserver on the loopback/localhost address. Our 'redirect_uri' becomes 'https://localhost:1234/myapp'
Now we have to nominate a port to bind to, that is 'guaranteed' to be available at runtime! Fortunately, we can do bit of a scattergun and nominate *multiple* redirect_uri (https://localhost:5678, https://localhost:6789, etc) when registering our Client with the Xero Authentication Server (or we'd be sunk, basically, if another long-lived app decided to bind to the port we'd chosen).
Great, so we find an available port. Now to bind an HttpListener to the port and wait for the User Agent to hand control back to us.
So we either need:
* admin privileges to bind the port without a 'urlacl' reservation; or
* to have previously done something like "netsh http add urlacl url=https://+:1234" (for at least the redirect_uri variants we have chosen to use at runtime) ... which requires either that we set this up when we had elevated privileges when we installed our app (or not ...since we are ClickOnce), or that we obtain such privileges NOW to do the "netsh http add urlacl" work.
In either case, we now need to refactor a part of our app out to a separate process and arrange for it to run as admin ... which we never intended for our user to have to do ... so that they can delegate the right for our app to access their Xero accounts. Thankfully they only have to do this INFREQUENTLY, but they'll need someone with local admin rights standing over their shoulder when they do
Hello folks, my first post after years of lurking. The burden of the out-of-date articles on the Internet around .NET technologies is getting really heavy, and I can't quite locate reliable info, and I'm blocked on this.
I basically would like to force the UAC prompt to do some stuff as admin. I understand I will need a new process and must arrange IPC between the unprivileged-parent and the privileged-child (sounds familiar ).
is the go, or if there is a Better Way Today. There are articles here and there about using the app.manifest which I can't seem to apply in VS 2019 - they feel defunct. (.NET Framework itself is starting to feel defunct, actually).
Either the runas verb or an application manifest should work.
I'm not sure whether you'll be able to use IPC from the unelevated app to the elevated app. And if you can, you need to be extremely careful to secure it, so that it can't be used by malicious code as an elevation of privilege attack vector.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
To pass the result of (new AnonymousPipeServerStream(/*etc*/)).GetClientHandleAsString() to the privileged-child, I will pass it as a command-line argument.
I suppose a malicious application could create its own named-pipe, invoke MY privileged-child app to fool the user into approving the UAC prompt (abusing my good name) and then control the privileged-child process from their malicious app. Fortunately I only really need the pipe for signalling the privileged-child to stop ... not to direct the action of the privileged-child.
Since I'll be working with ProcessStartInfo anyhow, adding a 'runas' verb is 'within easy reach'.
It then becomes a question of whether anything is gained by going declarative. Yes, if I needed the 'verb' for a different purpose, I guess. Or if I wanted the privileged-child code to be useful to an audience wider than my app. No, if I am happy for my privileged-child to fail unless properly invoked by MY code (heck, I could even take steps to make it a lot harder for said malicious actor!), or if I don't wish to draw the attention of malicious parties by marking it 'hey, I run as admin!'.
I previously had the entity as in the 2nd case, unfortunately I removed it, and now when I am trying to create with same name again, whether EF has cached it I don't know, but EF is not recognizing it, can somebody please help me in this, does EF cache the already created Entities with same names, how can we clean it?
Its not allowing me to create the same Entity again even after deleting the Entity and trying regenerate again.
Or at least can I rename already existing Entity and its columns, how can I do it any help please?
Change your username, or be kicked off the site.
That is unacceptable in a professional environment.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
I am building desktop application with VB.NET. Have following query
1. Settings Form contains 2 sections
2. first section contains text boxes to enter data
3. Have button, popup window will open on clicking the same. User enter some data in popup window and click save. Want to display popup window data in settings form - datagridview. Please note still data is not saved to database.
4. Once user clicks 'Save' button of Settings window then all data of text boxes and datagridview is stored in database.
However, when user reopens this Settings form, I want data should be populated from database to text boxes and datagridview. Post this, want to display popup window data if user adds any new data.
We are working on a project, where there are 2 different web applications are used by the same user. Hence we need Single Signon (SSO), so that when a user is logged in one application opens the second application, it should not ask for relogin, if the user have permissions.
Our web application is on .net core 3.1
We had implemented SSO using identity 4. we had refereed a sample application (.net core 2.0 and identity 4 server 2.0) and implemented the same.
1. Even if a user have permissions for both the applications and logged in to 1 application, when he tries to open the 2nd application, it asks to signin again(ie, it is not authorized)
2. For admin user, which have all the permission, it fails to open the application due to cookie memory issue.
We have tried to upgrade the identity 4 server to the latest (4.1), but it through run time error.
I am building desktop application using .net framework. Front end will be deployed in client PC and database will be kept in LAN server. In this case which is best database to be used.
Since I am new to client-server implementation how to make sure connection string while installing front end in client PC and is there any instance of database needs to installed before establishing connectivity. I don't want to too much dependencies while installation since client is startup company and not able to invest on licence databases.
You could use SQL Server Express, or google for free\open source database solutions, but using SQL Express would make it easier to go to proper SQL Server when they can afford it. However I would strongly question any company, start-up or not, that can't afford to properly license software and I'd also be wary working for such a company.