I am trying to implement FIDO2 on Android. I have the assetlinks.json hosted on my domain (Sorry I don't want and not sure if I'm allowed to reveal the whole url yet).
I have the assets_statements string defined and added it to my Manifest and I also implemented the whole get register challenge logic where I am creating a pending intent from PublicKeyCredentialCreateOptions.
After I launch the intent I see a white screen which shows up and closes really fast without any descriptive error or anything and I have no idea how to debug this issue. The log shows:
ActivityTaskManager: Displayed com.google.android.gms/.fido.fido2.ui.Fido2FullScreenActivity
E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated
On https://developers.google.com/digital-asset-links/tools/generator it says that my domain grants app deeplinking to my package name.
I am using com.google.android.gms:play-services-fido:18.1.0
The errors in the log are not helpful in any way and I'm not sure if I am still missing something here, any help would be appreciated.
OK, I figured it out by playing with the example app https://github.com/googlecodelabs/fido2-codelab and changing things around, so I'm going to answer my own question.
When requesting a registration challenge the RP.id field needs to be the same as your domain name.
On the sample the Rp.id value is "webauthn-codelab.glitch.me", I changed it to "webauthn.glitch.me" just to try out what would happen. Guess what, I'm getting the same errors as before:
E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated
To conclude, be sure that the RP.id that get's returned from backend matches the domain url.
Also here is a link explaining RP id: https://www.w3.org/TR/webauthn-2/#relying-party-identifier
Got the same error JSON Object doesn't have linked key on Fido2ApiClient.getSignPendingIntent() call.
The solution for my case was to set real user key (aka id) in allowList.
Related
I'm making a simple HTTP POST request using Tasker app, it's working fine but somehow it's not sending my arguments. HTTP GET is working fine. What am I doing wrong?
The only thing the server does is JSON stringify all received parameters and return them like: Text: { parameters }
HTTP GET is working:
HTTP POST works, it returns the response "text: {}" but doesn't return any parameter:
Now sometimes it shows "Bad Request Error 400"
I've tested it with another server and this issue persists...
Here's a fiddle to send get and post requests to the same server and both work.
I've exported my task as xml for you to test: You can download it here
Thanks in advance guys!
I have done a little testing with what you have supplied. It appears that your post parameters are making it to the server but %HTTPR is not getting populated. The Tasker documentation says that this variable will be populated if the response is "text-based", but this does not seem to be the case. I may not know what Tasker considers to be "text-based", but I have tried "text/plain" and "text/html" with no luck.
The work-around that I have come up with is to put the response into a file using the "Output File" field of the post task. (Leave "Content Type" blank or this won't work.) You can then read the file into a variable and do what you need to.
This is either a defect in Tasker, incorrect documentation, or just a misunderstanding of what it takes to make it work. This work-around, however, will get you what you need.
Here is a link to a GitHub repository with the updated task export. You may need to change the output file name/location to work with your device.
Update:
Since I posted the above solution, I have run across a Tasker plugin called "RESTask for Tasker". Evidently, Tasker has enough issues with HTML requests that a separate plugin was needed. I have tested this plugin with POST and it does work, so this is another way to go. The plugin is available on the Google Play store.
Currently I'm developing android application that needs to connect itself to REST API. It is crucial for my app to access API whenever connection is possible (mobile data/wifi).
But when testing my app something extremely weird happened. Application works as expected almost all the time, but when on VipMobile operator (Austria telekom group) I cannot connect to API.
At first I didn't get it, error was too unreadable. It says
j u fehler6 the requested item could not be loaded & wrong mime type
There are a lot of unprintable chars in that message too. When i figured out that it is operator fault i tried to copy link to my API and got this.
What could that possibly be? Can anyone point me in any direction, I cannot publish application as long as there are those ridickulous errors.
This happens when the user is on 3g connection. Some mobile operators intercept clients request and if the Content-Type is not good, or not defined they display page like this. This happens also to vipmobile operator in Serbia.
Try to add right content-type to response headers on your server side.
Try to put for example Content-Type:text/plain;charset=utf-8 to headers
I am confronting myself with a problem that I do not know how to interpret. I am doing a project using Android and Google App Engine. When I am trying to save information in Google App Engine's Big Table, directly from the servlet (hardcoded) - the save is performed with no problem. But when I am trying to save data from my Android device, the save is not performed and the log indicates Apache-HttpClient/UNAVAILABLE error. To be more specific:
405 55ms 0kb Apache-HttpClient/UNAVAILABLE (java 1.4)
82.155.246.249 - - [10/Jun/2013:05:20:59 -0700] "POST /servletnamehere HTTP/1.1" 405 306 - "Apache-HttpClient/UNAVAILABLE (java 1.4)" "appnamehere.appspot.com" ms=56 cpu_ms=21 cpm_usd=0.000034 app_engine_release=1.8.0 instance=00c61b117cede3f754aa1ece730dc88287a20199
I have seen that 405 HTTP error appears in the context of a POST method ( "405 errors often arise with the POST method. You may be trying to introduce some kind of input form on the Web site, but not all ISPs allow the POST method necessary to process the form." ) => indeed, I am trying to perform add (the object is a JPA Entity) in the database using a POST method. The data I am receiving from my Android device is serialized, through an input stream (in my case, working with JSON is not an option, these are the specifications).
Also, 306 HTTP error reffers to switch proxy. While the porevious error might be a bit intuitive, this one is beyond my student knowledge.
I have followed the instructions of this tutorial (http://trumpy.cs.elon.edu/joel/sigcse2011/), which is indeed what I need, but I really cannot figure out what I did wrong. I took again the procedure, stept by step, but I don't see the flaw.
Any help will be indeed appreciated. If I should post some code, I'll gladly do it.
Best wishes,
Cropcircles
LATER EDIT:
Now I get 417 HTTP error expectation failed. I have seen that I am supposed to set a certain parameter on false, but this workaround was available only for .NET. Is there anyone who knows what's the correspondent of the following, in Java? I am really really confused.
<system.net>
<settings>
<servicePointManager expect100Continue="false" />
</settings>
</system.net>
This is not an answer, but is too long for a comment and may be helpful, so here goes...
First, it's hard to tell what's going on here because there is limited info. Try to post more of the logging either on the client or on the server. Go to the server console and get more info, for instance, or add debugging in the client. I'd start by trying to make the POST from a debug/testing tool like hurl.it: http://www.hurl.it/ (hurl is a nice web front end to a command line HTTP client named curl, see curl itself if you want a more advanced peek). That way you can test and poke around and make SURE your server side works as you expect with a generic client. Then build other clients (like Android).
Second, "Apache-HttpClient/UNAVAILABLE" is not an error, it's just the user-agent String -- so ignore that part. (UNAVAILABLE is where the version typically is, but some impls don't have access to the version sometimes, it seems.)
Third, the 405 response code IS an error, it means POST is not allowed at the server you are trying to POST to. That can either be because POST is not allowed at all on said server, or you're violating some security policy (such as same origin).
If it's AppEngine, first check the APP you are using and make sure it supports POST (look for info on how to do POST at AppEngine to solve, for instance: google app engine: 405 method not allowed). When you say you can do it directly from a "servlet," do you mean that a POST from a different client works? (Servlet is a server side technology, so that's a little confusing.) If so then make sure your Android app is doing the client part the same way to the same host (multipart vs urlencoded, etc).
For a little more on the security stuff, which could be involved, see this post: Google App Engine + jQuery Ajax = 405 Method Not Allowed.
I've had the same trouble and in my case It was an error due to no write permission on server side area.
I was following an android test to write on a file a value transmitted in async way via POST method.
Apache received the POST request but was not able to write the data on the file due to security permission on it.
Is there a reliable way of getting access token errors from the facebook platform?
Our iOS/Android App needs to save the users Facebook session. This is fine except that authentication errors we get from Facebook seem to be inconsistent.
Essentially, if we get an error from facebook, we want to know if this requires the user to reauthenticate or if it's due to an intermittent error (i.e. they are being rate limited for some reason).
Most facebook graph errors seem to include an error code in the body of the error message text.
Some do not.
e.g
{"error":{"message":"Error validating access token: The session is invalid because the user logged out.","type":"OAuthException"}}
Does not contain an error code, so the only way to check against this error is to do a string comparison on "message". That seems a remarkably unreliable way of checking for errors.
It seems ~almost~ possible to check to see if the "type" variable in the json string indicates an "OAuthException", except that if the user is rate limited, then that will throw an OAuthException as well but it doesn't require the user to log back in, it only requires them to wait a little while and stop posting so much.
I have seen the How-To listed here: https://developers.facebook.com/blog/post/500 but that will still have the problem that my games will require users to log back into facebook if they happen to be over-enthusiastic about posting to their wall.
So, is there a reliable way of getting errors from the facebook platform?
Right now the best solution I can find is to parse the message string for error codes, and if I don't find any then reparse the string looking for specific messages (such as "Error validating access token") and then finally if I can't determine what the error is, just panic and log the user out.
Unfortunately I haven't found a great way of handling this. The best solution I've found so far is to look to see if the error is an OAuthException, compare the error message against a white list of "acceptable failures" that do not require reauthentication, but if the error does not match any error on this white list, I assume that the user has to reauthenticate with Facebook.
For reference, the only error I've found that can be whitelisted is the "user is rate limited" error. To detect this, I check to see if the error message contains the substring "(#341)", which is the error code of this error (not that this error is one of the few errors that contains an error code in the error message body).
I'm trying to make an app that accesses a user's Google Calendar using OAuth. I have the code in place that gets all of the proper tokens and they are saved into some preferences. I used the tutorial here to do this all, by the way. I have successfully changed the scope and request URL's so that I'm getting the needed tokens. The problem comes when I actually try to USE the token. Instead of calendar info, I get back some HTML that says "Unknown authorization header Error 401". The request URL I am using is:
https://www.google.com/calendar/feeds/default/allcalendars/full
and the scope is:
http://www.google.com/calendar/feeds/
I have tried replacing 'default' with my email address (which is also the one that I used for the OAuth) to no avail. Am I using the wrong URL? if not, what else could cause this error? I have been looking for a few days now to find someone who has accessed the Calendar using OAuth, but everything I have found is people giving up because it's too difficult or doesn't work.
EDIT:
I believe my header is correct, here is an example of it:
OAuth oauth_token="************-********-**********-****",
oauth_consumer_key="anonymous",
oauth_version="1.0",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1303161387",
oauth_nonce="*******************",
oauth_signature="*******************"
That is pulled directly from my app, and from what I could find it looks right to me, but I'm still getting the error above (Unknown Authorization Header Error 401).
The Authorization header needs to be "Authorization: OAuth oauth_nonce="deadbeefdeadbeef" oauth_version="1.0" ....
See http://code.google.com/apis/accounts/docs/OAuth_ref.html#RequestToken. You can, supposedly, also but the authorization parameters in the querystring or in the body of a POST, but I have not attempted that.
As noted in the comments below, Google is now, at least with the Calendar feed, appending a 'gsessionid=' querystring and redirecting; and so a redirect handler must create a new nonce and timestamp, and make a new signature making sure to add the gsessionid to the base signature string in the correct lexicographical order (preceding any of the oauth_ variables).