Hans Karlsen (talk | contribs) No edit summary |
Hans Karlsen (talk | contribs) No edit summary |
||
| Line 40: | Line 40: | ||
If your user is "Bearer" (case insensitive) - we assume that the pwd is a bearer token and we send "Authentication" header with "Bearer token" (Bearer case as you gave since services might be picky about this). | If your user is "Bearer" (case insensitive) - we assume that the pwd is a bearer token and we send "Authentication" header with "Bearer token" (Bearer case as you gave since services might be picky about this). | ||
If your user is "Thumbprint" (case insensitive) we assume the password is a thumbprint of a client certificate you have made available as described here | |||
Revision as of 21:11, 17 October 2019
Turnkey use MVC for the login form. This form make use of the __RequestVerificationToken that helps MVC avoid attacks where an old posted form is used again.
You will need to supply a valid RequestVerificationToken when logging in from code.
The easiest way to get a valid RequestVerificationToken is to screen scrape it from the login page.
The code below download the Login page, finds the RequestVerificationToken.
Then the code make a post with the needed parameters for login including the screen scraped __RequestVerificationToken
private void Button_Click_1(object sender, RoutedEventArgs e)
{
var client = new HttpClient();
var loginform = client.GetAsync("https://raptor3ny/TurnkeyWebAppGeneric/Account/Login").Result;
var loginformcontent = loginform.Content.ReadAsStringAsync().Result;
var part1=loginformcontent.Substring(loginformcontent.IndexOf("<input name=\"__RequestVerificationToken\""), 1000);
part1 = part1.Substring(part1.IndexOf("value="));
part1 = part1.Substring(part1.IndexOf('"') + 1);
part1 = part1.Substring(0,part1.IndexOf('"'));
var content = new MultipartFormDataContent();
content.Add(new StringContent("hans@karlsen.se"), "EMail");
content.Add(new StringContent("123456"), "Password");
content.Add(new StringContent("false"), "RememberMe");
content.Add(new StringContent(part1), "__RequestVerificationToken");
var result = client.PostAsync("https://raptor3ny/TurnkeyWebAppGeneric/Account/Login", content).Result;
if (result.StatusCode == System.Net.HttpStatusCode.OK)
{
// Login successfull
}
}
Rest authentication
Turnkey is Rest service host
When we expose Rest Services we now check for the common basic authentication in the "Authentication" header of the request. The standard says that you can send "basic user:pwd" where user user:pwd is base64 coded - if we find this we unpack and resolve against SysUser.
You send to Rest service via selfVM.RestGet
When you use the selfVM.RestGet etc methods you can supply a user and pwd and if set we will add these as a basic auth header for simplicity. This makes it very easy to communicate securely between turnkey apps - but also with most other available rest-implementations.
If your user is "Bearer" (case insensitive) - we assume that the pwd is a bearer token and we send "Authentication" header with "Bearer token" (Bearer case as you gave since services might be picky about this).
If your user is "Thumbprint" (case insensitive) we assume the password is a thumbprint of a client certificate you have made available as described here