china-live / qqconnect Goto Github PK

配置了微信登录，但出现state过长的错误，请问是怎么回事？谢谢

微信登陆没问题，qq登陆卡在了ExternalLoginCallback里面的
var info = await _signInManager.GetExternalLoginInfoAsync();这一行，没闹明白怎么回事儿

你好，
PC端二维码登录OK，但微信客户端（微信内置浏览器中打开）提示：此公众号并没有这些scope的权限,错误码:10005

什么原因？

我用https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers 官方的Provider也是一样的问题，请问怎么解决呢？

是否要在开放平台后台中申请 一个移动应用？目前申请的都是网站应用。

是否持续更新移植到ORCHARD CORE
以及增加百度、新浪等

Summary

QQConnect is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).

Product

QQConnect

Tested Version

Master branch.

Details

Issue 1: XSS (CVE-2018-0784)

The application doesn't have the fix for CVE-2018-0784 that was found in ASP.NET Core templates. It is vulnerable to XSS if the logged-in user is tricked into clicking a malicious link like https://localhost:44315/manage/EnableAuthenticator?AuthenticatorUri=%22%3E%3C/div%3E%00%00%00%00%00%00%00%3Cscript%3Ealert(%22XSS%22)%3C/script%3E and enters an invalid verification code. Mode details are available in the blog post.

Impact

This issue may lead to the elevation of privileges.

Remediation

Modify the code according to the instructions from the advisory.

Issue 2: CSRF (CVE-2018-0785)

The application doesn't have the fix for CVE-2018-0785 that was found in ASP.NET Core templates. It is vulnerable to CSRF. A logged-in user with enabled Second Factor Authentication (2FA) may lose their recovery codes if they are tricked into clicking a link like https://localhost:44315/manage/GenerateRecoveryCodes or visit a malicious site that makes the request without the user's consent. As a result the user may be permanently locked out of their account after loosing access to their 2FA device, as the initial recovery codes would no longer be valid.

Impact

This issue may lead to the per-user DoS.

Remediation

Modify the code according to the instructions from the advisory.

小程序登录实现起来有点麻烦呀。
1.wx.login()获取accessCode，传入ids4调用微信jscode2session拿到openid和session_key（可能有unionId）。
2.wx.getuserinfo()获取到加密数据和加密向量，再调用某个接口传入ids4，用上一步获取到的session_key对加密数据进行解密，解密完成就能拿到用户信息了。

今天自己在搞QQ登录，反编译了Microsoft.AspNetCore.Authentication.Google这个组件，来看看怎么写的，准备在github寻找其他实现qq登录组件中的AuthorizationEndpoint ，TokenEndpoint 等信息，发现了这个项目很不错，可以不用自己去造轮子了，赞一个。

1. 回传 CallbackPath = new PathString("/signin-*"); 我并没有看到Controller公司此Action，请问一下这个是TwoFactory约定好的Url吗?
2. 微信小程序的授权过程是否能用TwoFactory的接口做支持？目前感觉不通的就是微信小程序授权过程中没 Token的概念，不确定HandleRemoteAuthenticateAsync过程是否能执行下去

Hi, how could I report a potential security vulnerability in the project?

报这个错误了
An unhandled exception occurred while processing the request.
ArgumentException: The 'ClientId' option must be provided.
Parameter name: ClientId
Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions.Validate()

Stack Query Cookies Headers
ArgumentException: The 'ClientId' option must be provided.
Parameter name: ClientId
Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions.Validate()
Microsoft.AspNetCore.Authentication.AuthenticationHandler+d__42.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider+d__5.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.FederatedSignOut.FederatedSignoutAuthenticationHandlerProvider+d__3.MoveNext() in FederatedSignoutAuthenticationHandlerProvider.cs
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware+d__7.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.BaseUrlMiddleware+d__3.MoveNext() in BaseUrlMiddleware.cs
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware+d__4.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware+d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()

Show raw exception details

按照demo一猫一样写的，id4一起动就报错，把addwechat段删掉就没事了。

An unhandled exception occurred while processing the request.
MissingMethodException: Method not found: 'Void Microsoft.AspNetCore.Authentication.ClaimActionCollectionMapExtensions.MapCustomJson(Microsoft.AspNetCore.Authentication.OAuth.Claims.ClaimActionCollection, System.String, System.Func`2<Newtonsoft.Json.Linq.JObject,System.String>)'.
Microsoft.AspNetCore.Authentication.WeChat.WeChatOptions..ctor()

请问一下，微信授权成功后，也获取到了用户的userinfo，
但是页面不会跳转到ExternalLoginCallback，用户一直无法登录，