Monday, October 2, 2017

Angular sending access token to Asp.net Web API not working if the email address has a '+' in it


I have security working fine in an application, except when a user tries to login with a '+' in their email.

The access token looks fine (when the email contains a + it looks like this):

Bearer 8BGpt_KkEp-_6U5tUdKqK1xLCQBaWzHcxDT9RRKkbzoF2fHCUNhRL3U-fpLdQIuSXm8RcTOH4ZY3a0UZH6-6IgXxx_ojgyL26179JovRm5xQSZD7ANxLvvdU3ubfcpzSr4tw-sza37UaJh7xDFB8eH0NA9Djt7Ik8Ebxdin7u-n76InCulRAV6xMWgXfF9bwoU8MsV3lrh_zhnxYGnx3O7QUNQ740NUJLHJYH12rBth16CA1AXSF86rA5rUB7vJ7yK09k_FJTifyuldTeFHJHsyscnEIQxGozbf3x1cmZowkiK4Q1r8W0M8uz25m8j_tuMrWawTqYJNZiTuI9afW38WWQ4BRLkQF7TwoMOgZQ-f1K_3W8Zy3x-OsKdQS4i9CapvKe1utCscZVroByvyD9SvpILGiZGTjGD_zCAm8KerMPT5GNOb07kPGV_167PHEXm0TGaJbCelb5gLgXbMXv3GxBQLnYIfPUXCBaKx4UFkY8kFMPs9MxFcGY81p67rfnjeswBZ3PW6fDFTf9U_I8g 

However, when I try to send a secure request with this access token, I get the response:

status: 401 "{"Message":"Authorization has been denied for this request."}" 

As said above, it works without any issue if I remove the plus. This seems to be a Web API issue rather than an Angular issue.

I found that the methods encodeUrl and decodeUrl do not stop the space from being changed to a plus. I have tried the following in the C# code to switch the space to a plus:

var registerEmail = model.email.Replace(' ', '+'); 

This is used in both the login and register actions.

Perhaps it is not possible to use a + in an email in OAuth in Web API 2?

1 Answer

Answer 1

It seems to be a bug in asp.net roles. I am not sure of a clear solution. However, for the time being, I am encoding the username as follows before storing it on register and when logging in:

public static class UsernameEncodingService
{
    public static string returnEncodedUsername(string email)
    {
        var emailAsLower = email.ToLowerInvariant();
        var encodedEmail = Base64Encode(emailAsLower);
        // Base64 output can contain '=' and '+', which are the characters
        // that get mangled in the token request, so replace both.
        // Note: "213" and "214" can also occur naturally in Base64 text, so
        // this mapping is not reversible; it only needs to be stable so the
        // same e-mail always maps to the same stored username.
        var encodedEmailWithoutEquals = encodedEmail.Replace("=", "213");
        var encodedEmailWithoutPlus = encodedEmailWithoutEquals.Replace("+", "214");
        // Return the fully replaced value (the original returned the
        // intermediate string and dropped the '+' replacement).
        return encodedEmailWithoutPlus;
    }

    private static string Base64Encode(string plainText)
    {
        var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
        return System.Convert.ToBase64String(plainTextBytes);
    }
}
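An added example (not code from the question or the answer) that shows the behaviour the question describes: a '+' in a form-encoded token request is read back as a space unless it is percent-encoded as %2B, together with a JavaScript port of the answer's Base64 workaround so its output can be checked. It assumes the token endpoint reads an application/x-www-form-urlencoded body, as the OAuth 2.0 password grant does; the e-mail addresses are constructed sample values.

```javascript
// Parse a form body the way a server does: '+' means space, %XX is decoded.
// Built here to show what the Web API side sees; it is not Web API code.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    const [k, v = ""] = pair.split("=");
    const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
    fields[decode(k)] = decode(v);
  }
  return fields;
}

// Naive client body: the raw '+' in the e-mail arrives as a space, so the
// username no longer matches the registered account and the grant fails.
function naiveTokenBody(username, password) {
  return `grant_type=password&username=${username}&password=${password}`;
}

// Percent-encoded client body: URLSearchParams writes '+' as %2B, so the
// server decodes the e-mail exactly as the user typed it.
function encodedTokenBody(username, password) {
  return new URLSearchParams({ grant_type: "password", username, password })
    .toString();
}

// Port of the answer's workaround (lower-case, Base64, replace '=' and '+').
// As in the answer, "213"/"214" may also occur in ordinary Base64 output, so
// the mapping is stable but not reversible.
function encodeUsername(email) {
  const b64 = Buffer.from(email.toLowerCase(), "utf8").toString("base64");
  return b64.replace(/=/g, "213").replace(/\+/g, "214");
}

// Does a stored username contain any character the form encoding would mangle?
function isFormSafe(username) {
  return !/[+=\s]/.test(username);
}

// Sample run with a constructed address.
const sampleEmail = "Alice+Bob@Example.com";
console.log(parseFormBody(naiveTokenBody(sampleEmail, "pw")).username);
console.log(parseFormBody(encodedTokenBody(sampleEmail, "pw")).username);
console.log(encodeUsername(sampleEmail), isFormSafe(encodeUsername(sampleEmail)));
```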