This is part of a desktop application.
Based on https://learn.microsoft.com/en-us/bingwebmaster/oauth2
The following code to exchange the authorization code for the access and refresh tokens was working as of a few months ago...
try
{
HttpWebRequest req = WebRequest.CreateHttp("https://www.bing.com/webmasters/oauth/token");
req.Method = WebRequestMethods.Http.Post;
req.ContentType = "application/x-www-form-urlencoded";
StringBuilder content = new StringBuilder();
content.AppendFormat("code={0}&", Uri.EscapeDataString(code));
content.AppendFormat("client_id={0}&", Uri.EscapeDataString(clientId));
content.AppendFormat("client_secret={0}&", Uri.EscapeDataString(clientSecret));
content.AppendFormat("redirect_uri={0}&", Uri.EscapeDataString(redirectUri));
content.AppendFormat("grant_type={0}", Uri.EscapeDataString("authorization_code"));
var data = Encoding.ASCII.GetBytes(content.ToString());
using (var stream = await req.GetRequestStreamAsync())
{
await stream.WriteAsync(data, 0, data.Length);
}
string json;
using (var res = await req.GetResponseAsync())
{
using (var stream = res.GetResponseStream())
using (var sr = new StreamReader(stream))
{
json = await sr.ReadToEndAsync();
}
}
if (!string.IsNullOrWhiteSpace(json))
{
tokenResponse = JsonConvert.DeserializeObject<TokenResponse>(json);
}
}
catch (WebException wex)
{
using (var stream = wex.Response.GetResponseStream())
using (var sr = new StreamReader(stream))
{
var t = await sr.ReadToEndAsync();
}
}
catch (Exception ex)
{
}
However, await req.GetResponseAsync() now returns
400 Bad Request, Origin and Referer request headers are both absent/empty
I tried adding req.Referer = redirectUri; and then it returns
400 Bad Request, Could not extract expected anti-forgery token
I've tried passing a random state parameter to the authorization endpoint, and received the same in the callback. I've both included it in, and excluded it from, the token exchange with no change in the above results.
I'm not an OAuth expert, but I've done a few integrations and I haven't seen this before.
The user grants authorization via a Window with a WebView2 control, which returns the code. This part still works well. I did some quick poking around in the response to see if anything related to anti-forgery/CSRF was being returned from the server, but I didn't notice anything. And anyway, the documentation hasn't change regarding what is needed to request the tokens so everything is basically trial and error at this point.
So my question is, if you have seen this referer/anti-forgery problem in any OAuth implementation how did you fix it or work around it? Or if you're using a Bing Webmaster Tools API solution (custom or otherwise) is it still working?
Beyond that, I'm open to ideas and I appreciate your time.