Duende IdentityServer 6.20 .Net6.0 "AuthenticationScheme: idsrv was not authenticated" - identityserver4

I have a fully functioning Duende IS6 solution, servicing an Angular client. However the Seq log output contains a lot of these entries with each request:
{
"#t": "2023-01-08T19:14:58.3783602Z",
"#mt": "AuthenticationScheme: {AuthenticationScheme} was not authenticated.",
"#m": "AuthenticationScheme: idsrv was not authenticated.",
"#i": "19c670d5",
"#l": "Debug",
"AuthenticationScheme": "idsrv",
"EventId": {
"Id": 9,
"Name": "AuthenticationSchemeNotAuthenticated"
},
"SourceContext": "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler",
"RequestId": "0HMNHLIGV47GF:00000002",
"RequestPath": "/.well-known/openid-configuration/jwks",
"ConnectionId": "0HMNHLIGV47GF",
"application": "dev.identity"
}
Does anyone know what the issue is here? To be clear, my app functions and authenticates just fine so whatever it is doesn't appear to be causing an issue, just filling up my logs.
(apols for earlier version tag but could not tag identityserver6 as not enough rep)

The error is because ASP.NET Core did not find any cookie that it could convert into a ClaimsPrincipal user.
As you mention, requests to "/.well-known/openid-configuration/jwks" is never made by the browser, instead its made by the client and apis on the backend to retrieve the signing keys. And in these requests, there is no cookie to authenticate.

Related

401 How to configure the simultaneous operation of the site by domain name and IP address in blazor wasm + identityserver?

We launch the site, go to the ip address, log in and everything works. If you then go to this site using the domain name, the authorization works, but an error occurs when sending get / post requests to the server: "Failed to load resource: the server responded with a status of 401 (unauthorized)"
Please note that authorization in both cases is successful. The error occurs when the HttpClient sends a request.
The same problem occurs if the server has several network interfaces with different networks (for example, local and work). The site will work correctly only for one network.
The project was created based on a standard template: Blazor WebAssembly App (Core hosted) and Identity server.
Configuring Kestrel in a file appsettings.json
{
...
"IdentityServer": {
"Clients": {
"BlazorAppCore5.Client": {
"Profile": "IdentityServerSPA"
}
},
"Key": {
"Type": "Development"
}
},
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "https://*:5001"
}
}
},
"AllowedHosts": "*"
}
We publish the project and run.
We go to the site by computer name and log in: "https://desktop-9thm5hg:5001/"
Works!
And now we go to 127.0.0.1 or localhost: "https://127.0.0.1:5001/"
Authorization works, pages "Home" and "Counter" are working. They don't use the HttpClient.
Now go to page fetchdata.
Attention! If you restart the site and go to "https://127.0.0.1:5001/" for the first time, it will not work on "https://desktop-9thm5hg:5001/".
Checked on ASP.NET Core version 3.1, 5.0
You should aim to have one domain name for your identityServer that is used by all clients and API's. Also its best practice to use HTTPS everywhere and for HTTPS you need certificates and a domain.
The issuer is also part of the tokens and the token validation will be problematic when the name of the issuer (Ip or domain changes)

How to use ADFS Webfinger Endpoint?

I'm very new to ADFS and the Web Application Proxy. That said, I've recently setup an ADFS server and a WAP server and have all of the configuration setup to successfully handle SAML SSO to my custom application.
I am now attempting to use the Webfinger endpoint. By default, that endpoint is enabled (and proxy enabled). Unfortunately, I have not been able to get any meaningful response from this endpoint and am unsure even how to set it up. Searching for "ADFS Webfinger" documentation has been fruitless. Honestly, I can't find anything other than discussions of an Event Viewer error and other useless information.
I have attempted various combinations of URLs.
https://my-adfs-server/.well-known/webfinger?resource=https%3A%2F%2Fmy-adfs-server%2Fadfs%2F/ls&rel=http://schemas.microsoft.com/rel/trusted-realm
This gives me back a JSON:
{
"subject": "https://my-adfs-server",
"links": [
{
"rel": "http://schemas.microsoft.com/rel/trusted-realm",
"href": "https://my-adfs-server"
}
]
}
but it is the only URL I have found that returns anything.
https://my-adfs-server/.well-known/webfinger?resource=acct:<myemail>
This gives me a 404 with a valid email (acct).
What am I missing? Even if that last URL was working, how do I resolve it to specify information that should be returned in the JRD document for this particular account? Do I need IIS installed (I don't have it installed currently) and custom code?
Thanks for any help/insight.
Pink

Logic apps ARM deployment fails for API connections using OAuth that already exist and are connected

Recently I'm gettings errors when deploying logic apps using ARM templates. I get the errors for certain API connections that are used by the logic apps. The error I receive is:
Input parameters are invalid. See details for more information. Details:errorCode: ParameterNotDefined. Message: Parameter '$connectionCreator' is not allowed on the connection since it was not defined as a connection parameter when the API was registered.
I only get these errors for existing and authenticated connections of type dynamicscrmonline and azureeventgrid. As long as the connection doesn't exist or isn't yet authenticated, the deployment succeeds. It appears to be happening only with API connections that use OAuth. This used to work in the past and I'm not sure what changed.
This is an example of a connection that gives me the error:
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[parameters('dynamicscrmonline_1_Connection_Name')]",
"location": "westeurope",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', 'westeurope', '/managedApis/', 'dynamicscrmonline')]"
},
"displayName": "[parameters('dynamicscrmonline_1_Connection_DisplayName')]"
}
},
I had the same error with Azure AD API and send grid.
Try to delete the existing connections API associated to your existing Logic App and then redeploy.
It works for me.

App Engine Admin API Error - The "appengine.applications.create" permission is required

We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)

"Access not configured" when accessing google cloud endpoints from web app

I wrote a webapp with angularjs frontend, google app engine for storing data, and google cloud endpoints for api access from the frontend client. I tested everything fine locally, but after deploying, accessing the api from the frontend javascript client gives me the following error:
[
{
"error": {
"code": 403,
"message": "Access Not Configured",
"data": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
]
},
"id": "gapiRpc"
}
]
I've checked the production api explorer after deployment and it works fine. Also, I tried directly accessing the api by URL which also works fine. Just the frontend client does not work. Any ideas?
Turns out I set the API key in the client with gapi.client.setApiKey(API_KEY); where the API Key is the browser key from the cloud console. I removed this and it works fine. I have no idea what the API key is for.
I'm looking at the problem now on one of my projects. Might be that the ipv6 address must be registered for the project. Take a look at this post Google API returning Access Not Configured
The usual reason for this is that the API, which is being queried is not yet enabled in Google Console by the time of the request. Once it is turned on - error goes away.

Resources