I had indetity server4 and I had to add session management. I upgrated the application version to duende identityserver 6.2. And created a database based on PersistedGrantDbContext and ConfigurationDbContext.
enter image description here
my database asp .NET core identity Users
enter image description here
my configurations
enter image description here
Now I get a token using connect/token
and the token is valid.
But now sessions are not saved to the ServerSideSessions and Devices table in the DeviceCodes table.
How do me added saving sissions and devices in my database?
To add management using interface ISessionManagementService?
Thanks in advance for the answers!
I advise you to implement your session management logic.
Step 1
Create a UserSessions table, then when the user gets an accessToken save the session to that table.
Step 2
When you need to delete a session, you give the records from the PersistedGrants table and delete the corresponding sessions.
But there is one drawback to this implementation:
A user's session will only die when their accessToken expires.
Related
I created an Azure Function to load data from Eudonet CRM to my Azure SQL Database. I have two databases :
named Datawarehouse
named Datawarehouse-Dev
Both databases are identical and are in the same server.
When I load data directly to "Datawarehouse" the copy works fine, but when I change the database name to "Datawarehouse-Dev", I receive the following errors :
Index #0 Message: Login failed for user 'AzureFunction'. LineNumber: 65536 Source: Core .Net SqlClient Data Provider Procedure: Error Code:18456
-- Sql server error. If error code <17: => check sql transac code (user error). Else: => software or hardware errors (check availability of database)
Login failed for user 'AzureFunction'.
If anyone has an idea on where the problem could come from I would be very grateful and I also don't understand why there is an authentification error since they're both in the same server and are accessed with the same user/password.
Thanks in advance
Though #adnane already resolved the issue after using the connection string directly into Function application setting instead of storing it into Vault. This approach might compromise the application security because using connection string directly might expose it to unauthorized person.
Azure Key Vault is a good place to keep our application credentials in a secured and centralized manner. Moving the secrets to Key Vault becomes even more important while our Azure solution is growing.
In case, if anyone still looking for the solution by storing the connection string in Azure Key Vault and then using it in the Function, please follow the below steps.
Firstly, open the Azure Key Vault service and from the Settings menu select Access policies. Then select + Add new access policy.
Then choose Select principal and search for the name of the Function App as shown in below example.
Once your principal is selected choose the Secret permissions menu. In this case, we’ll only need to get the secret from the Key Vault (concretely read our connection string). Therefore, check Get permission only and then select OK.
At the end, select Save to store the new functionapp-demo-mw access policy.
ADDING SECRET TO AZURE KEY VAULT
Adding a secret to Azure Key Vault is straightforward. From the Key Vault, Settings menu select Secrets and then select + Generate/Import secret.
For Key Vault secret two values are required – name and the value. In this case we’ve called our secret OrderManagementDbConnectionString and as a value we put our SQL Database connection string. Select Create to save the secret.
By default, the secret is Enabled so it’s ready to use. Once the secret is created, we’ll need to get its URI (a unique location identifying the secret). Go to the Settings menu and select Secrets. We’ll find here our recently added secret (OrderManagementDbConnectionString). Select the secret and we’ll see it’s the only version in the list.
Select the current version of secret and copy its secret identifier. The identifier is an URI with pattern : https://<url_of_the_key_value>/<secret_name>/<secret_version>.
GETTING SECRET FROM KEY VAULT IN AZURE FUNCTION APP
Go back to the Azure Function App (functionapp-demo-mw) and on the Overview tab, select Configuration in Configured featured section.
Well, Select + New application settings. Put a name that describes the new setting (we’ve put OrderManagementConnectionString). At the end of the last year, Microsoft has added an option of sourcing Key Vault secrets directly from App Settings. This simplifies a lot the way how the secrets were used before. So, set the value of the setting to a secret reference in the following format:
#Microsoft.KeyVault(SecretUri=**secret_uri_with_version**)
We just need to replace secret_uri_with_version with the value we’ve previously copied from the secret in Azure Key Vault.
In Azure Function, you’ll just retrieve the value from the application settings and work with it the same way as it was directly a connection string stored in application settings.
// get value from appliction settings
var connectionString = Environment.GetEnvironmentVariable("OrderManagementConnectionString");
// create connection
SqlConnection connection = new SqlConnection(connectionString);
I have a web application that read and write from/to database and I use with always encrypted.
When I tried my web application in my local device(where I developed the site) it's work perfect but when I created web site in the server it's can't read from the database because my application doesn't found the CEK(the public key cert).
In the server I created a new database and do the always encrypted, and add the applicationpoolidentity to my database with the following steps:
Add login account IIS APPPOOL\name applicationpoolidentity.
Add the login as user in the relevant database.
I search a lot for solution but nothing work.
For example:
Create new windows user connect to database with SQL Server in
Single-User Mode : I saw that solution will be problematic.
Add name application pool identity as login windows auth in the
SQL-Server but not working. Who can i connect with application pool
identity as login to SQL-Server?
I gave up, I need help :)
OK, after many searches for a soulotion I found one.
Untill now I created always with Current User Certificate Stores and because of that I can't use with the cert in all users.
So I generate new certificate in Local Machine Certificate Stores
and add the application pool identity to the cert permissions with the following steps:
run mmc.
Click Certificates -> right click on the specific cert -> all task -> manage private key -> click add -> enter the name application pool identity to the textbox -> click ok -> check v on read permission and click ok.
Now the always encrypted work perfect.
Scenario 1: Assume I have angular client with implicit grant type. I am also using asp.net identity to log in with database users. I log in as user Bob. I access my list of cars. For each car I have an option to edit my car. Each row has edit button and id of car.
Example of get url in each row: http://localhost:5000/cars/id/1
Let's say I enter randomly some id of car:
http://localhost:5000/cars/id/345 which is someone else's user car.
How does identity server protects other user data in this situation?
Scenario 2: let's have identity manager set up with identity server openid authentication. Which username and password are we authenticating to gain access identity manager to manage users ? If it is user from aspnet identity database then every user inside there can access identity manager...?
They don’t.
It’s not responsibility of Identity Server.
Identity server main responsibility is to take care of Authentication.
Scenario 1
Authorization is not part of identity server except for basic client/scope based authorization defined in OAuth. Identity server just handles the authentication part. Have a look here for implement authorization on an asp.net core app. https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased
Basically, Identity server gives the user identity. So you can validate if that user has access to the given resource.
Scenario 2
You can define users with certain role claim(e.g. Role:IdentityManagerAdministrator) in your user store, and validate if the logged in user has that role in identityManager. see
Secure IdentityManager with IdentityServer3
I've installed WSO2 Identity Server 5.0 and have configured a secondary user store with Active Directory. It is able to pull in users as I can see them under Users and Roles. However when I click on a users' profile the Identity Server comes back with "Error while loading user profile metadata".
Any ideas?
Have you made any changes in the <IS_HOME>/repository/conf/claim-config.xml or the <IS_HOME>/repository/deployment/server/userstores/<userstore_domain_name>.xml ?
If so please double check if there are any invalid characters in it.
This is possible in the scenario where invalid characters are present.
I'm trying to find a tutorial or help for solve this scenario.
In my MVC 4 application I want to have a Database where I store login information (username, password, connection strings ).
When User Login success, I want to open database with connection string stored in User Table, and get the policy from specific database (this database also contains the application data).
This means that a user can access to multiple database, and have different policy on every database.
Administrator can create a new user on Login Database, associate user with databases, and set policies for every Database.
Someone can help me or know a tutorial for doing that.
Thanks