We launch the site, go to the ip address, log in and everything works. If you then go to this site using the domain name, the authorization works, but an error occurs when sending get / post requests to the server: "Failed to load resource: the server responded with a status of 401 (unauthorized)"
Please note that authorization in both cases is successful. The error occurs when the HttpClient sends a request.
The same problem occurs if the server has several network interfaces with different networks (for example, local and work). The site will work correctly only for one network.
The project was created based on a standard template: Blazor WebAssembly App (Core hosted) and Identity server.
Configuring Kestrel in a file appsettings.json
{
...
"IdentityServer": {
"Clients": {
"BlazorAppCore5.Client": {
"Profile": "IdentityServerSPA"
}
},
"Key": {
"Type": "Development"
}
},
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "https://*:5001"
}
}
},
"AllowedHosts": "*"
}
We publish the project and run.
We go to the site by computer name and log in: "https://desktop-9thm5hg:5001/"
Works!
And now we go to 127.0.0.1 or localhost: "https://127.0.0.1:5001/"
Authorization works, pages "Home" and "Counter" are working. They don't use the HttpClient.
Now go to page fetchdata.
Attention! If you restart the site and go to "https://127.0.0.1:5001/" for the first time, it will not work on "https://desktop-9thm5hg:5001/".
Checked on ASP.NET Core version 3.1, 5.0
You should aim to have one domain name for your identityServer that is used by all clients and API's. Also its best practice to use HTTPS everywhere and for HTTPS you need certificates and a domain.
The issuer is also part of the tokens and the token validation will be problematic when the name of the issuer (Ip or domain changes)
Related
I have a fully functioning Duende IS6 solution, servicing an Angular client. However the Seq log output contains a lot of these entries with each request:
{
"#t": "2023-01-08T19:14:58.3783602Z",
"#mt": "AuthenticationScheme: {AuthenticationScheme} was not authenticated.",
"#m": "AuthenticationScheme: idsrv was not authenticated.",
"#i": "19c670d5",
"#l": "Debug",
"AuthenticationScheme": "idsrv",
"EventId": {
"Id": 9,
"Name": "AuthenticationSchemeNotAuthenticated"
},
"SourceContext": "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler",
"RequestId": "0HMNHLIGV47GF:00000002",
"RequestPath": "/.well-known/openid-configuration/jwks",
"ConnectionId": "0HMNHLIGV47GF",
"application": "dev.identity"
}
Does anyone know what the issue is here? To be clear, my app functions and authenticates just fine so whatever it is doesn't appear to be causing an issue, just filling up my logs.
(apols for earlier version tag but could not tag identityserver6 as not enough rep)
The error is because ASP.NET Core did not find any cookie that it could convert into a ClaimsPrincipal user.
As you mention, requests to "/.well-known/openid-configuration/jwks" is never made by the browser, instead its made by the client and apis on the backend to retrieve the signing keys. And in these requests, there is no cookie to authenticate.
I'm working on a project which is using PassportJS Google OAuth 2.0. When I test on my local machine (with a React client on localhost:3000 and a Express server on localhost:4000), the flow works fine. I am able to send requests to the server and deserialize the user on each request. However, when I host the client on Google Firebase Hosting and the server on Heroku, the user no longer get deserialized on each request.
Here are some specifics of the things I've done / tried / worked locally along with extra information:
The client and server and hosted on different domains.
I am using axios to send the request to the server. In the request, I make sure to set the "withCredentials" property in the options to true to make sure the cookies connected to that domain are sent on each request.
On the server I have CORS enabled for the domain the client is hosted on (as it is currently being hosted on a different domain) and I have "credentials" set to true to allow the credentials to be sent and received.
Please let me know if I've forgotten to include something in the post or if any extra information would be helpful. Thank you in advance.
I don't know if you fix this, but I got the exact same problem, in my case I added sameSite: "none" in my express session setting, it worked.
cookie: {
sameSite: "none", //add this line
...
},
I have strictly followed the Application Registration for AIP Scanner detailed on the following link.
https://learn.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-powershell#how-to-label-files-non-interactively-for-azure-information-protection
But every time i ran the following command I get an Authentication Error.
Set-AIPAuthentication -WebAppId "xxxxxx-xxxx-xxxx-xxxx-xxxxxx" -WebAppKey "xxxxx/xxx/xxxx" -NativeAppId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection
At line:1 char:1
+ Set-AIPAuthentication -WebAppId "eb10438f-d9bb-4cb1-946a-007223bcaaf4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (:) [Set-AIPAuthentication], PowershellException
+ FullyQualifiedErrorId : Microsoft.InformationProtection.Powershell.AIP.Commandlets.SetAIPAuthenticationCmdLet
On Fiddler I can see the following response when Authenticating against Azure AD
{
"error": "invalid_client",
"error_description": "AADSTS7000218: The request body must contain the following parameter: client_assertion or client_secret.\r\nTrace ID: 9859831a-e097-41df-933e-ead751464601\r\nCorrelation ID: 671215c0-0656-44bb-a4a9-fd1f4353fd37\r\nTimestamp: 2020-11-10 14:35:53Z",
"error_codes": [
7000218
],
"timestamp": "2020-11-10 14:35:53Z",
"trace_id": "9859831a-e097-41df-933e-ead751464601",
"correlation_id": "671215c0-0656-44bb-a4a9-fd1f4353fd37",
"error_uri": "https://login.microsoftonline.com/error?code=7000218",
"claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"2016b1b4-bae5-44f2-abea-01dd12217771\"]}}}"
}
Which step on this guide I missed? and how do I troubleshoot it on Azure side? I can guarantee after 100 tests that WebAppID, WebAppKey and NativeAppId are ok. As far I can see it, I am not able to go further the first step on this OAUTH On-behalf flow.
This is because your AIPClient Azure AD app is not Public client app.
Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to safely keep application secrets, and therefore access Web APIs in the name of the user only (they only support public client flows). Public clients are unable to hold configuration time secrets, and as a result have no client secret.
Please see the 22th step here:
On the Register an application pane, specify the following settings,
and then select Register:
Name: AIPClient
Supported account types: Accounts in this organizational directory only
Redirect URI (optional): Public client (mobile & desktop) and http://localhost
Make sure that you select "Public client (mobile & desktop)" for Redirect URI.
And you can go to the manifest file of the Azure AD app, in the manifest editor, set the allowPublicClient property to true.
I'm very new to ADFS and the Web Application Proxy. That said, I've recently setup an ADFS server and a WAP server and have all of the configuration setup to successfully handle SAML SSO to my custom application.
I am now attempting to use the Webfinger endpoint. By default, that endpoint is enabled (and proxy enabled). Unfortunately, I have not been able to get any meaningful response from this endpoint and am unsure even how to set it up. Searching for "ADFS Webfinger" documentation has been fruitless. Honestly, I can't find anything other than discussions of an Event Viewer error and other useless information.
I have attempted various combinations of URLs.
https://my-adfs-server/.well-known/webfinger?resource=https%3A%2F%2Fmy-adfs-server%2Fadfs%2F/ls&rel=http://schemas.microsoft.com/rel/trusted-realm
This gives me back a JSON:
{
"subject": "https://my-adfs-server",
"links": [
{
"rel": "http://schemas.microsoft.com/rel/trusted-realm",
"href": "https://my-adfs-server"
}
]
}
but it is the only URL I have found that returns anything.
https://my-adfs-server/.well-known/webfinger?resource=acct:<myemail>
This gives me a 404 with a valid email (acct).
What am I missing? Even if that last URL was working, how do I resolve it to specify information that should be returned in the JRD document for this particular account? Do I need IIS installed (I don't have it installed currently) and custom code?
Thanks for any help/insight.
Pink
I am currently working on making my REST Api Server (NodeJS + Express + Mongoose) secure, so nobody, except my client application (AngularJS 1.6) and my admin application (based on AngularJS 1.6), can access the routes and fetch or put data into my database. Everything is running on https with a valid SSL certificate.
I mainly thought about two approaches:
Shared secret keys where specific routes needs an "access key"
Client certificate authentication
I went with no. 2, because in my thoughts this is the most secure (please correct if I am wrong :))
So I set up my API Server to run on https and request a valid client certificate:
var options = {
ca: fs.readFileSync(__dirname + "/cert/server.ca"),
key: fs.readFileSync(__dirname + "/cert/server.key"),
cert: fs.readFileSync(__dirname + "/cert/server.crt"),
requestCert: true,
rejectUnauthorized: false
};
https.createServer(options, app)
.listen(PORT, () => {
console.log(`up and running #: ${os.hostname()} on port: ${PORT}`);
console.log(`enviroment: ${process.env.NODE_ENV}`);
});
I handle the rejection of unathorized users directly in the app via:
if (!req.client.authorized) {
var cert = req.socket.getPeerCertificate();
console.log("unauthorized: ", cert);
return res.status(401).send('Not authorized!');
}
And here the problems begin :). On every request my client application does I receive an error:
401 - not authorized
I thought that the client application is sending the SSL certificate with every request (or if requested by nodejs) via "requestCert" and everything is working just fine. But it seems to be a bit more complicated.
In my server.ca file I currently have the certificate chain which I received from the CA.
In console.log the transmitted certificate in the request, but its always empty.
What am I doing wrong? Do I have to configure Angular to send it along with every request? Any suggestions?