I have a web service (currently localhost:100) which uses Windows Authentication, is served through IIS and is set up with Access Control Allow Origin properties in the web.config:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:81" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
I'm trying to access them from an angularJS app served from static files (html, css & js) which is running from a different server which I'm running on IIS (port 81 currently):
var productSearch = $resource("http://localhost:100/api/ProductSearch/:id");
but I'm getting 401 (Unathorised).
I've set the requesting site to use Windows authentication but with no server side I've no way of knowing if that's working or not. It's not sending any user credentials through to the web service.
So I was being a bit stupid. the line of code I was looking for was:
$http.defaults.withCredentials = true;
This makes it work from anywhere - include the Node dev server.
Related
I have an application which I am trying to migrate to the App services. The authentication was windows auth before migration so I moved it to Azure SSO.
Background -
The application is registered within Azure to leverage single sign on
and we have a reply URL configured within the application and
redirect URI configured in Azure SSO for URL -
https://abc.customdomain.com
The app is hosted within App services and the Azure endpoint URL of
the app services is https://abc.azurewebsites.net
We have also setup a TXT record created within the custom Domain and
added this to App service to verify the ownership of the DNS.
The custom DNS https://abc.customdomain.com is configured and
pointing to the application gateway.
The application gateway is configured to point to the App service.
Issue
When I try testing the application the SSO works as expected but the moment it tries redirecting to the application after Sign on it breaks because of the incorrect redirect URL as the app services has the URL – https://abc.azurewebsites.net
After setting up a CNAME and pointing it to the App services the hosted site works, but we want to have the traffic flow from the Application gateway.
I am having a bit of a problem here.
I have Keycloak where I have enabled CORS (value '*') and I can call endpoint:
/auth/realms/master/protocol/openid-connect/token
from Postman, where I get response with access token and other stuff, but when I try to call that endpoint from my React application, I get CORS error:
I don't get why, since I have set '*' value for Web Origins in that client.
Is this a Keycloak bug, or am I missing something trivial?
Do you have the address 'http://localhost:3000/*' added on the Valid Redirect URIs keycloak config?
I have fixed this issue by creating Web API project in .NET Core (this could be done in any other technology). I have setted CORS policy in my project to allow any domains and then I make direct calls to Keycloak endpoints from .NET Core project. Besides fixing this issue (since .NET Core Web API project is not a browser application, this is working like a charm), this adds another security layer to the Keycloak by hidding client information that is only accessible from .NET Core application. Information like client_id and client_secret are not visible from browser application and no one can do any damage to my clients in Keycloak.
I am using Microsoft.AspNetCore.Authentication.AzureAD.UI package.
And simple authentication in Startup.cs:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
Everything works fine if I publish application to Azure Web App. But my application is inside Docker container and is located in AKS. External LoadBalancer working fine, but doesn't have SSL option. That's why I have tried to configure Front Door or Application Gateway. With no luck.
When I am using Gateway and setting reply URL to https://xxx.xxx.xxx.xxx/signin-oidc I am receiving
AADSTS50011: The reply url specified in the request does not match the
reply urls configured for the application
When to http://xxx.xxx.xxx.xxx/signin-oidc
AADSTS500117: The reply uri specified in the request isn't using a
secure scheme.
Similar story with Front Door and if to remove app.UseHsts() and app.UseHttpsRedirection()
Finally after all my troubles with Microsoft.AspNetCore.Authentication.AzureAD.UI + Kubernetes I have decided to use OpenID Connect
I'm making a mobile app using web api 2 as a back end with an angularjs/html5 front end. As a result, razor is out.
I've found a bunch of third party log in solutions but nothing specific for windows authentication. I wound up restarting my web api project to "individual user Accounts" instead of "windows authentication" since that seems to automatically put in oWin and oAuth. But I'm unsure of where to go from there.
I feel like this is something simple that I'm missing. Can anyone point me in the right direction?
You should configure your WebAPI and IIS to support Windows Authentication.
I assume that you had included
<authentication mode="windows">
in Web.Config of WebAPI. Hope IIS is also configured appropriately.
And when you call your WebAPI from HTML (say $.ajax or equivalent) make sure you include
xhrFields: { withCredentials: true }
in that call.
We have a project (contains a web backend and a mobile api backend) hosted using google app engine (we also using cloud endpoints).
We use spring framework for the web application, mvc & security.
The problem now is that once I enable <csrf/> in our security.xml, the cloud endpoints project will also require a token because of this setting.
<http auto-config="true">
<intercept-url pattern="/" access="ROLE_USER" />
<form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/login?error"
username-parameter="email"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<!-- <csrf/> -->
</http>
Is that possible to config only certain folder or certain controller require this <csrf/> protection? Because I just want this csrf setting to protect my web backend.
Have a separate URI structure for mobile apis like for example "api/mob/getPostsByUserId" and create a new http tag in spring-security config file as
<http auto-config="false" pattern="/mob/**">
//.. your other settings
</http>