I'm going to move sso server application (ASP.NET CORE DOTNET 6) from app service APS1 located in service plan AP1 to new app service APS2 located in different service plan APS2 (can't use Change service plan due to azure restriction on regions and resoruce groups). I cloned sso app from APS1 to APS2, added certificate and switch custom domain from APS1 to APS2. So after the change we have the same application, but located in another app service plan and another app service, under excatly the same domain. What I'm trying to understand is why cookie issued by app located in APS1 is not accpted by the same application, moved to APS2 under exactly the same domain which was switched from APS1. I tried to perform the same operation using sample app from https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0 but with the same results - cookie is not being recognized after switching domain from APS1 to APS2.
What helped was to set the same application name with:
builder.Services.AddDataProtection().SetApplicationName("appName");
Related
I have deployed a staging server under a subdomain and serving it on IIS on a VPS. I published an ASP.NET Core 5 (RazorPages template) app and it is using default identity, requiring login before you can go to any other page. Obviously I want to realize the staging of different applications under this domain so on IIS, I have created a virtual directory under my staging website and pointed it to the physical location where I have deployed the demo app. Physically, the staging website and the demo app are next to each other, but on IIS there is a virtual directory application called /demo under the main iis website. "demo" is also an aspnet core mvc app.
When I type in the Url staging.mysite.com/demo it loads and working fine under its own application pool. What I want to achieve is to create a custom route in the main staging website that will be recognised as /demo (as if there was a demo controller or razor page dir) and redirect back to login if the user is not logged in. Right now it loads the demo app no matter the user is signed in or not. Is this even possible to secure child apps from a parent app? I have read so many articles and msdn documentation but obviously lack fundamental knowledge about IIS and the middlewares. I suspect IIS is not even forwarding the request to aspnet middleware/kestrel when it finds an IIS application on that URL. How should I approach this problem? Any leads will be greatly apppreciated.
Edit: I don't want the authentication on the main website to propagate into the child app. Just want to keep unauthorized access to the child app. Child apps have seperate logins and that is fine for now. Thanks.
I've got Azure ServiceFabric web-app (AspNetCore 3) hosted over reverse proxy (NGinx). The app use AzureAD (in company) authentication. I've Registered App for the AD and setup Redirect Urls mannually in manifest. After publishing the APP and configuring DNS and reverse proxy I tried to authorize to my app but failed with AADSTS500117: The reply uri specified in the request isn't using a secure scheme.
Is it possible to configure client to allow http redirects?
P.S. As I know Identity Server allows it by configuring DiscoveryPolicy.
P.P.S. You can find more information in my origianl question (see. How to change redirect_uri for Azure AD)
What happens?
when you deploy web apps with a reverse proxy, as is, for instance the case with App Services as Linux containers, your application will be called on an HTTP address, whereas its registered redirect URI in the app registration will be HTTPS.
This means that when a user browses to the web app, they will be redirected to login.microsoftonline.com as expected, but with redirect_uri=http://<your app service name>.azurewebsites.net/signin-oidc instead of redirect_uri=https://<your app service name>.azurewebsites.net/signin-oidc.
How to fix it?
In order to get the right result, the guidance from the ASP.NET Core team for working with proxies is in Configure ASP.NET Core to work with proxy servers and load balancers. You should address the issue centrally by using UseForwardedHeaders to fix the request fields, like scheme.
The container scenario should have been addressed by default in .NET Core 3.0. See Forwarded Headers Middleware Updates in .NET Core 3.0 preview 6. If there are issues with this for you, please contact the ASP .NET Core team https://github.com/dotnet/aspnetcore, as they will be the right team to assist with this.
I have a website that's using ASP.NET Core MVC. It's hosted as an App Service in Azure. Authentication happens against Azure AD.
The authentication cookie is a session cookie.
Is there a way to force all existing session cookies to be invalid? Back in the day of .NET Web Forms I would have recycled the app pool or changed the machine key.
I don't care if the cookies still exist, I just want them to no longer be accepted by my web application.
In or to invalidate the auth cookies in an ASP.NET Core application, you need to delete the encryption keys. I am hosting my site an Azure and the encryption keys are stored at %HOME%\ASP.NET\DataProtection-API. There will be one or more XML files stored in that directory, those are the keys. Delete the XML files and restart the web application (you must restart the web application as the keys are stored in-memory).
I ran into an issue where I had scaled out my web application and both web apps started simultaneously. This caused each app to create its own key and (more importantly) be unaware of the other app's key. To help prevent this from happening, I perform the following steps:
Scale down my app service to 1 isntance
Delete the XML files
Restart the web application
Request a page from the web application (ensure it has been restarted)
Scale my app service back up
In Server1 - (IIS hosted, Self Signed Certificate)
I hosted the IdentityServer3 named myDevIds3.com , the Url is exposed to internet, with SSL.
I hosted the ASP.Net MVC Client, which uses ids3 for login, works fine.
I hosted the Web API, which is called by the MVC Client, uses ids3 (in the same server), works fine.
In Development Server / Box.
I hosted MVC client (X), which uses client side js famework (https://github.com/IdentityModel/oidc-client-js) to connect to Server1 hosted ids3 (myDevIds3.com), works fine.
I hosted an Web API, which is called by MVC Client (X), while API uses myDevIds3.com for authorisation. [HERE is the problem]
When I try to access this Web API, I am getting an error in the Startup.cs - The remote certificate is invalid according to the validation procedure.
BUT I tried in other way.
I hosted another IdentityServer3, the MVC Client, the API also in development box, mapped to local identityserver3 with MVC client & apit, looks everything seems to be working with out any issue. If I put everything together in one box, everything seems to be working.
What is wrong in accessing the remote machine IdentityServer3 in Web API which is hosted in local development Box ? Why I am able to access from the browser, but not from development box IIS ?
Appreciate your time and inputs.
Because your ssl cert is probably home made and not trusted. Guessing Chrome also gives you warning about this (?).
CAUTION: This solution is not recommended for production, but this can be used for non production environments, where your data is not critical.
Add below code in Startup.cs (Web API)
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
This can be refered in below link aswell.
C# Ignore certificate errors?
I found this solution helpful, since I want to have identityserver3 DEV hosted centralised and multiple developers need to access it. Hope it might help someone.
I currently have a Mobile Application that communicates through a WCF Service to access a Database. The Mobile App can access on the network as well as externally. It connects to the WCF Service which is hosted on one server inside the network. From there the WCF Service is pointing at another server which is hosting the Database that the Mobile Device is accessing.
With the above process how would you setup authentication using Active Directory which would confirm the user of the Mobile Application before it can access the WCF Service to confirm that the user is a member of AD and they can then login after authorization is complete. This would occur as the user opens up the Application. Would this be coded into the App to prompt for the information, then send the information to the WCF Service which would then allow access? If not this then are there any other ways or information/links that can be provided please?
Take a look at the BUILD 2013 videos. Visual Studio 2013 will create a webproject that will automagically do all that for you (I think). Just bare in mind, it uses the Microsoft.OWin.Security beta packages.
Also...you will need to install the AspNetWebTools2013 package first...
http://www.asp.net/visual-studio/overview/2013/creating-web-projects-in-visual-studio#orgauthoptions