The Keycloak server is running on port 8443, and for authorization I use a JWT that carries all the info.
The HTTPS port gives a certificate error:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:8443/auth/realms/Smf-Portal/.well-known/openid-configuration'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://localhost:8443/auth/realms/Smf-Portal/.well-known/openid-configuration'.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
For example:
{
  "exp": 1624451309,
  "iat": 1624451009,
  "jti": "6dea03d9-49d7-4d0e-a81f-91cbc38fe595",
  "iss": "https://default-host:8443/auth/realms/Smf-Portal",
  "sub": "2c2402ad-37c5-4039-b78f-07f9e47cdc35",
  "typ": "Bearer",
  "azp": "timesheet-microservice",
  "session_state": "43e86783-38e1-42de-a4aa-ed229887504b",
  "acr": "1",
  "allowed-origins": [
    "https://localhost:5004"
  ],
  "realm_access": {
    "roles": [
      "app-user"
    ]
  },
  "resource_access": {
    "timesheet-microservice": {
      "roles": [
        "user"
      ]
    }
  },
  "scope": "profile email",
  "email_verified": true,
  "preferred_username": "employee1"
}
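The exception above is a server-certificate trust failure between the JwtBearer middleware and Keycloak, which is fixed by trusting the Keycloak certificate on the API host, not by switching validation off; note also that the token's iss names default-host while the metadata URL in the error uses localhost, so the two must agree or issuer validation fails next. The following is an added example, not code from the question, covering the claim checks a resource server applies once metadata can be fetched; it assumes the API accepts only tokens issued to the timesheet-microservice client and performs no signature verification.

```python
"""Claim checks for a Keycloak access token like the one in the question.
Added example, not from the original post. It does not verify the signature
or fetch realm metadata; it covers the claim checks that follow once the TLS
problem is fixed."""

# Claims copied from the token in the question.
TOKEN_CLAIMS = {
    "exp": 1624451309,
    "iat": 1624451009,
    "iss": "https://default-host:8443/auth/realms/Smf-Portal",
    "typ": "Bearer",
    "azp": "timesheet-microservice",
    "realm_access": {"roles": ["app-user"]},
    "resource_access": {"timesheet-microservice": {"roles": ["user"]}},
}


def validate_claims(claims, expected_issuer, expected_client, now, skew=60):
    """Return a list of problems; an empty list means the claims are acceptable.
    `now` is Unix time; `skew` (seconds) tolerates clock drift between hosts."""
    problems = []
    # The issuer must be exactly the authority the resource server trusts. Here
    # the token says "default-host" while the middleware fetched metadata from
    # "localhost", so the two have to be made to agree.
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    if claims.get("typ") != "Bearer":
        problems.append("unexpected token type")
    # Keycloak records the requesting client in azp; the API should only accept
    # tokens issued to clients it knows about (assumed policy for this example).
    if claims.get("azp") != expected_client:
        problems.append(f"token issued to client {claims.get('azp')!r}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or now > exp + skew:
        problems.append("token expired")
    if iat is not None and iat > now + skew:
        problems.append("token issued in the future")
    return problems


def client_roles(claims, client):
    """Roles granted for one client (resource_access), e.g. for a policy check."""
    return claims.get("resource_access", {}).get(client, {}).get("roles", [])


def realm_roles(claims):
    """Realm-wide roles (realm_access)."""
    return claims.get("realm_access", {}).get("roles", [])
```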
We use LDAP as our access into HashiCorp Vault.
One of our users was deleted and recreated in AD... This user cannot log into the vault any longer, receiving an "Authentication failed: internal error" (rather than an "Authentication failed: ldap operation failed", which we see for a user that is not in AD or with an invalid password).
The only error we see is in the vault_audit.log (with passwords and accessors munged, IP changed, and my name substituted as the example):
{
  "time": "2022-09-12T19:03:55.457492415Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:xxxxxxx",
    "accessor": "hmac-sha256:yyyyyyy",
    "display_name": "ldap-ssiegler",
    "token_policies": [
      "default"
    ],
    "metadata": {
      "username": "ssiegler"
    },
    "entity_id": "aca5c682-b0c4-2f51-9681-b4244a23720b",
    "token_type": "service"
  },
  "request": {
    "id": "275b5b49-80ff-ee5f-a7f8-1e0c5a3dc645",
    "operation": "update",
    "namespace": {
      "id": "root"
    },
    "path": "auth/ldap/login/ssiegler",
    "data": {
      "password": "hmac-sha256:zzzzzzz"
    },
    "remote_address": "192.168.205.23"
  },
  "response": {},
  "error": "internal error"
}
"error": "internal error"
being the only information...
I have removed the entities that referenced this user, with no change, and created a new entity that was able to take this AD user as an alias, so AD does see him...
Ideas?
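Separating "internal error" responses from ordinary credential failures on the LDAP login path is exactly the distinction the question draws, and it is worth doing over the whole audit log rather than one entry. The following is an added example, not from the original post, that parses Vault audit-log lines in the format shown above; the sample lines are constructed to mirror that entry, with placeholder HMACs and addresses.

```python
"""Triage HashiCorp Vault audit-log entries for failed LDAP logins.
Added example, not from the original post; sample lines are constructed to
mirror the entry in the question, with placeholder HMACs and addresses."""
import json
from collections import Counter

LDAP_LOGIN_PREFIX = "auth/ldap/login/"

# Constructed sample: the "internal error" case from the question, an ordinary
# bad-credential failure, a successful login, and one unparseable line.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","auth":{"display_name":"ldap-ssiegler","metadata":{"username":"ssiegler"},'
    '"entity_id":"aca5c682-b0c4-2f51-9681-b4244a23720b"},"request":{"path":"auth/ldap/login/ssiegler",'
    '"remote_address":"192.168.205.23"},"response":{},"error":"internal error"}',
    '{"type":"response","auth":{},"request":{"path":"auth/ldap/login/jdoe",'
    '"remote_address":"192.168.205.40"},"response":{},"error":"ldap operation failed"}',
    '{"type":"response","auth":{"metadata":{"username":"jdoe"}},"request":{"path":"auth/ldap/login/jdoe",'
    '"remote_address":"192.168.205.40"},"response":{"auth":{"client_token":"hmac-sha256:placeholder"}}}',
    "not json at all",
]

def ldap_login_failures(lines):
    """Yield (username, remote_address, error, entity_id) for failed LDAP logins.
    The username comes from the request path, which Vault records even when the
    login produced no token and auth.metadata is empty."""
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skipped here, count it in production
        request = entry.get("request", {})
        path = request.get("path", "")
        if (entry.get("type") != "response" or not path.startswith(LDAP_LOGIN_PREFIX)
                or not entry.get("error")):  # skip non-responses, other paths, successes
            continue
        yield (path[len(LDAP_LOGIN_PREFIX):], request.get("remote_address"),
               entry["error"], entry.get("auth", {}).get("entity_id"))

def summarize(lines):
    """Count failures per error string and list the "internal error" ones, which
    point at Vault-side state (such as a stale entity) rather than a bad password."""
    by_error = Counter()
    internal = []
    for user, addr, error, entity_id in ldap_login_failures(lines):
        by_error[error] += 1
        if error == "internal error":
            internal.append({"user": user, "remote_address": addr, "entity_id": entity_id})
    return by_error, internal
```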
I need to understand why the query below failed in GCP BigQuery. What are the possible reasons for the failure?
These are the 3 DB cursors that failed for the script ingesting the data into Mongo:
All 3 were running on the same table, and they got an authentication error:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "errors": [
      {
        "message": "Login Required.",
        "domain": "global",
        "reason": "required",
        "location": "Authorization",
        "locationType": "header"
      }
    ],
    "status": "UNAUTHENTICATED"
  }
}
As per Authentication and authorization for SPAs, I have created a new SPA with support for API authorization. You can view this on GitHub.
In order to support integration tests, I have added a new client (see appsettings.json) that is allowed the resource owner password grant type:
"SecureSpa.IntegrationTests": {
  "Profile": "IdentityServerSPA",
  "AllowedGrantTypes": [ "password" ],
  "ClientSecrets": [ { "Value": "K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=" } ],
  "AllowedScopes": [ "SecureSpaAPI", "openid", "profile" ]
}
Then within WeatherForecastControllerTests.cs, I attempt to request the token as follows:
var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
{
    Address = disco.TokenEndpoint,
    ClientId = "SecureSpa.IntegrationTests",
    ClientSecret = "secret",
    Scope = "SecureSpaAPI openid profile",
    UserName = "demouser#securespa",
    Password = "Pass#word1"
});
When running the test, I've tried many different combinations; however, the result is usually the same (unauthorized_client). This is the relevant log output from Identity Server:
IdentityServer4.Endpoints.TokenEndpoint: Debug: Start token request.
IdentityServer4.Validation.ClientSecretValidator: Debug: Start client validation
IdentityServer4.Validation.BasicAuthenticationSecretParser: Debug: Start parsing Basic Authentication secret
IdentityServer4.Validation.PostBodySecretParser: Debug: Start parsing for secret in post body
IdentityServer4.Validation.SecretParser: Debug: Parser found secret: PostBodySecretParser
IdentityServer4.Validation.SecretParser: Debug: Secret id found: SecureSpa.IntegrationTests
IdentityServer4.Stores.ValidatingClientStore: Debug: client configuration validation for client SecureSpa.IntegrationTests succeeded.
IdentityServer4.Validation.ClientSecretValidator: Debug: Public Client - skipping secret validation success
IdentityServer4.Validation.ClientSecretValidator: Debug: Client validation success
IdentityServer4.Events.DefaultEventService: Information: {
"Name": "Client Authentication Success",
"Category": "Authentication",
"EventType": "Success",
"Id": 1010,
"ClientId": "SecureSpa.IntegrationTests",
"AuthenticationMethod": "SharedSecret",
"ActivityId": "0HLPN4PPDDMCJ",
"TimeStamp": "2019-09-12T02:10:57Z",
"ProcessId": 28948,
"LocalIpAddress": "unknown",
"RemoteIpAddress": "unknown"
}
IdentityServer4.Validation.TokenRequestValidator: Debug: Start token request validation
IdentityServer4.Validation.TokenRequestValidator: Debug: Start resource owner password token request validation
IdentityServer4.Validation.TokenRequestValidator: Error: Client not authorized for resource owner flow, check the AllowedGrantTypes setting{ client_id = SecureSpa.IntegrationTests }, details: {
"ClientId": "SecureSpa.IntegrationTests",
"ClientName": "SecureSpa.IntegrationTests",
"GrantType": "password",
"Raw": {
"grant_type": "password",
"username": "demouser#securespa",
"password": "***REDACTED***",
"scope": "SecureSpaAPI",
"client_id": "SecureSpa.IntegrationTests",
"client_secret": "***REDACTED***"
}
}
IdentityServer4.Events.DefaultEventService: Information: {
"Name": "Token Issued Failure",
"Category": "Token",
"EventType": "Failure",
"Id": 2001,
"ClientId": "SecureSpa.IntegrationTests",
"ClientName": "SecureSpa.IntegrationTests",
"Endpoint": "Token",
"GrantType": "password",
"Error": "unauthorized_client",
"ActivityId": "0HLPN4PPDDMCJ",
"TimeStamp": "2019-09-12T02:10:57Z",
"ProcessId": 28948,
"LocalIpAddress": "unknown",
"RemoteIpAddress": "unknown"
}
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 212.96790000000001ms 400 application/json; charset=UTF-8
Is this approach supported? If not, is there an alternative approach that can be used to get the token in order to write integration tests? I'm planning to set up test users along with the test client so that I can test lots of different behaviours.
I continued working on this issue and found that the allowed grant type of password was not being added when the profile is set to IdentityServerSPA. I couldn't see a way to add a client without a profile via appsettings, so I removed the configuration from appsettings and created the clients using this approach:
services.AddIdentityServer()
    //.AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
    {
        options.Clients.AddIdentityServerSPA("SecureSpa", builder =>
        {
            builder.WithRedirectUri("https://localhost:44307/authentication/login-callback");
            builder.WithLogoutRedirectUri("https://localhost:44307/authentication/logout-callback");
        });
        options.Clients.Add(new Client
        {
            ClientId = "SecureSpa.IntegrationTests",
            AllowedGrantTypes = { GrantType.ResourceOwnerPassword },
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedScopes = { "SecureSpaAPI", "openid", "profile" }
        });
    });
With that in place my tests now run. You can see the final solution here: https://github.com/JasonGT/SecureSpa/.
Everything works fine; however, there seems to be a bug (or feature limitation) within DefaultClientRequestParametersProvider. See the 'GetClientParameters' method: if the specified client does not have an associated profile, an InvalidOperationException is thrown.
Let me know if you need more information.
Just for reference's sake: the code above did not work as-is on my end; it broke the SPA sign-in with a redirect_uri invalid exception.
I had to remove the base url, and then it worked:
builder.WithRedirectUri("/authentication/login-callback");
builder.WithLogoutRedirectUri("/authentication/logout-callback");
I am trying to reindex from a remote server to my local ES index. The remote is an HTTPS host, and I am getting an SSL handshake exception with the following error. Please advise, thank you.
{
  "source": {
    "remote": {
      "host": "https://otherhost:9200"
    },
    "index": "twitter",
    "query": {
      "match_all": {}
    }
  },
  "dest": {
    "index": "new_twitter"
  }
}
This is the response:
{
  "error": {
    "root_cause": [
      {
        "type": "s_s_l_handshake_exception",
        "reason": "General SSLEngine problem"
      }
    ],
    "type": "s_s_l_handshake_exception",
    "reason": "General SSLEngine problem",
    "caused_by": {
      "type": "s_s_l_handshake_exception",
      "reason": "General SSLEngine problem",
      "caused_by": {
        "type": "validator_exception",
        "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
        "caused_by": {
          "type": "sun_cert_path_builder_exception",
          "reason": "unable to find valid certification path to requested target"
        }
      }
    }
  },
  "status": 500
}
While testing HTTP adapter procedure code generated by "Create Data object from service" using the Worklight Application Framework editor, it generates the following error:
Unable to handle request without a valid action parameter. Please supply a valid soap action.
This is the web service URL: http://wsf.cdyne.com/WeatherWS/Weather.asmx?WSDL
Invocation result of procedure:
{
  "Envelope": {
    "Body": {
      "Fault": {
        "Code": {
          "Value": "soap:Sender"
        },
        "Detail": "",
        "Reason": {
          "Text": {
            "CDATA": "Unable to handle request without a valid action parameter. Please supply a valid soap action.",
            "lang": "en"
          }
        }
      }
    },
    "soap": "http:\/\/www.w3.org\/2003\/05\/soap-envelope",
    "xsd": "http:\/\/www.w3.org\/2001\/XMLSchema",
    "xsi": "http:\/\/www.w3.org\/2001\/XMLSchema-instance"
  },
  "errors": [],
  "info": [],
  "isSuccessful": true,
  "responseHeaders": {
    "Cache-Control": "private",
    "Content-Length": "500",
    "Content-Type": "application\/soap+xml; charset=utf-8",
    "Date": "Mon, 28 Apr 2014 07:56:34 GMT",
    "Server": "Microsoft-IIS\/7.5",
    "X-AspNet-Version": "2.0.50727",
    "X-Powered-By": "ASP.NET"
  },
  "responseTime": 1476,
  "statusCode": 500,
  "statusReason": "Internal Server Error",
  "totalTime": 1477,
  "warnings": []
}
Support for SOAP actions in the HTTP header is being considered for a future release of Worklight.
If you wish to invoke the generated adapter in Worklight Studio v6.1, you will have to modify the generated SOAP adapter and manually add the action header.
For instance, for invoking a GetWeatherInformation operation you can open the generated adapter JS file and add the following lines:
headers = headers || {};
headers.SOAPAction = 'http://ws.cdyne.com/WeatherWS/GetWeatherInformation';
to the Weather_GetWeatherInformation function just before the call to invokeWebService at the end of this function.