I have an ASP.NET Core MVC app and I want to use Azure B2C authentication.
The redirect_url that's being generated has http instead of https like so:
&redirect_uri=**http**%3A%2F%2Fmyapp.com%2Fsignin-oidc
This should be https, and it's causing this error:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '9dbe40e0-7555-4ddf-9c17-b5218ed6ca89'.
My appsettings.json looks like this:
"AzureAdB2C": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "xxx",
"ClientId": "xxxx",
"TenantId": "xxxx",
"ClientSecret": "xxxx",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath ": "/"
}
and my code in Startup.cs is like so:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration, "AzureAdB2C");
For some reason this works fine on my dev machine with localhost (redirect_url=https) but on the server it's always http.
Any ideas? This has been driving me crazy all day
EDIT: RESOLVED! Turns out the issue was that I didn't have a HTTPS binding in IIS, only a HTTP binding... strange, since I was accessing the site via https://... - I guess somehow the IIS gave a certificate and allowed HTTPS even though I didn't have a binding for it
Thanks for the help guys!
Turns out that this was caused because I didn't have a HTTPS binding in IIS.
I was accessing the site via HTTPS, so not sure how IIS allowed that, but adding a HTTPS binding fixed the redirect_uri problem
Related
Problem starts by getting many errors like this in my logs:
{
"#mt": "Your license for Duende IdentityServer only permits {issuerLimit} number of issuers.
You have processed requests for {issuerCount}. The issuers used were: {issuers}.",
"#l": "Error",
"issuerLimit": 1,
"issuerCount": 2,
"issuers": [
"https://www.example.org",
"https://example.org"
],
"SourceContext": "Duende.IdentityServer",
"RequestPath": "/connect/checksession"
},
I am using default MS template for Hosted Blazor WebAssembly with Individual accounts. I did not set any issuer explicitly because I have test.mydomain.org and it seemed convenient.
I have DNS CNAME www.example.org to example.org, and in IIS I have one site example.org with 4 bindings: http and https for www and non www versions.
When everything work normally, no matter how I try to open my site using www or non www version, in incognito mode, logged in or logged out, no matter what I try I cannot intentionally get this error in log.
But then it starts to appear and it is noticed by user who can log in normally, but trying to access any API endpoint requiring authorization returns Bearer error="invalid_token", error_description="The issuer 'https://example.com' is invalid" (How to debug only occasional Bearer error="invalid_token").
I wonder how is it even possible to receive request from www.mydomain.org to IdentityServer if I cant do it by manually requesting www version? Where does the IdentityServer get these issuers from? And, does Identity server starts throwing these error on purpose after some time?
I have made a web app using Blazor and now i want to host in my server with a free .ml domain. But service-worker.js not running without a secure connection. It is a free domain so i don't want to pay for a certificate.
Use SSL option in the project property is unchecked in all projects.
I couldn't find any information about this online.
Can i force to use http ?
Thanks
SSL Error
As far as I know, Service worker requires https except the localhost to work. Both the third-party certificate and the self-signed certificate is ok as long as we established the certificate trust relationship between the client-side and the server-side properly(for exchanging the public key of certificate).
https://developers.google.com/web/fundamentals/primers/service-workers/
For free SSL certificate,
https://geekflare.com/free-ssl-tls-certificate/
For self-signed certificate,
https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Here is an example of using a self-signed certificate.
Can you use a service worker with a self-signed certificate?
Feel free to let me know if there is anything I can help with.
To use HTTP in a Blazor app, in Program.cs remove UseHsts() and
UseHttpsRedirection() if present:
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for
production scenarios, see https://aka.ms/aspnetcore-hsts.
// app.UseHsts();
}
//app.UseHttpsRedirection();
In launchSettings.json make sure there is only an HTTP URL:
"profiles": {
"Dashboard": {
"commandName": "Project",
"dotnetRunMessages": true,
"launchBrowser": true,
"applicationUrl": "http://10.72.11.110:5238",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
I have set up a lambda and attached an API Gateway deployment to it. The tests in the gateway console all work fine. I created an AWS certificate for *.hazeapp.net. I created a custom domain in the API gateway and attached that certificate. In the Route 53 zone, I created the alias record and used the target that came up under API gateway (the only one available). I named the alias rest.hazeapp.net. My client gets the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Curl indicates that the TLS server handshake failed, which agrees with the SSL error. Curl indicates that the certificate CA checks out.
Am I doing something wrong?
I had this problem when my DNS entry pointed directly to the API gateway deployment rather than that backing the custom domain name.
To find the domain name to point to:
aws apigateway get-domain-name --domain-name "<YOUR DOMAIN>"
The response contains the domain name to use. In my case I had a Regional deployment so the result was:
{
"domainName": "<DOMAIN_NAME>",
"certificateUploadDate": 1553011117,
"regionalDomainName": "<API_GATEWAY_ID>.execute-api.eu-west-1.amazonaws.com",
"regionalHostedZoneId": "...",
"regionalCertificateArn": "arn:aws:acm:eu-west-1:<ACCOUNT>:certificate/<CERT_ID>",
"endpointConfiguration": {
"types": [
"REGIONAL"
]
}
}
I want to be able to develop locally using a custom domain and ssl rather than localhost.
How can I setup a custom domain + ssl in VS Solution instead of localhost?
Simple Setup - Using Server URLs
If you want to associate your server to use all the IP addresses assigned to the server/web host then you can do this:
var host = new WebHostBuilder()
.UseUrls("http://*:80", "http://localhost")
.UseKestrel()
.UseIISIntegration()
.Build();
Note: If you don't want all IP addresses, then you can change from http://* to a specific IP address such as http://111.111.111.111. Also, the port is not a requirement, but I have used it for completeness of the answer. It's also important to note that SSL won't work with UseUrls
There is a great amount of additional detail that you can find over at the official Microsoft Docs about Server URLs here.
Binding SSL Certifications (Kestrel Only) -- Endpoint Configuration
Please note that hosting over a public endpoint via Kestrel (even with SSL) is not recommended and you should use a reverse proxy like Nginx or IIS. You can read more about it from the official Microsoft Docs here.
You didn't mention if you were using Kestrel or not, but I will assume you are... In which case, you can configure an SSL certificate easily by binding sockets using the options.
Here is an example of using TCP sockets using the Listen method:
public static void Main(string[] args)
{
BuildWebHost(args).Run();
}
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>()
.UseKestrel(options =>
{
options.Listen(IPAddress.Loopback, 5000);
options.Listen(IPAddress.Loopback, 5001, listenOptions =>
{
listenOptions.UseHttps("testCert.pfx", "testPassword");
});
})
.UseIISIntegration() // <-- don't forget you will need this for IIS!
.Build();
Note: That if you use both the Listen method and UseUrls, the Listen endpoints override the UseUrls endpoints.
You can find more info here at the official Microsoft Docs.
Configuring IISExpress
Using the GUI
You can right-click the project and click [Properties].
Using launchSettings.json.
You have to configure this using the launchSettings.json which you can find here:
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:61471/",
"sslPort": 44360
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"launchUrl": "https://localhost:44360",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
Configuring IIS Endpoints
If you use IIS, the URL bindings for IIS override any bindings that you set by calling either Listen or UseUrls. For more information, see Introduction to ASP.NET Core Module.
For .net core, to setup a custom domain:
Add domain to the hosts file, something like www.yourapp.local
find the solution /.vs/applicationhost.config
Add binding e.g.:
In the web project properties > Debug add the App Url to "http://www.yourapp.local:51791/"
(replace port number as required)
For SSL, I assume you can set the above bindings and settings to https and in the web app properties > Debug tick the "Enable SSL" checkbox.
also see this answer: How to enable SSL for IIS Express in VS2015
If you're fine with the certificate validation error in your browser (or whatever client you use), you can put an entry in your hosts file:
www.yourcustomdomain.com 127.0.0.1 (or ::1 if you're on IPv6)
and then use the custom domain to reach your web site locally.
In Windows the hosts file is usually located at C:\Windows\System32\drivers\etc.
First, add an entry in the client's C:\Windows\System32\drivers\etc\hosts text file. Follow instructions in the hosts file itself.
By "develop locally" do you mean on the local machine or local network? If the latter, you must complete the following tasks (in any order).
Generate as described here and configure as described here a certificate on the server, and install it on the client.
Configure the firewall to allow access to your web API as described here.
Bind your web API to a non-localhost URL as described here and here.
I'm not sure off hand, but to get it working with IIS Express you might also need to run netsh http add urlacl as described here and here.
Some of the above links are specific to IIS Express since that's what you asked about. If using Kestrel, then vary the above tasks as follows.
To configure your certificate on the server, add this to appsettings.json:
"Kestrel": {
"Certificates": {
"Default": {
"Subject": "api.mycustomdomain.com",
"Store": "My",
"AllowInvalid": true
}
}
}
To bind your web API to a non-localhost URL, in launchSettings.json's Kestrel profile, replace the localhost part of applicationUrl's value with 0.0.0.0.
I've created simple WinForms app that uses free webservice http://www.webservicemart.com/uszip.asmx. But this app fails to use service operation with error:
The remote server returned an unexpected response: (407) Proxy Authentication Required (The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied)
Code that creates proxy and triggers service operation:
ChannelFactory<ServiceReference1.USZipSoap> proxy = new ChannelFactory<ServiceReference1.USZipSoap>("USZipSoap");
ServiceReference1.USZipSoap client = proxy.CreateChannel();
string str = client.ValidateZip("12345");
MessageBox.Show(str);
Is this problem with a network of my company or this is a proxy on the side of webservicemart.com?
I've googled a lot of information on changing configuration files, creating a custom binding, etc. But I feel the lack of more basic understanding... If this error is about ISA server of our corporate network then what configuration should I make to ISA Server to not restrict me from using external webservices?
In your binding configuration make sure that useDefaultWebProxy is set to true - it will use configuration you have found in IE. In your configuration file add following snippet to ensure default your credentials are used for authentication on the proxy server:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
This worked for me... replacing 10.1.0.50 and the port number with your proxy server's IP
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy usesystemdefault="False" proxyaddress="http://10.1.0.50:8080" bypassonlocal="True" />
</defaultProxy>
</system.net>
Seems like all the traffic in your company is being redirected through a proxy. Can you browse to the web service from your IE and see its wsdl and invoke the test page to see some results. If that is the case then try adding the below section into your web.config:
<system.net>
<defaultProxy>
<proxy proxyaddress="<your proxy address>" bypassonlocal="true" />
</defaultProxy>
</system.net>
You can find the proxy address from the settings of your IE.
NOTE: When you move to different environments then you need to make sure that its the same case else you need to remove the above configuration.
You can set the web.config of the service to allow to use the proxy settings as defined in Internet Explorer.
Sometime in the future.
WebRequest.DefaultWebProxy.Credentials = CredentialCache.DefaultNetworkCredentials;