bearer token only works when browsing site without "www." - asp.net-core

I have an ASP.NET Core 3.0, Angular, IdentityServer4 application deployed to IIS. Which is using a server certificate exported to .pfx for token signing. (This same certificate is used for the SSL certificate but from the certificate store).
The application loads fine both as https://www.example.com and htts://example.com (no SSL errors).
However when browsing on https://www.example.com and trying to access data on any endpoints requiring authorisation, it doesn't work. The following error is observed in the response header:
www-authenticate: Bearer error="invalid_token", error_description="The issuer 'https://www.example.com' is invalid"
I'm not sure where to start looking... will this be an IdentityServer4 configuration issue?
FYI, this project was developed from the template project created by dotnet new angular -o <output_directory_name> -au Individual.

The token issuer (which is the origin of the site that issued the token) is a part of the contract between an OIDC provider and the clients and APIs that rely on it.
identityserver4 by default will use the incoming request details to determine what the value of iss should be in any tokens it issues.
As such you should usually only use a single host name for your OIDC provider - e.g. identity.example.com or something along those lines.
Another option may be to force it to use a pre-defined host name rather than determining it based on the request.

Related

Setup Kestrel with RequireCertificate for single controller/endpoints

Am i out of luck or is there an option to specify that only a single path/endpoint should require client certificate ?
The scenario:
IdentityServer4 gives our users the option to sign in multiple ways (Username/Password, Azure AD or ClientCertificate)
The first two are working as intended, but the certificate paths does not prompt the user for his/her certificate, i know its possible with IIS but we want to run this using Kestrel.
If i setup the projects kestrel setting to require cert all endpoints requires it, this ruins the user experience when signing in with username/password og azure ad.
Are there any options for setting only out localhost/certificate path to require certificate and then in turn prompt the user to provide their cert when being redirected to that paths endpoints if there is no cert present in the request?
Resolved it by setting up two hosts, and capturing the request in the certificate challange endpoint and checking the connection, if there's no certificate present AND the connection is using the non-requirecert connection i redirected the context to the right connection and was then prompted to supply the cert and login works as intended.

Authentication error from kube-rbac-proxy, api server not able to authenticate

I have an admission controller to validate a request. I have tested the admission controller separately and it is working fine. Now I have implemented kube-rbac-proxy as a sidecar container. The sidecar container is https and it is expecting either a ca cert or a bearer token. The curl request with ca is working fine. When I am trying using kubectl command, it is giving me tls: bad certificate error. I have logged the request and I could not find any ca cert included in the request.
Admission controller(https server) alone is working fine. The curl request with corresponding ca cert is able to call the admission controller via kube-rbac-proxy. Implemented this to support tls.
Searching through the docs I think it's possible to make kubectl pass a certificate in it's requests.
Client certificate authentication is enabled by passing the
--client-ca-file=SOMEFILE option to API server. The referenced file must contain one or more certificate authorities to use to validate
client certificates presented to the API server.
Edit: realized I have made a mistake in my initial answer, it's corrected now.

Simulate Client Certificate based authentication through postman

i am trying to simulate client certificate based authentication for my APIs in postman.
https://www.getpostman.com/docs/postman/sending_api_requests/certificates
I have followed this document and was able to send the certificate (as shown in postman console).
In server side i look for ssl_client_cert header name to check if it is a certificate based authentication (as i have other modes of authentication too).
But it seems the header is not being sent by postman.
Is there anything else i need to activate in postman. What is hitting me is that i have kept the authorization mode in postman as no auth. I don't find any cert auth mode to select. Am i missing anything.
best Regards,
Saurav

IIS Client Certificate Mapping Authentication - mapping not working

I am trying to setup IIS Client Certificate Mapping Authentication and so far I have been unsuccessful.
I have a valid client authentication certificate
I disabled all authentication methods in the Authentication feature of IIS for the target website
Using the configuration editor I setup iisClientCertificateMappingAuthentication as documented in various sources. In this series of screen we map a domain account to a certificate. This is done by exporting the certificate to a text file, removing the first and last line and making sure all is in one line.
The problem is as follows:
When I try browsing to a test page, browser correctly prompts for selection of a certificate. I select the correct certificate. I then get presented with
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
If I enable Anonymous Authentication then it works, but the user is not the one in the mapping it is the user running the browser. I know this because the test page contains the following:
response.write (request.servervariables("LOGON_USER"))
response.write (request.servervariables("AUTH_USER"))
So the questions are:
For IIS Client Certificate Mapping Authentication, is this the only authentication feature that needs to be enabled?
Do we need to use the Authorisation feature to limit the users to the one provided in the mapping?
What I am trying to achieve is that only clients that have the certificate will be able to access the service.
What am I missing?
Cheers
Jose

.Net web api, SSL + basic auth

I have multiple sets of sensor networks that are sending data to a .net web api. Somehow, I need to secure some of the endpoints of the API (so that I can be certain that the information sent to the API really is from the sensors). Basic auth and SSL seems to be one way to go. The problem is that I'm having trouble understanding the SSL part.
As of now I have created a client certificate that is stored on the sensors, information of the certificate can be retrieved in the API by the Request.GetClientCertificate() method. Is this overkill when I just want to secure my Api with basic auth? That is, is the communication secure by just sending data over https without providing a certificate?
I do not need to use the certificate for authentication (since this is done by basic auth).
Basic authentication is about sending the user name and password in the HTTP authorization header as plain text (base64 encoded but not encrypted). For this reason, you need to use HTTPS with basic authn so that folks in the middle do not get to see the user name and password that a client sends.
When it comes to HTTPS, there is a server certificate and a client certificate. Server sends the server certificate to the client so that client can determine it is the right server it is connecting to. Similarly, a client can send a client certificate to the server so that a server can determine if an authentic client is talking to it.
The client certificate part is optional in HTTPS. So, you can use basic authentication without using the client certificate. If you use client certificate, it is already a credential and you need not use basic authentication, unless you want to use a two-factor authentication. TFA is an overkill or not - it is for you to decide.