I created the template Angular / ASP.NET Core with authorisation support using this command:
dotnet new angular --auth Individual
This is an:
ASP.NET Core 3.0 App with
ASP.NET Core Identity for authenticating and storing users,
IdentityServer4 for implementing Open ID Connect,
Angular SPA,
All pre-configured to work together.
Before I deploy my app based on this template, I'm trying to first deploy this template app to IIS.
I've deployed the app to IIS and have a database setup and the app connected to it just fine, but I'm stuck. I am not sure how to create and configure the production certificate to use for signing tokens.
At this point in the Microsoft docs it briefly mentions "A production certificate to use for signing tokens." and gives and example for deployment to Azure.
How do I create the key in IIS? do you do something here?
Then how do I then add the correct settings to appsettings.json?
"IdentityServer": {
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=MyApplication"
}
}
I'm struggling to find any guides or examples on the net, any help or point in the right direction would be appreciated.
I also found that the documentation is not comperhensive enough. I managed to deploy the an angular app to azure. Im not sure if it similar to the deployment to IIS. But may be this could help you to find the solution for your problem.
Deployment to Azure:
First you have to upload the (self signed) certificate (.pfx) to azure app service. I used this guide to create self signed certificate.
upload certificate image
You also have to make the certificate available by adding the thumbprint into the application setting. see image.
Dont forget to update your appsettings.json so your app can access the certificate from the previous step.
"IdentityServer": {
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=yourApp-domain.com"
}
}
If you encounter problem. Change the environtment variable in appservice to "Development" to see detail information of the error. like this.
change environment variable
For now I have worked around this problem by exporting the certificate to a file. Under Server Certificates in IIS you can right-click a certificate and export it.
Then you can configure the key parameters in appsettings.json to reference a file like so:
"Key": {
"Type": "File",
"FilePath": "..\\test.pfx",
"Password": "Test"
}
I would still like to reference a store certificate.
So this should fairly straightforward to configure for development purposes. In IIS you can issue yourself a self-signed certificate which will naturally only be valid on your local machine.
Give it some name and if you don't change anything else and click OK, it will by default store the generated certificate in your Personal store for LocalMachine so below config should work:
"IdentityServer": {
"Key": {
"Type": "Store",
"StoreName": "Personal",
"StoreLocation": "LocalMachine",
"Name": "YourName"
}
}
It is worthwhile noting that if you try to import certificate from somewhere else - it must be at least 2048 bit key for Identity Server 4 purposes.
Create a new certificate in Powershell as Administrator if you don't have a certificate already:
New-SelfSignedCertificate -DnsName "blazortest" -CertStoreLocation "cert:\CurrentUser\My"
I then used mmc.exe to export the certificate as a .pfx file.
If you host on IIS you need to import the .pfx certificate to the Personal folder for Local Computer and then select Manage Private Keys... and give access to the user running the Application Pool.
Complete answer from other thread with IdentityServerBuilderConfigurationExtensions publish exception:
https://stackoverflow.com/a/66448397/3850405
Related
I'm using Doxygen to generate documentation on a C++ project. I want to share this documentation with various team members without them having to build the docs themselves. In an ideal world, there's a service to privately host the static HTML that's generated from Doxygen, and gate it behind some sort of login. I think literally all this service needs to do is have some authentication middleware before serving the HTML. Just password protecting a directory is not good enough for what I'd like to do.
Does anyone know of a service like this that already exists? Am I taking the wrong approach?
What you are asking for is a service that host static pages but provide the authentication functionality. I don't know if something like that exists and I have not found anything in a quick search.
However, there's another approach, much more simple. Just generate the documentation and upload it wherever you want that requires authentication (Google Drive, a private repository in GitHub or Bitbucket, etc). Give access to your team members and they will just have to keep it up to date with the remote one and open the index.html locally in their browsers.
Azure has a static web app host available.
You can configure it so users must log in before anything is served up.
This is a bare bones config that will require people log into an app reg I made available to them, otherwise it will redirect to the azure ad login page.
We are already using Azure for our cloud needs, so this wasn't much to stand up for the documentation host.
Custom authentication in Azure Static Web Apps
Authentication and authorization for Azure Static Web Apps
{
"auth": {
"identityProviders": {
"azureActiveDirectory": {
"userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"registration": {
"openIdIssuer": "https://login.microsoftonline.com/TENANT_ID",
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
}
}
}
},
"routes": [
{
"route": "/*",
"allowedRoles": [
"authenticated"
]
}
],
"responseOverrides": {
"401": {
"statusCode": 302,
"redirect": "/.auth/login/aad"
}
}
}
I have an asp.net core app that uses:
app.UseSpa(x =>
{
if (env.IsDevelopment())
{
x.Options.SourcePath = "ClientApp";
x.UseProxyToSpaDevelopmentServer("http://localhost:4200");
}
else
{
// x.Options.SourcePath
x.Options.DefaultPageStaticFileOptions = new StaticFileOptions
{
OnPrepareResponse = context =>
{
context.Context.Response.Headers.Add("Cache-Control", "no-cache, no-store");
context.Context.Response.Headers.Add("Expires", "-1");
}
};
}
});
angular is started with:
ng serve which then serves the site on http://localhost:4200
The --public-host does not seem to respect the schema.
The docs says: The URL that the browser client (or live-reload client, if enabled) should use to connect to the development server. Use for a complex dev server setup, such as one with reverse proxies.
My API is hosted in the asp.net core app.
The browser tries to connect to: https://localhost:4200/sockjs-node/info?t=1605229799939 ... which is not running. Notice the https, which is gets from the asp.net core app which is being served over https.
I can get it to work if I start the angular dev server with --ssl, trust the certicate in my certificate store in Windows, so .NET trusts that certificate. The issues is that there is no override for the UseSpa as I have found, to trust self signed certificates, when running in development.
I want the setup to be as clean as possible, with the least amount of hacks, like trusting self signed certs on local machine.
Is there any way to let the HMR/nodejs/angular-cli know what it needs to connect to?
Well ... setting --public-host to localhost:5000 solved the issue.
Then it's just going though the asp.net core app which acts as a proxy. Not sure why I didn't think of that before creating this issue.
I create a blazor web assembly with visual studio template, with "Asp.net core hosted" option and "Progressive web app" option too.
All works fine in "localhost" and in the publish website (develop environment) when i visit my website with a computer.
But when i visit the same website with mobile devices, i have this error:
HTTP Error 500.30 - ANCM In-Process Start Failure
I change the hosting model of asp.net core to "Out of Process", but i had the same result, only the message has changed.
HTTP Error 502.50 - ANCM Out-Of-Process Start Failure
Any help will be appreciate
I had a similar problem - don't know if you were using Identity but I was and the following fixed the issue:
Ensure you have a folder with write permissions in the published root folder called "obj". I think Identity creates a token key in here.
Also ensure you have the Identity key set up in appsettings.cs as follows (probably shouldn't use development in production though):
"IdentityServer": {
"Key": {
"Type": "Development"
}
}
I have an asp.net core 2.1 application hosted in azure, with a basic log in system. I am using Identity to manage accounts, and signInManager for login/logout access.
so, i got to mysite.com and log in, it redirects to the correct page.
if i log out, I am redirected back to the mysite.com page.
While logged in, if I go to mysite.com/controller/1, it goes to the page correctly.
If logged out and i go to /mysite.com/controller/1, instead or redirecting back to the login page at mysite.com, it redirects to mysite.azurewebsites.net
I am unsure if its a code issue or a azure portal configuration issue
Any help appreciated
UPDATE
Login with Identity
I download sample code from Microsoft and test it, it works fine.
I don't change anything in code, so you can compare the difference between your code and the official example.
My test steps are as follows:
Publish sample code to restore azure sql sb.
Bind the domain name
No other operations.
My Suggestion:
Follow my step to check your code.
Raise a support ticket on portal, and let Microsoft help you to check logs.
PRIVIOUS
Login with AAD
I think your problem has nothing to do with Identity. Your problem must be the integrated AD login. Below I will tell you how to solve it.
You must make sure that the value of Domain in your appsetting.json is mysite.com.
My test domain value is https://test.jasonp2.com/.
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "https://test.jasonp2.com/",
"TenantId": "organizations",
"ClientId": "3b417786-****-4fc4-****-716****928ad",
"CallbackPath": "/signin-oidc"
},
"Logging": {
"LogLevel": {
"Default": "Warning"
}
},
"AllowedHosts": "*"
}
You need set Redirect URIs and Logout URL in App registrations on azure portal.
After confirming the above two steps, your problem can be solved.
Assume I create an ASP.NET Core 2.0 App in Visual Studio 2017:
I can integrate with Azure Active Directory by clicking the Change Authentication dialog.
Then after entering my MSDN credentials 2 or three times it will register my application with Azure Active Directory:
That creates the following snippet in appsettings.json:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXXXXXX.onmicrosoft.com",
"TenantId": "XXXXXXXXX",
"ClientId": "XXXXXXXXX",
"CallbackPath": "/signin-oidc"
},
Tenant Id matches what this question said it would. And ClientId matches Azure ID. However, I don't see where this Key, that Visual Studio created during the app provisions, is stored:
Where is that stored?
AFAIK, the template of Visual Studio does't save the secret when it create it on the Azure. If you want a secret for this app, you can delete the old one and create a new.
Please Note: Once you left that page, the secret was not able to see again.