Auth0 Legacy Lock API Deprecation - authentication

I went through the Legacy Lock API Deprecation documentation at the provided link.
I have a few clarifications.
It's mentioned that by July 16, 2018 the deprecated services will be removed.
And the criteria to identify whether I will be affected or not are listed below:
Use of /usernamepassword/login endpoint directly from applications
Use of /user/ssodata endpoint directly from applications
In my application I have integrated auth0-js and I have been using the auth0.redirect.loginWithCredentials() function to send the username and password along with the connection (database connection).
This function actually calls the co/authenticate REST endpoint. Does my current implementation need a migration? Will I be affected by the services that will be stopped by Jul 16?
Another question:
In the advanced settings of a tenant, it's advised to disable the Legacy Lock API option under Migrations (see below image). If I do so, I get a preflight error, which is a CORS issue. Is there any relation between this problem and the previous question, or how do I solve this issue?

Persistent access control exception error message on Moodle

I am trying to enroll a user on my Moodle site using the Moodle API.
My Moodle instance is hosted on AWS and all relevant ports are open and listening. So, from the network perspective, I can confirm that all is ok.
The steps I have already done based on Moodle Documentation:
I have enabled web services on Administration > Mobile app > Mobile settings
I have gone through the 10 steps on the overview of allowing an external system to control Moodle as explained in the documentation (shown also in this YouTube video)
For testing purposes, I am using Postman. Some requests are going through (e.g. getting the token for a certain user, getting the list of all courses, etc.)
Example:
But when I try to, e.g., create a user or enroll a user in an existing course I am getting this error:
{
"exception": "webservice_access_exception",
"errorcode": "accessexception",
"message": "Access control exception"
}
The way I am trying to, e.g., create the user is as follows:
In the body section I am sending the following data:
users[0][username]
users[0][email]
users[0][lastname]
users[0][firstname]
users[0][password]
Based on my research, most of the contributors suggested enabling web services, but as mentioned above I have enabled them but the problem persists.
Can someone help me solve the issue here or maybe suggest a way of debugging it?
Fortunately, I managed to solve the issue for both user creation and user enrollment.
Here is a great guide that helped me. In addition, you need to add some additional functions to the web service (roles vary based on what you want to do in Moodle) and also you need to alter the permissions of the new user (again depending on what you want to do)...
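As an added example, not code from the original post, here is the same core_user_create_users call made from a script with the users[0][...] field encoding shown above, together with a check that tells the "Access control exception" reply apart from a real result (the site URL and token are placeholder assumptions):

```python
# Added example, not code from the original post: build the Moodle REST call
# used in the question (core_user_create_users with users[0][...] fields) and
# tell an "Access control exception" reply apart from a successful one.
import json
import urllib.parse
import urllib.request

MOODLE_URL = "https://moodle.example.org"  # assumption: placeholder site URL
WS_TOKEN = "REPLACE_WITH_WS_TOKEN"         # assumption: placeholder token


def encode_users(users):
    """Flatten [{'username': ..}, ..] into the users[i][field] form fields."""
    params = {}
    for i, user in enumerate(users):
        for field, value in user.items():
            params[f"users[{i}][{field}]"] = value
    return params


def build_request(wsfunction, params, token=WS_TOKEN, base_url=MOODLE_URL):
    """POST to webservice/rest/server.php, asking for a JSON-formatted reply."""
    body = {"wstoken": token, "wsfunction": wsfunction,
            "moodlewsrestformat": "json", **params}
    data = urllib.parse.urlencode(body).encode()
    url = f"{base_url}/webservice/rest/server.php"
    return urllib.request.Request(url, data=data, method="POST")


def classify_reply(text):
    """The REST server reports failures in the JSON body, not the HTTP status,
    so a caller that only checks the status code would treat this as success."""
    reply = json.loads(text)
    if isinstance(reply, dict) and "exception" in reply:
        if reply.get("errorcode") == "accessexception":
            # Function not added to the service, or the service user lacks the
            # capability it requires (the two causes the answer above points at).
            return "access_denied", reply.get("message", "")
        return "error", reply.get("message", reply["exception"])
    return "ok", reply


def create_users(users):
    req = build_request("core_user_create_users", encode_users(users))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_reply(resp.read().decode())


# Constructed sample, copied from the error body shown in the question.
SAMPLE_ACCESS_DENIED = ('{"exception": "webservice_access_exception", '
                        '"errorcode": "accessexception", '
                        '"message": "Access control exception"}')
```

Running classify_reply over the sample reply returns "access_denied", which is the case to watch for when debugging: the request succeeded at the HTTP level but the token was not allowed to call that function.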

identity server multiple issues after deployment

My current setup is like this. The entire project was built using the official docs here - https://identityserver4.readthedocs.io/en/latest/
API Server
Auth Server with local login, google login and github login
Console based c# client
JS based client
MVC based client.
(all of it, as described in the official docs)
Locally, all of them work beautifully. Able to login, access api endpoints, logout, redirect, the whole thing works smooth.
I have deployed all 5 of them to five different azure web apps. They all have the standard xyz.azurewebsites.net domains ready to use. Now, I have run into some problems.
The console C# client is able to talk to the deployed auth server, collect a token using a local account on the auth server and make calls to the deployed API server. Based on this, I assume that both the API server and the auth server are working hand in hand, as they should.
Problem #1 - the JS client keeps saying
'The login is blocked because of CORS Missing Allow Origin '
Problem #2 - the MVC client loads the auth server, and then the auth server gives me this error.
Sorry, there was an error : unauthorized_client
Request Id: 80005c0f-0000-eb00-b63f-84710c7967bb
Note: I have set the CORS policy on the auth server, for both these clients, under the client definition as follows. I am not too concerned about keeping the auth server open, so I don't mind if any and every domain can call the auth server.
AllowedCorsOrigins = { "*.*" },
Also note: I have set the URLs in the code before deployment. All localhost:port lines have been replaced correctly with the corresponding now-published URLs.
So, what am I missing out here?
Update 1
I was able to solve the CORS issue. I have posted an answer here on another question.
Not able to enable CORS for identity server 4 in asp.net core
Update 2
So, now, both the JS client and the MVC client, are giving identical errors.
Sorry, there was an error : unauthorized_client
Request Id: 80005c0f-0000-eb00-b63f-84710c7967bb
Update 3
I have opened an issue which has log details.
https://github.com/IdentityServer/IdentityServer4/issues/4691
I am not sure if this counts as an answer, but I am posting it for my own question, as it might help others. Also, this is only a guess at this point.
I found out that the redirects were permanently stored in the database I used with EF migrations. That means the local in-memory redirects were being overwritten anyway by the database-stored configuration. I believe this is the issue.
I also realized that the console app is working fine because it does not depend on redirect URLs, whereas the JS and MVC based clients don't work because they do depend on redirect URLs.
At this point, the best thing to do for you (if you used EF migrations to store your auth server configuration in the database) would be to start over and switch to in-memory only. Alternatively, you can try and update the database to suit your deployment requirements.
Ultimately, I believe, unless it is absolutely necessary, keep the auth server config (like redirects and CORS settings) in memory, as they don't take up much space and are rarely changed.

Azure API Management - Versioning

We are currently having all our APIs in the Azure API Management Portal. The versioning in the API code is handled using the version header. These APIs were deployed into our Production environment in the middle of last year. I guess we did not have the versioning concept in the old API Management Portal, and the vendors who are using the APIs which are in Production work without passing the version header (if the version header is not passed, it falls back to the initial version).
We could see that, currently API Management does have ability to create versions. But, if I create a new version for the existing API – I could see that the existing version (which currently works with or without version header) stops working. It is giving resource not found error. If we go into the API settings page for the Existing version, we could see that the Version Header field is mandatory and not filled.
Is there any way we can default the version header to the initial version through API Management?
This is old but probably worth answering for someone asking in the future.
You can set a header on all API operations in the Azure portal.
Select the API version and then ensure All operations is selected in the list of operations.
Then in the Inbound Processing section click + Add policy.
Set headers is one of the options.
Select that and add the details for the header.
Save and repeat for the other versions you have defined, obviously setting the correct version each time.
Hope this helps.
You may also define passing the version as a header parameter when initially adding the API to API Management as Open API Specification Full definition and then set the Header definition in Versioning scheme.
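The Set headers step described in the answer above, written out as the policy XML it produces, as an added example that is not from the original answer (the header name "api-version" and the value "1" are assumptions; use the header your backend reads and the version each API version represents):

```xml
<policies>
    <inbound>
        <base />
        <!-- Assumed header name and value: set this at the "All operations"
             scope of one API version, then repeat per version with its own
             value so the backend always receives an explicit version. -->
        <set-header name="api-version" exists-action="override">
            <value>1</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With exists-action="override", a caller-supplied header is replaced by the value bound to that API version; use exists-action="skip" instead if callers of the same version are allowed to pass their own value.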

Azure App Service Authentication - Pulled data even when authentication failed

I have a Xamarin Forms application that is targeting Windows UWP. I have successfully setup Offline Sync and Authentication by following the Microsoft docs such as this article: https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-windows-store-dotnet-get-started-users
I have also successfully setup a background (out-of-process) task to run using a Windows Universal Runtime Component.
The process flows as:
1) User runs the application for the first time, they must login and authenticate to Active Directory. The application then caches their token and registers the background task.
2) The background task kicks off on a Timer. During testing, I did NOT have it refreshing the token because I wanted to test the 1-hour token expiration and refresh process.
In my testing, I discovered two things that I am not completely understanding and which I found odd (not behaving as I expected).
1) When I examine the expiration date of the token the user receives upon first login, the expiration date is set for 30 days in the future. I thought it was supposed to expire after 1 hour. Why does it show 30 day expiration date? (This isn't too big of a concern as I did confirm that it does stop allowing access after an hour, just an oddity that I am observing).
2) This is the one I have a concern about. Even though the background task was not able to authenticate after the 1-hour period, it still was able to pull data from Azure to the device. The push data sync failed because authentication failed, but the pull data sync succeeded. This is concerning because I do not want unauthorized attempts to be able to pull data. Has anyone else run into this? Is this a bug? Did I configure authentication incorrectly somehow?
My Settings:
Azure App Service > Easy Tables (Node.js backend) has all permissions set to "Authenticated Access only".
Azure App Service > Settings > Authentication/Authorization >
App Service Authentication is set to On,
Action to take when request is not authenticated is set to Log in with Azure Active Directory,
Authentication Providers is set Configured for Azure Active Directory.
Mobile App Code:
MobileServiceClient client;
IMobileServiceSyncTable<TableToPull> tableToPullDataFrom;
IMobileServiceSyncTable<TableToPush> tableToPushDataTo;
this.client = new MobileServiceClient(Constants.ApplicationURL);
this.client.CurrentUser = new MobileServiceUser(Settings.UserId);
this.client.CurrentUser.MobileServiceAuthenticationToken = Settings.AuthToken;
store.DefineTable<TableToPull>();
store.DefineTable<TableToPush>();
The Push Async Code is (which fails when authentication fails, as expected):
await this.client.SyncContext.PushAsync();
The Pull Async Code, which should fail when authentication fails but did not (this is my concern) is:
await this.tableToPullDataFrom.PullAsync("tableQuery",this.tableToPullDataFrom.CreateQuery());
I am concerned that the background task was able to pull data from Azure even though authentication failed. I am hopeful that I am misunderstanding this concept in some way and someone can explain to me why this happens? Or if I need to configure something differently? I need to make sure unauthorized logins cannot pull data.
The background task attempts to push and pull data in sequence and I can see that it fails due to invalid authentication during the push task but then succeeds during the pull task. I can also verify this because the pull task does grab updated data from the SQL Azure DB (I can view it using Isolated Storage Explorer and SQLite Browser) but it doesn't send changed data to the SQL Azure DB (viewed in SSMS).
The "action to take when authentication fails" is wrong. You need to set it to "No action". This is so that the authentication can be handled by your code.
If you are using Easy Tables, adjust the permissions on the table to "Authenticated". If you are using ASP.NET, add the [Authorize] attribute to your class.
Authentication is covered in depth in my book - chapter 2 of http://aka.ms/zumobook.

Force logout a ServiceStack user by id

I'm implementing a "Block user" feature on my ServiceStack 3.9 project, where a site administrator is able to block/remove registered users. But unfortunately I couldn't find a way to close the open session for a blocked (removed) user.
Updated:
I'm just a novice and I use the most common default configuration (MS SQL Server) with nothing special (e.g. Redis etc.). I had seen SocialBootstrapApi project as example.
Question:
So the question is how to logout a user by its id on the server side?