Service Stack Basic Auth Routes only accessible from localhost? - authentication

I'm using ServiceStack's basic auth plugin. When I access any of the auth routes it adds, like /register or /auth, from the machine the service is running on (localhost), the routes work fine.
When I access the routes from one of my clients on another machine I get 401 not authorized errors on all of these routes.
I already have the Cors plugin enabled, and my non-authentication routes are working fine from remote clients.
Is there something else that needs to be configured to allow access to the auth routes from remote clients/IPs?

The response is always a 401, it appears, if the authentication user or password is wrong or doesn't exist. With an existing user or password it is fine.

Related

Keycloak fails to authenticate XHR requests

I have been scratching my head for days on this issue so thought I would try and seek some help here.
So I have a Wildfly server and an external Keycloak server used for authentication.
My Keycloak server uses OIDC and a public client.
Usually the flow works fine: the user logs in, and subsequent resources authenticate properly with Keycloak. However, the issue comes when I deploy my custom plugins to my Wildfly server. Each plugin needs to authenticate to the Keycloak server; usually this happens without issue on the first request. However, some of my plugins are REST only, so their first request is an XHR request, and this request fails as it gets redirected to the login page of Keycloak, which it does not understand. I am unsure how this flow is meant to work.
If I set my XHR request's withCredentials to true, it triggers CORS on my Keycloak server, which is fine, I have that set up correctly. However, what is baffling to me is that the return request from Keycloak then triggers CORS on my Wildfly server, and because the Keycloak redirect uses a no-referrer policy the origin is null! Setting my Wildfly server to accept null would not be acceptable.
I would prefer a solution where each plugin would not need to authenticate towards my Keycloak if the user has already done the login process, but I cannot find any way of enabling session sharing between deployed plugins.

Azure App Service optional incoming SSL certificate forces prompt in browsers

A simple ASP.NET Core 3.1 backend is running on an Azure App Service, where the Incoming Client Certificate option is set to Allow (the app integrates with other apps using SSL certificate based authentication). Nothing was configured in Startup.cs to do any magic with the incoming certificates (where the app is interested in the incoming certificate, the controller just reads it via Request.Headers["X-ARR-ClientCert"]).
However, a React frontend (running in another App Service) uses MSAL to authenticate with the backend App Service using Azure Active Directory/OAuth 2, not SSL certificates, so the X-ARR-ClientCert header is not populated at all (the HTTP client being axios).
Some users, when trying to access the app, get a popup from seemingly all different browsers asking them to specify which certificate to use for authentication (Site "backend" needs your credentials):
Not all users are prompted with this popup; it happens seldom. Is there any known way to configure either something in the App Service, the React frontend (axios) or even in the Startup of the ASP.NET code to not trigger this popup? In the App Service, it'd be impossible to put all routes into the Certificate exclusion path.
One idea seems to be to set rejectUnauthorized to false when setting up axios, however I'm unsure if this is a safe approach:

    // https is needed for the agent; this option only takes effect when axios runs under Node
    const https = require('https');

    axios.create({
        httpsAgent: new https.Agent({
            rejectUnauthorized: false, // disables server certificate verification
        })
    });

How to access KeyCloak endpoints via proxy API

I currently have the following architecture
APP -> API -> KeyCloak
I want the APP to be able to send requests to my API which will then internally proxy certain requests to KeyCloak. For example, I'd like to make a request to the /userinfo endpoint in KeyCloak through my API. If I can figure this out I can then perform more complex features.
APP -> http://api:port/api/userinfo
API -> http://keycloak:port/auth/realms/quartech/protocol/openid-connect/userinfo
I have a valid JWT Bearer token, as I can directly make the request to KeyCloak successfully; however, if I attempt to make the request via my API it returns 401, even though it is using the same JWT Bearer token.
I believe it has something to do with configuring the KeyCloak client to allow requests to come from the API, but so far I haven't been able to figure it out.
I've discovered it required a DNS entry for local development within a Docker container.
I've edited the hosts file and added a 127.0.0.1 keycloak and then al

"Invalid Authentication Headers" with IIS 10 and Windows Authentication

I have been struggling with getting Windows authentication to work on IIS 10 for a .NET Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but I was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication, so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.

Apache mod_auth_kerb

I have a setup using Apache and mod_auth_kerb to authenticate users and proxy them to the destination web server using an HTTP header with the username (X-Remote-User).
How do I set up a proper logout mechanism from the destination web server?
- a URL to call or similar?
Our setup works like this:
We have one url, which is protected by Kerberos:
/kerberos_login
Once a client accesses it, Kerberos authentication is performed. If successful, the client is redirected to / — this is not protected by Kerberos.
To log out, clients have to access the logout URL (that one is also not protected by Kerberos):
/logout