I have a SPA client in Angular which logs into Azure AD successfully and generates a token which I then pass it to the .Net Core(3.0) API via Authorization: Bearer ${token} I then try to validate the token with [Authorize] to check and then allow access to the REST Api calls, we are still using "ver": "1.0" and there is no nonce in the JWT header. I have the below code in ConfigureServices method:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://login.microsoftonline.com/common";
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidIssuer = options.Authority,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = "{myClientID}",
IssuerValidator = (issuer, token, parameter) => "https://sts.windows.net/{MyIssuer}/"
};
});
services.AddAuthorization(options =>
{
options.DefaultPolicy =
new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build();
});
When I run the project with locahost, it works fine, but I deploy the code to a server, I got the below error message :
Exception occurred while processing message.
Exception:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/common/.well-known/openid-configuration'.
---> System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it.
---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.
at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
The above message indicates that something is not allowing me to connect to the site to validate, are my parameters correct? I used jwt.io to check the token and it says the Signature is valid and on the body I get to see the values I expect for "aud:","iss:" "amr":["pwd"] etc. I am new to Azure AD and token validation, so please bear with me. Is there anything I am missing? Thank you
That error is caused by the app being unable to connect to the Azure AD metadata endpoint.
It needs to load configuration from there at the start, including public keys that the app can use to verify token signatures.
Either something is blocking the connection (like a firewall), or Azure AD is down (extremely unlikely).
Related
I'm using AppAuth framework for authentication in my Swift app, I can login but after login and coming back to my app, I can't exchange the code and get error invalid client.
My client configuration is:
var client = new Client
{
ClientId = "IOS.Client",
ClientName = "IOS Client",
RedirectUris = { "com.mysite.accounts:/oauthredirect" },
AllowedGrantTypes = GrantTypes.Code, //AuthorizationCode
AllowedScopes = { "openid", "profile", "offline_access" },
};
I set ClientSecret (SHA-256) and my ClientId is ok but I get error invalid client.
I checked my logs and there is an error: secret validators could not validate secret
what's wrong?
IIRC in IS3 you had to set a client secret. We didn't allow empty ones.
Either you set a secret on client and server, or upgrade to IS4 - IS3 is deprecated since quite some time.
When using IdentityServer3 and AppAuth you should not use special characters in ClientSecret and set your grant AuthorizationCodeWithProofKey.
this link is useful
I followed the documentation here: and here: Trying to integrate to a Personality Insights service via Android Java.
However, after the app runs, and using the correct username and password as mentioned in the guide... (the guide is not clear (2nd bullet point in "Before you begin") on which set of credentials to use - It says get the "service credentials" and credentials from the new service created - I tried with both and both fail with the same error below.)
Error:
12-11 01:49:56.201 29584-29632/? I/CredentialUtils: JNDI string lookups is not available. 12-11 01:49:56.269 29584-29632/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default 12-11 01:49:56.723 29584-29632/? D/OkHttp: --> POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 http/1.1 (1297-byte body) 12-11 01:49:56.803 29584-29632/? D/OkHttp: <-- 401 Not Authorized https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 (78ms, unknown-length body) 12-11 01:49:56.863 29584-29632/? E/WatsonService: POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13, status: 401, error: Not Authorized 12-11 01:49:56.865 29584-29632/? E/ERROR: Unauthorized: Access is denied due to invalid credentials
com.ibm.watson.developer_cloud.service.exception.UnauthorizedException: Unauthorized: Access is denied due to invalid credentials at com.ibm.watson.developer_cloud.service.WatsonService.processServiceCall(WatsonService.java:492) at com.ibm.watson.developer_cloud.service.WatsonService$2.execute(WatsonService.java:254) at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:105) at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:87) at android.os.AsyncTask$2.call(AsyncTask.java:306) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:244) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) at java.lang.Thread.run(Thread.java:761) 12-11 01:49:56.866 29584-29584/?
This is the code I am using; I am trying to pass a "text" input to the service.
service = new PersonalityInsights("2017-10-13");
service.setUsernameAndPassword("{myUsername}", "{myPassword}");
Profile profile = service.getProfile(text).execute();
System.out.println(profile);
return profile.toString();
I am using the com.ibm.watson.developer_cloud:personality-insights:3.8.0 dependency.
I tried connecting to the URL in the error (https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 ) via a browser. It prompts for a username/password combo. I entered my details from my IBM Cloud Lite service but it throws the HTTP Error 405. Is this how it's supposed to work on the browser?
For someone in the future;
Instead of service.setUsernameAndPassword(username, password);, I tried service.setUsernameAndPassword("username", "password"); and it worked.
Please help!
I need my asp application to request remote systems with credentials of impersonated user. But always get 401 Unauthorized errors.
I made all configurations from here: https://support.microsoft.com/en-us/help/810572/how-to-configure-an-asp-net-application-for-a-delegation-scenario
Kerberos is configured and working in my app and my test remote app(i see kerberos tickets in fiddler). Delegation, spns and everything is configured.
Thats my code usnig System.Net.Http.httpclient:
HttpClientHandler handler = new HttpClientHandler()
{
UseDefaultCredentials = true,
PreAuthenticate = true
};
using (HttpClient client = new HttpClient(handler))
{
client.DefaultRequestHeaders.Accept.Clear();
var method = new HttpMethod("GET");
var request = new HttpRequestMessage(method, "http://testdelegationapp.avp.ru/");
var response = client.SendAsync(request).Result;
}
In fact http request is made by Apppool account (I get 401 error when restricting access to Apppool account in remote app IIS)
Here: How to get HttpClient to pass credentials along with the request?
is claimed that HttpClient cant pass security token to another thread, and its better to use synchronous methods of System.Net.WebClient
Code using webclient:
var wi = (WindowsIdentity)HttpContext.User.Identity;
var wic = wi.Impersonate();
try
{
string URI = "http://testdelegationapp.avp.ru/";
using (WebClient wc = new WebClient())
{
wc.UseDefaultCredentials = true;
string response = wc.DownloadString(URI);
}
}
finally
{
wic.Undo();
}
Result is even worse, the same 401 error, but in fiddler i can see that webclient using NTLM ticket to get to remote app!
Configuring of flowing tokens throw threads from here :Unable to authenticate to ASP.NET Web Api service with HttpClient
doesnt help either. SecurityContext.IsWindowsIdentityFlowSuppressed() is false.
WindowsIdentity.GetCurrent().Name and Thread.CurrentPrincipal.Identity.Name shows impersonated user as it should be.
All that time problem was in chrome browser, by default it prohobits kerberos delegation. You shoud add the following to registry:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome ;
string: AuthNegotiateDelegateWhitelist ;
value: *.avp.ru
So, now my working configuration is
HttpClient for web requests.
ASP impersonation ON in IIS if you want to execute all your app under
delegated credentials. If you want method specific delegation, then use:
var wi = (WindowsIdentity)HttpContext.User.Identity;
var wic = wi.Impersonate();
wic.Undo();
HttpClient executes request in another thread , so in aspnet_config.config we need following changes:
<legacyImpersonationPolicy enabled="false"/>
<alwaysFlowImpersonationPolicy enabled="true"/>
You can find aspnet_config.config in:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet.config
I have an integration test which connects to salesforce, and gets back an authentication token.
public AuthenticationResponse getAuthenticationResponse()
{
MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>();
map.add("client_id", consumerKey);
map.add("client_secret", consumerSecret);
map.add("grant_type", GRANT_TYPE);
map.add("username", username);
map.add("password", password);
return new RestTemplate().postForObject(LOGIN_URI, map, AuthenticationResponse.class);
}
^ That's the code the test runs.
public void testConnect(){
AuthenticationResponse response = dataDotComClient.getAuthenticationResponse();
assertNotNull(response);
assertNotNull(response.getAccess_token());
}
^ And that's the test itself.
This works fine from my, and other desktops. However, it never works in jenkins, always returning a 400 status code with no real error message behind it. Is there something I have to do in Jenkins to allow post requests to external sites?
http 400 means
Bad Request - Invalid URL"
OR
"HTTP Error 400. The request hostname is invalid."
Please make sure that your destination host is reachable from jenkins machine.
Try to login to jenkins machine and run the curl/telnet command to check the connectivity.
Could someone please help me? I am trying to create a project in project server programatically (PSI webservice) but am failing to do so because of the error below. Does anyone know what might be the issue? I am also getting this error when attempting to update the web service in VS2008.
Here is the error and it happens when I call QueueCreateProject (see code below):
System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Here is the code:
objProject = new pstest.ProjectWS.ProjectSoapClient();
dsProjectDataSet = new pstest.ProjectWS.ProjectDataSet();
ProjectWS.ProjectDataSet.ProjectRow projectRow = dsProjectDataSet.Project.NewProjectRow();
Guid _projectGUID = Guid.NewGuid(); // new GUID for each project
projectRow.PROJ_UID = _projectGUID;
projectRow.PROJ_NAME = "My new Project";
projectRow.PROJ_INFO_START_DATE = System.DateTime.Now;
projectRow.PROJ_TYPE = 0; //0 is for project and 1 is for template
dsProjectDataSet.Project.AddProjectRow(projectRow);
//create a project using project.asmx
objProject.QueueCreateProject(Guid.NewGuid(), dsProjectDataSet,false);
Most likely your app.config is misconfigured. Depending on your security configuration, you probably need to change part of it:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm"/>
</security>
Take a look at this thread for more information.