IdentityServer3 does not connect to ADFS through UseWsFederationAuthentication - identityserver3

I'm using IdentityServer3 and I'm trying to integrate it with ADFS through UseWsFederationAuthentication, but it does not seem to be working. Without IdentityServer it works: it redirects to the login page and completes without any problem. But when I do it through IdentityServer there is no response. Checking the Fiddler logs, I can see it downloads the metadata but takes no action after that.
What could be the reason?
Fiddler Trace:
IdentityServer3 Login
IdentityServer OWIN Startup
// OWIN startup for the multi-tenant IdentityServer3 host. One IdentityServer instance is mapped per tenant
// under /identity/{ShortName}; each tenant's external identity providers are wired up in the
// IdentityProviders callback. The listing on this page stops after the WS-Federation registration, so the
// braces closing the if/foreach/delegate/Map/Configuration/class are not shown.
public class Startup
{
public void Configuration(IAppBuilder app)
{
var idsrvManager = new IdentityServerManager();
var tenants = idsrvManager.GetTenants();
foreach (var tenant in tenants)
{
app.Map(string.Format("/identity/{0}", tenant.ShortName), ids =>
{
ids.UseIdentityServer(new IdentityServerOptions
{
SiteName = string.Format("Identity Server for {0}", tenant.Name),
// Issuer is derived from the tenant short name; every tenant signs tokens with the same certificate.
IssuerUri = string.Format(Templates.Issuer, tenant.ShortName),
SigningCertificate = LoadCertificate(),
Factory = new IdentityServer3.Core.Configuration.IdentityServerServiceFactory
{
// In-memory stores; only the client list is tenant-specific.
UserService = new Registration<IUserService>(new InMemoryUserService(Users.Get())),
ClientStore = new Registration<IClientStore>(new InMemoryClientStore(Clients.Get(tenant.ShortName))),
ScopeStore = new Registration<IScopeStore>(new InMemoryScopeStore(Scopes.Get()))
},
AuthenticationOptions = new IdentityServer3.Core.Configuration.AuthenticationOptions
{
EnableSignOutPrompt = false,
// IdentityServer invokes this with the tenant's app builder and the authentication type that the
// external middleware must sign in as (sAsType) so IdentityServer can pick the result up afterwards.
IdentityProviders = delegate (IAppBuilder appBuilder, string sAsType)
{
var hasDefaultIdp = false;
var authType = string.Empty;
foreach (var idp in tenant.IdentityProviders)
{
// The first provider flagged IsDefault is registered under Defaults.Idp (the name the MVC client
// asks for via acr_values); every other provider uses its provider-type name.
// NOTE: hasDefaultIdp is recomputed rather than latched, so it drops back to false on the next
// non-default provider, and a later IsDefault provider would then also be registered as
// Defaults.Idp (duplicate AuthenticationType). `hasDefaultIdp = hasDefaultIdp || idp.IsDefault;`
// would latch it.
authType = !hasDefaultIdp && idp.IsDefault ? Defaults.Idp : idp.IdentityProviderType.Name;
hasDefaultIdp = !hasDefaultIdp && idp.IsDefault;
if (idp.IdentityProviderType.Name == IdPConstants.ActiveDirectory)
{
// WS-Federation against ADFS; realm and metadata endpoint come from the tenant's provider record.
appBuilder.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
Wtrealm = idp.Wtrealm,
MetadataAddress = idp.MetadataAddress,
AuthenticationType = authType,
Caption = string.Format(Templates.Caption, IdPConstants.ActiveDirectory),
SignInAsAuthenticationType = sAsType,
// null appears to leave Katana's default certificate validation for the metadata/back-channel
// HTTPS calls in place (a custom validator is only installed when one is supplied) — confirm;
// do not replace it with a validator that accepts any certificate.
BackchannelCertificateValidator = null,
Notifications = new WsFederationAuthenticationNotifications
{
// No-op: the outgoing wsignin1.0 request is left exactly as the middleware built it. A log line
// here is the quickest way to see whether the challenge ever gets this far — the page's log shows
// the challenge being triggered and the 401 being sent, yet no redirect to ADFS follows.
RedirectToIdentityProvider = (n) =>
{
return Task.FromResult(0);
}
}
});
}
MVC Application OWIN Startup
/// <summary>
/// OWIN auth pipeline of the MVC client: a local "Cookies" session plus an OpenID Connect
/// hybrid-flow ("code id_token") login against the "Contoso" tenant of IdentityServer.
/// </summary>
/// <param name="app">The application's OWIN builder.</param>
public void ConfigureAuth(IAppBuilder app)
{
    // Local session cookie that the OpenID Connect middleware signs the user in to.
    var cookieOptions = new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    };
    app.UseCookieAuthentication(cookieOptions);

    var oidcNotifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = n =>
        {
            // Tenant is pinned to "Contoso" here; it should be resolved per request at runtime.
            n.ProtocolMessage.RedirectUri = string.Format(Templates.WebApp, "Contoso");
            // acr_values carries the identity-provider hint (Defaults.Idp), which presumably is what
            // makes IdentityServer log "identity provider requested, redirecting to: default".
            n.ProtocolMessage.AcrValues = string.Format(Templates.ArcValues, Defaults.Idp);
            return Task.FromResult(0);
        }
    };

    // Discovery is resolved through the tenant-aware configuration manager instead of a fixed Authority.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = Defaults.MVCAppName,
        SignInAsAuthenticationType = "Cookies",
        ResponseType = "code id_token",
        Scope = "openid",
        // null = middleware default certificate validation for back-channel calls (not "no validation").
        BackchannelCertificateValidator = null,
        ConfigurationManager = new TenantOpenIdConfigurationManager(new List<string> { "Contoso" }),
        Notifications = oidcNotifications
    });
}
Logs:
2017-09-21 17:51:45.177 +05:30 [Information] identity provider requested, redirecting to: "default"
2017-09-21 17:51:45.181 +05:30 [Information] External login requested for provider: "default"
2017-09-21 17:51:45.186 +05:30 [Information] Triggering challenge for external identity provider
2017-09-21 17:51:45.187 +05:30 [Debug] [2017-09-21T12:21:45.1867241Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=80000077-0000-f000-b63f-84710c7967bb, Message='Action returned 'System.Web.Http.Results.UnauthorizedResult'', Operation=ReflectedHttpActionDescriptor.ExecuteAsync
2017-09-21 17:51:45.189 +05:30 [Debug] [2017-09-21T12:21:45.1887241Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=ApiControllerActionInvoker.InvokeActionAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.190 +05:30 [Debug] [2017-09-21T12:21:45.1897241Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=80000077-0000-f000-b63f-84710c7967bb, Message='Action filter for 'Login(String signin)'', Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.191 +05:30 [Debug] [2017-09-21T12:21:45.1907241Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.193 +05:30 [Debug] [2017-09-21T12:21:45.1917241Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=80000077-0000-f000-b63f-84710c7967bb, Message='Action filter for 'Login(String signin)'', Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.194 +05:30 [Debug] [2017-09-21T12:21:45.1937241Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.196 +05:30 [Debug] [2017-09-21T12:21:45.1947241Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=AuthenticationController.ExecuteAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.197 +05:30 [Debug] [2017-09-21T12:21:45.1967241Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=PassiveAuthenticationMessageHandler.SendAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.198 +05:30 [Debug] [2017-09-21T12:21:45.1977241Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=DependencyScopeHandler.SendAsync, Status=401 (Unauthorized)
2017-09-21 17:51:45.199 +05:30 [Debug] [2017-09-21T12:21:45.1987241Z] Sending response, Status=401 (Unauthorized), Method=GET, Url=<>?signin=5c391119163f5581602559efabbb3443, Id=80000077-0000-f000-b63f-84710c7967bb, Message='Content-type='none', content-length=unknown'
2017-09-21 17:51:45.200 +05:30 [Debug] [2017-09-21T12:21:45.1997241Z] Level=Info, Kind=Begin, Category='System.Web.Http.Controllers', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=AuthenticationController.Dispose
2017-09-21 17:51:45.201 +05:30 [Debug] [2017-09-21T12:21:45.2007241Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=80000077-0000-f000-b63f-84710c7967bb, Operation=AuthenticationController.Dispose


Unable to consume TFS 2015 API. Getting 401 unauthrozed error

I tried TFS 2015 REST API Authentication
However, it mentions a request object (I can't use JavaScript), and I'm not sure where that request object comes from or what type it is.
I am trying to pass query id and the code should execute the query and get result via API.
The solution works locally; however, after publishing to the server it does not seem to work.
I also checked that the TFS is accessible from server using the credentials.
My code below:
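/// <summary>
/// Builds the <see cref="HttpClientHandler"/> used to call the TFS REST API with an explicit
/// Windows (NTLM/Negotiate) credential.
/// </summary>
/// <returns>A handler whose <see cref="HttpClientHandler.Credentials"/> is the TFS credential.</returns>
/// <remarks>
/// <c>UseDefaultCredentials</c> is left at its default (false). Setting it to true tells the handler to
/// authenticate as the running process — on the server that is the app-pool/machine account, which is the
/// identity (a name ending in <c>$</c>) that the TF400813 error on this page reports as unauthorized —
/// and, per the answer on this page, the explicit <see cref="NetworkCredential"/> is then ignored.
/// The literal user name, password and domain are placeholders; load the real values from protected
/// configuration or a secret store, never from source.
/// </remarks>
private HttpClientHandler GetTfsCredentials()
{
    return new HttpClientHandler
    {
        Credentials = new NetworkCredential("username", "password", "domain")
    };
}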
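/// <summary>
/// Executes the saved TFS query <paramref name="queryId"/> through the WIQL REST endpoint
/// (<c>{project}/_apis/wit/wiql/{id}</c>).
/// </summary>
/// <param name="queryId">Id of the saved query to run; it is what the request URL is built from
/// (the original code tested an undefined <c>Id</c> here).</param>
/// <returns>Currently always <c>null</c>: the success branch is still to be implemented.</returns>
/// <remarks>
/// Authentication is Windows-only via <see cref="GetTfsCredentials"/>. The server's
/// <c>WWW-Authenticate</c> headers on this page offer Bearer, Negotiate and NTLM but not Basic, so no
/// <c>Authorization: Basic</c> header is sent; the previous version sent one next to the Windows
/// credentials (two schemes at once) and kept a password in source to build it.
/// </remarks>
private async Task<object> GetQueryResults(string queryId)
{
    string tfsApiUrl = ConfigurationManager.AppSettings["TfsApiUrl"];
    string tfsProjectName = ConfigurationManager.AppSettings["TfsProjectName"];

    if (string.IsNullOrEmpty(tfsApiUrl) || string.IsNullOrEmpty(tfsProjectName) || string.IsNullOrEmpty(queryId))
    {
        return null;
    }

    log.Info("GetQueryResults:: Config values found");
    using (var client = new HttpClient(GetTfsCredentials()) { BaseAddress = new Uri(tfsApiUrl) })
    {
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));

        // Escaped so a malformed id cannot alter the path; awaited rather than .Result because blocking on
        // the task inside an async method can deadlock under ASP.NET.
        string requestUri = $"{tfsProjectName}/_apis/wit/wiql/{Uri.EscapeDataString(queryId)}";
        using (HttpResponseMessage response = await client.GetAsync(requestUri))
        {
            log.Info("GetQueryResults:: response.ReasonPhrase" + response.ReasonPhrase);
            log.Info("GetQueryResults:: response" + response);
            log.Info("GetQueryResults:: response.IsSuccessStatusCode" + response.IsSuccessStatusCode);
            if (response.IsSuccessStatusCode)
            {
                //do something
            }
        }
    }
    return null;
}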
The error I received is:
2020-03-20 16:17:35,382 INFO GetQueryResults:: response.ReasonPhrase Unauthorized
2020-03-20 16:17:35,382 INFO GetQueryResults:: responseStatus Code: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
X-TFS-ProcessId: 115b5bba-0bf4-45e2-a3b2-2913ccc93f09
ActivityId: bb21d947-99a3-44dc-bdb7-317d7af34934
X-TFS-Session: bb21d947-99a3-44dc-bdb7-317d7af34934
X-VSS-E2EID: bb21d947-99a3-44dc-bdb7-317d7af34934
X-FRAME-OPTIONS: SAMEORIGIN
X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+The+user+%27CWOPA%5cSTCTCAPD006%24%27+is+not+authorized+to+access+this+resource.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
X-TFS-ServiceError: TF400813%3a+The+user+%27CWOPA%5cSTCTCAPD006%24%27+is+not+authorized+to+access+this+resource.
Server: Microsoft-IIS/8.5
WWW-Authenticate: Bearer
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Fri, 20 Mar 2020 20:17:35 GMT
Content-Length: 82
Content-Type: text/plain; charset=utf-8
}
2020-03-20 16:17:35,382 INFO GetQueryResults:: response.IsSuccessStatusCode False
It looks like you are doing authentication in two different ways at once:
In the GetTfsCredentials-Method you set up Windows Authentication (NTLM or Kerberos)
By adding client.DefaultRequestHeaders.Authorization you try to set up Basic Authentication
Your TFS indicates (see WWW-Authenticate Header) that it supports Bearer, Negotiate and NTLM; but not Basic.
I would try:
Remove client.DefaultRequestHeaders.Authorization, credentials and credentials2. This should remove Basic-Authentication
Remove UseDefaultCredentials = true since you set explicit credentials the next line. UseDefaultCredentials tells HttpClientHandler to access TFS with the credentials of the running process, which is probably your account when executing locally and a service account when executing on the server.
Without this line, the specified NetworkCredential should be used to access TFS.

How to enable HEAD method on API Gateway with Terraform

I've tried adding the following to my currently working apigateway API setup
# HEAD on the API root with no authorizer; api_key_required is left at its default, so nothing gates this
# method. That is reasonable for a public availability probe, but make sure the Lambda's HEAD handling
# does not return anything that a GET on the same route would otherwise protect.
resource "aws_api_gateway_method" "enable_head_request" {
provider = "aws.default"
rest_api_id = "${aws_api_gateway_rest_api.petshop.id}"
resource_id = "${aws_api_gateway_rest_api.petshop.root_resource_id}"
http_method = "HEAD"
authorization = "NONE"
# api_key_required = "False"
}
# Lambda proxy integration. integration_http_method is POST regardless of the client method because
# API Gateway invokes Lambda with POST.
resource "aws_api_gateway_integration" "enable_head_request" {
provider = "aws.default"
rest_api_id = "${aws_api_gateway_rest_api.petshop.id}"
resource_id = "${aws_api_gateway_rest_api.petshop.root_resource_id}"
http_method = "${aws_api_gateway_method.enable_head_request.http_method}"
integration_http_method = "POST"
type = "AWS_PROXY"
uri = "${aws_lambda_function.petshop.invoke_arn}"
}
# Declares the 200 response for HEAD. Adding these three resources does not by itself create a new API
# Gateway deployment; the author traced the 403 MissingAuthenticationTokenException in the question to
# the stage not being redeployed (see the EDIT below).
resource "aws_api_gateway_method_response" "200_for_head_request" {
provider = "aws.default"
rest_api_id = "${aws_api_gateway_rest_api.petshop.id}"
resource_id = "${aws_api_gateway_rest_api.petshop.root_resource_id}"
http_method = "${aws_api_gateway_method.enable_head_request.http_method}"
status_code = "200"
}
However after deploying and trying to curl the endpoint I get;
curl --head https://test.com
HTTP/1.1 403 Forbidden
Date: Thu, 01 Mar 2018 18:47:07 GMT
Content-Type: application/json
Content-Length: 42
Connection: keep-alive
x-amzn-RequestId: f1811ce9-1d80-11e8-b15c-cf44af523470
x-amzn-ErrorType: MissingAuthenticationTokenException
EDIT:
The issue is indeed that the deployment is not redeployed. But I found a better way to do it as mentioned in my answer.
The issue is that the deployment does not get redeployed. Here's a better way to do it than in the linked question
# A changed stage_description forces a new deployment of the "prod" stage. Hashing apigateway.tf ties
# that trigger to edits of this one file: a method or integration declared in a different .tf file would
# not cause a redeploy, so keep all API Gateway resources in apigateway.tf (or hash every file involved).
resource "aws_api_gateway_deployment" "petshop" {
provider = "aws.default"
stage_description = "${md5(file("apigateway.tf"))}"
rest_api_id = "${aws_api_gateway_rest_api.petshop.id}"
stage_name = "prod"
}
This saves you redeploying on every minor change and will only be triggered by changes in the apigateway.tf file

How to resolve a zookeeper authentication failure when using Kafka with Kerberos

I am trying to use SASL between my kafka broker and zookeeper. When I start the kafka server
KAFKA_OPTS="-Djava.security.auth.login.config=/home/kafka/kafka/config/kafka_server_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf" \
./kafka-server-start.sh ../config/server.properties
I get the following error:
INFO TGT refresh thread started. (org.apache.zookeeper.Login)
DEBUG Client principal is "kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM". (org.apache.zookeeper.Login)
DEBUG Server principal is "krbtgt/EIGENROUTE.COM@EIGENROUTE.COM". (org.apache.zookeeper.Login)
INFO TGT valid starting at: Sat Dec 16 00:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT expires: Sat Dec 16 10:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT refresh sleeping until: Sat Dec 16 08:55:41 EST 2017 (org.apache.zookeeper.Login)
INFO Opening socket connection to server devel-2.sjml.com/173.243.38.81:2181. Will attempt to SASL-authenticate using Login Context section 'Client' (org.apache.zookeeper.ClientCnxn)
DEBUG Closing ZkClient... (org.I0Itec.zkclient.ZkClient)
INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
DEBUG Closing ZooKeeper connected to zookeeper.eigenroute.com:2181 (org.I0Itec.zkclient.ZkConnection)
DEBUG Closing session: 0x0 (org.apache.zookeeper.ZooKeeper)
DEBUG Closing client for session: 0x0 (org.apache.zookeeper.ClientCnxn)
WARN Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG An exception was thrown while closing send thread for session 0x0 : Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG Ignoring exception during shutdown input (org.apache.zookeeper.ClientCnxnSocketNIO)
java.net.SocketException: Socket is not connected
My questions are: what is going on? And how do I fix this?
Below are my configuration files. The first is server.properties:
# server.properties
# The broker listens on SASL_PLAINTEXT only: clients and peers authenticate with Kerberos (GSSAPI) but the
# traffic itself is not encrypted; use SASL_SSL if the network between clients and brokers is not trusted.
broker.id=0
delete.topic.enable=true
listeners=SASL_PLAINTEXT://kafka.eigenroute.com:9092
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
# Must be the primary of the broker principal in kafka_server_jaas.conf (kafkabroker1/<host>@REALM) — it is.
sasl.kerberos.service.name=kafkabroker1
inter.broker.listener.name=SASL_PLAINTEXT
# ACLs are enforced; the broker itself is a super user (assuming the default principal-to-name mapping
# yields "kafkabroker1"), so inter-broker traffic is never denied.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafkabroker1
...
# The broker's ZooKeeper client authenticates via the "Client" JAAS section. The 6000 ms timeout here is
# the one behind "have not heard from server in 6004ms" in the log above.
zookeeper.connect=zookeeper.eigenroute.com:2181
zookeeper.connection.timeout.ms=6000
Here is kafka_server_jaas.conf
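// Broker identity for SASL/GSSAPI on the SASL_PLAINTEXT listener (client and inter-broker auth).
// The realm separator in the principals is '@'; this page renders '@' as '#' (see the prompts and
// principal names elsewhere on it), which would make the principal invalid if copied verbatim.
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    useKeyTab=true
    storeKey=true
    keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
    principal="kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM";
};

// Identity the broker presents to ZooKeeper (ZooKeeper's SASL client looks for a section named "Client").
// With useTicketCache=true and useKeyTab=true the Krb5LoginModule documentation says the ticket cache is
// tried first and the keytab second; the keytab alone is enough for an unattended broker.
// NOTE(review): the directory listing on this page shows every keytab as root-owned and mode 0644, i.e.
// world-readable. A keytab is a long-term key — restrict it to the kafka service account, mode 0600.
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    refreshKrb5Config=true
    useKeyTab=true
    storeKey=true
    keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
    principal="kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM";
};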
This is the zookeeper file in /etc/init.d:
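#!/bin/bash
# init.d wrapper for ZooKeeper: points the JVM at the SASL/Kerberos JAAS file and krb5.conf, then
# forwards the init verb (start/stop/status/...) to zkServer.sh.
export ZOOCFGDIR="/etc/zookeeper/conf/"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf"
# "$@" forwards the script's arguments intact. The page renders '@' as '#', and "$#" (the argument
# count) would pass e.g. "1" instead of "start" to zkServer.sh.
# NOTE(review): the ps output on this page shows the running JVM with a second
# -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf after the one set here (likely added by
# zkServer.sh/zkEnv.sh from another setting). The JVM keeps the last value, so confirm which JAAS file is
# actually in effect before debugging the "Server" section.
echo "$@"
/usr/share/java/zookeeper-3.4.10/bin/zkServer.sh "$@" /etc/zookeeper/conf/zoo.cfg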
Here is my zookeeper configuration file zoo.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper
clientPort=2181
# SASL (Kerberos) for client sessions; requireClientAuthScheme=sasl rejects clients that do not
# authenticate that way. The server's own principal comes from the "Server" section of the JAAS file
# passed via SERVER_JVMFLAGS in the init script.
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
# Re-login interval for the server's Kerberos credentials, in milliseconds (1 h).
jaasLoginRenew=3600000
I have enabled useTicketCache=true in the zookeeper.jaas file (does it belong there?):
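// ZooKeeper server identity (ZooKeeper reads the section named "Server"). Clients authenticating with
// SASL expect the service principal zookeeper/<host>@REALM, which is what this keytab holds.
// Realm separator restored to '@' — this page renders '@' as '#'.
// useTicketCache=true is not harmful here: per the Krb5LoginModule documentation the cache is tried first
// and the keytab second, so for an unattended server it is the keytab that ends up being used.
// NOTE(review): the listing on this page shows zookeeper.keytab as root-owned, mode 0644 — make it
// readable only by the account the ZooKeeper JVM runs as.
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    refreshKrb5Config=true
    useKeyTab=true
    keyTab="/home/kafka/keytabs/zookeeper.keytab"
    storeKey=true
    principal="zookeeper/zookeeper.eigenroute.com@EIGENROUTE.COM";
};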
Finally, the keytab files are all readable:
$ ll /home/kafka/keytabs/
total 24
drwxr-xr-x 2 sjamal sjamal 4096 Dec 12 11:32 .
drwxr-xr-x 10 kafka kafka 4096 Dec 12 11:57 ..
-rw-r--r-- 1 root root 366 Dec 12 11:24 kafka_broker1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaconsumer1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaproducer1.keytab
-rw-r--r-- 1 root root 370 Dec 12 11:32 zookeeper.keytab
I have consulted the following resources:
apache-kafka-security-authorization-authentication-encryption.
Kafka SASL zookeeper authentication (this says to add the zookeeper.set.acl=true to server.properties, but this has no effect on the issue I am experiencing)
https://kafka.apache.org/documentation/#configuration (the official documentation, which could use improvement in some areas)
https://coheigea.blogspot.ca/2017/05/securing-apache-kafka-with-kerberos.html (a set of instructions that I initially started following)
Can someone suggest what the problem might be, and how to fix this? Thanks!
UPDATE: I ran netstat -tulnp | grep 2181 and ps aux | grep zookeeper, the output below shows that Zookeeper is running and listening on port 2181:
root@devel-2:~# netstat -tulnp | grep 2181
tcp6 0 0 :::2181 :::* LISTEN 3366/java
root@devel-2:~# ps aux | grep zookeeper
root 3366 0.0 0.6 3474796 26000 ? Sl Dec16 1:43 java -Dzookeeper.log.dir=. -Dzookeeper.root.logger=INFO,CONSOLE -cp /usr/share/java/zookeeper-3.4.10/bin/../build/classes:/usr/share/java/zookeeper-3.4.10/bin/../build/lib/*.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-api-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/netty-3.10.5.Final.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/jline-0.9.94.jar:/usr/share/java/zookeeper-3.4.10/bin/../zookeeper-3.4.10.jar:/usr/share/java/zookeeper-3.4.10/bin/../src/java/lib/*.jar:/etc/zookeeper/conf/: -Dsun.security.krb5.debug=true -Dlog4j.configuration=file:/etc/zookeeper/conf/log4j.properties -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.local.only=false org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zookeeper/conf/zoo.cfg
UPDATE: The software versions are:
Kerberos 5 version 1.12.1
Zookeeper 3.4.10
Kafka 0.11.0.0
UPDATE: Below is the content of my /etc/krb5.conf file:
# MIT Kerberos client configuration, used by both the broker (KAFKA_OPTS) and ZooKeeper (SERVER_JVMFLAGS).
[libdefaults]
default_realm = EIGENROUTE.COM
# Only EIGENROUTE.COM is used by this deployment; the MIT/CMU/Stanford/... realms and [domain_realm]
# entries further down appear to be the stock distribution template and can be removed to reduce noise.
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
# New tickets are forwardable and proxiable by default. Neither is needed for a service's own TGT, and both
# widen what a copied ticket cache can be used for — consider dropping them unless delegation is required.
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
# No dns_lookup_kdc here, so KDC discovery for the realm relies entirely on this block.
EIGENROUTE.COM = {
kdc = krb.eigenroute.com
admin_server = krb.eigenroute.com
default_domain = eigenroute.com
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
# The only mappings this deployment needs: host names under eigenroute.com resolve to the realm above.
.eigenroute.com = EIGENROUTE.COM
eigenroute.com = EIGENROUTE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
# Library-side failures (e.g. the broker's GSSAPI handshake) land in the "default" log below; the kdc and
# admin_server entries only matter on the KDC host itself.
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

Message 'No configuration setting found for key' Akka-Http

My project compiles and runs without problems; it is an akka-http project that provides JSON services, but when calling a service this error appears:
> run
[info] Running net.claritysales.api.Main
[DEBUG] [11/02/2017 11:08:32.360] [run-main-0] [EventStream(akka://default)] logger log1-Logging$DefaultLogger started
[DEBUG] [11/02/2017 11:08:32.361] [run-main-0] [EventStream(akka://default)] Default Loggers started
[DEBUG] [11/02/2017 11:08:33.253] [run-main-0] [AkkaSSLConfig(akka://default)] Initializing AkkaSSLConfig extension...
[DEBUG] [11/02/2017 11:08:33.258] [run-main-0] [AkkaSSLConfig(akka://default)] buildHostnameVerifier: created hostname verifier: com.typesafe.sslconfig.ssl.DefaultHostnameVerifier@5160a3bd
[DEBUG] [11/02/2017 11:08:34.687] [default-akka.actor.default-dispatcher-5] [akka://default/system/IO-TCP/selectors/$a/0] Successfully bound to /127.0.0.1:9000
[DEBUG] [11/02/2017 11:08:40.607] [default-akka.actor.default-dispatcher-5] [akka://default/system/IO-TCP/selectors/$a/0] New connection accepted
[ERROR] [11/02/2017 11:08:41.795] [default-akka.actor.default-dispatcher-5] [akka.actor.ActorSystemImpl(default)] Error during processing of request: 'No configuration setting found for key 'cors''. Completing with 500 Internal Server Error response.
[ERROR] [11/02/2017 11:08:43.467] [default-akka.actor.default-dispatcher-5] [akka.actor.ActorSystemImpl(default)] Error during processing of request: 'No configuration setting found for key 'cors''. Completing with 500 Internal Server Error response.
[DEBUG] [11/02/2017 11:09:49.232] [default-akka.actor.default-dispatcher-5] [akka://default/user/StreamSupervisor-0/flow-1-0-unknown-operation] Aborting tcp connection to /127.0.0.1:64741 because of upstream failure: HTTP idle-timeout encountered, no bytes passed in the last 1 minute. This is configurable by akka.http.[server|client].idle-timeout.
From Insomnia this appears:
My application.conf is:
akka {
# DEBUG logs every connection and request event (see the console output above); lower it outside development.
loglevel = DEBUG
}
http {
interface = "localhost"
# ${?VAR} only overrides when the environment variable is set; otherwise the literal above stands.
interface = ${?HTTP_INTERFACE}
port = 9000
port = ${?HTTP_PORT}
}
# No "cors" block is defined in this file, which is the key the 500 errors above report as missing. The
# answer on this page adds cors.allowed-origin — prefer the real front-end origin(s) over "*" unless the
# API is intentionally public.
database = {
cs {
profile = "slick.jdbc.PostgresProfile$"
db {
url = "jdbc:postgresql://localhost:5432/cs2_company"
url = ${?PSQL_URL}
user = "postgres"
user = ${?PSQL_USER}
# "qwerty" is a development placeholder; deploy with PSQL_PASSWORD set and keep real passwords out of this file.
password = "qwerty"
password = ${?PSQL_PASSWORD}
}
}
}
I read my configuration from a trait called Config, it has:
package net.cs.api.utils
import com.typesafe.config.ConfigFactory
/** Typed view over application.conf: HTTP bind settings and the Slick/JDBC connection settings.
  *
  * The configuration is loaded when the class mixing this trait in is constructed (trait vals are
  * strict), so a missing key fails fast at startup rather than on first use.
  */
trait Config {
  private val rootConfig = ConfigFactory.load()
  private val httpSection = rootConfig.getConfig("http")
  private val dbSection = rootConfig.getConfig("database.cs")

  // Bind address and port; application.conf lets HTTP_INTERFACE / HTTP_PORT override the defaults.
  val httpHost: String = httpSection.getString("interface")
  val httpPort: Int = httpSection.getInt("port")

  // dbPassword is a plain String member of every instance mixing this in — keep such instances out of
  // logs and toString output.
  val jdbcUrl: String = dbSection.getString("db.url")
  val dbUser: String = dbSection.getString("db.user")
  val dbPassword: String = dbSection.getString("db.password")
}
Additionally, I have another application.conf file in the test resources, because I want to run the tests with H2 and the application with Postgres.
My application.conf for the test is:
# Test-only configuration placed in the test resources: same keys as the main file but backed by an
# in-memory H2 database in PostgreSQL compatibility mode, so the Config trait needs no changes under tests.
akka {
loglevel = WARNING
}
database = {
cs {
profile = "slick.jdbc.H2Profile$"
db {
driver = "org.h2.Driver"
# DB_CLOSE_DELAY=-1 keeps the in-memory database alive for the lifetime of the JVM instead of dropping
# it when the last connection closes.
url = "jdbc:h2:mem:cs2_company;MODE=PostgreSQL;DB_CLOSE_DELAY=-1;IGNORECASE=TRUE;DATABASE_TO_UPPER=false"
url = ${?PSQL_TEST_URL}
user = "sales"
user = ${?PSQL_TEST_USER}
password = "sales"
password = ${?PSQL_TEST_PASSWORD}
}
}
}
What is the error? any help I would appreciate it. Thanks!
It seems that something was looking for a key called cors in the configuration and could not find it. In my configuration I added:
cors.allowed-origin = "*"
everything works!

IdentityServer3 login loop for clients using different flows

Our IdentityServer3 service is acting oddly when we try to log in from a client using hybrid flow and then log in from a different client using implicit flow. The second user is stuck in a loop where the STS fails to recognize the authorization and sends the user back to the login page repeatedly. We can recreate this behavior and see it in our log files. Also, whichever client logs in first can log in successfully, while the second one gets stuck in the loop. We have implemented a custom login process using the hooks for IdentityServer3. Below is the code for the login process:
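/// <summary>
/// IdentityServer3 user service backed by the EMS Person/PersonLogin tables: pre-authenticates users who
/// already hold an ASP.NET identity, validates local username/password logins, and supplies profile claims
/// and the active-user check.
/// </summary>
public class EmsUserService : UserServiceBase
{
    /// <summary>
    /// Resolves a fresh <see cref="IEmsEntities"/> from the MVC dependency resolver on every access and
    /// switches it to read-uncommitted. Each access is a new resolution, so two reads within one method
    /// do not share context state.
    /// NOTE(review): read-uncommitted lets credential and active-flag lookups observe rows from
    /// uncommitted transactions — confirm that is acceptable for login decisions.
    /// </summary>
    private IEmsEntities _context
    {
        get
        {
            var service = DependencyResolver.Current.GetService<IEmsEntities>();
            service.ChangeReadUncommittedSetting(true);
            return service;
        }
    }

    /// <summary>
    /// If the current request already carries an authenticated ASP.NET identity, signs that person straight
    /// in (subject = PersonId, name = login name) so the login page is skipped.
    /// </summary>
    /// <param name="context">Pre-authentication context. <c>AuthenticateResult</c> is left null when there
    /// is nothing to do, which makes IdentityServer show the login page.</param>
    public override Task PreAuthenticateAsync(PreAuthenticationContext context)
    {
        var httpContext = HttpContext.Current;
        if (httpContext.Request.IsAuthenticated)
        {
            var personId = httpContext.User.Identity.Name;
            // FirstOrDefault: an identity whose Person row is missing falls through to the login page
            // instead of surfacing as an unhandled exception from First().
            var user = _context.Person.Include(p => p.PersonLogin).FirstOrDefault(x => x.PersonId.ToString() == personId);
            if (user != null)
            {
                context.AuthenticateResult = new AuthenticateResult(personId, user.PersonLogin.LoginName);
            }
        }
        return Task.FromResult(0);
    }

    /// <summary>
    /// Validates a username/password submitted on the login page.
    /// </summary>
    /// <param name="context">Carries <c>UserName</c>/<c>Password</c> and receives the
    /// <c>AuthenticateResult</c>: a full sign-in, a partial sign-in redirecting to
    /// <c>~/ChangePassword/{isOld}</c> when the password is old, not complex enough or flagged for reset,
    /// or an error message.</param>
    /// <remarks>
    /// The submitted password is transformed with <c>Password.Encrypt</c> and matched against stored login
    /// records; a record that matches but is inactive is treated as locked out. NOTE(review): check what
    /// <c>Password.Encrypt</c> does — if it is reversible encryption rather than a salted, slow hash
    /// (PBKDF2/bcrypt/Argon2), the storage scheme itself is the weak point. The lock-out message tells the
    /// caller the credentials were correct; that is a deliberate UX choice in the original.
    /// </remarks>
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var encryptedPassword = Password.Encrypt(context.Password);
        var loginRecords = Utilities.GetUserLoginRecords(_context, encryptedPassword, context.UserName);

        if (!loginRecords.Any())
        {
            context.AuthenticateResult = new AuthenticateResult(
                "The username and password combination does not match. Your username must be an email address and the password is case-sensitive.");
            return Task.FromResult(0);
        }

        // A matching record with no active login means the account is locked out.
        var active = loginRecords.FirstOrDefault(u => u.PersonLogin.IsActive);
        if (active == null)
        {
            context.AuthenticateResult = new AuthenticateResult(
                "This account has been locked. Please contact OSPI Customer Support to re-activate it.");
            return Task.FromResult(0);
        }

        var isOld = Utilities.IsOld(active.PersonLogin);
        var isComplex = Utilities.IsComplex(context.Password);
        var resetRequired = active.PersonLogin.IsResetRequired;
        if (isOld || !isComplex || resetRequired)
        {
            // Partial login: IdentityServer redirects to the change-password page before completing sign-in.
            context.AuthenticateResult = new AuthenticateResult(
                String.Format("~/ChangePassword/{0}", isOld),
                active.PersonId.ToString(),
                active.PersonLogin.LoginName);
        }
        else
        {
            context.AuthenticateResult = new AuthenticateResult(active.PersonId.ToString(), active.PersonLogin.LoginName);
        }
        return Task.FromResult(0);
    }

    /// <summary>
    /// Issues the email and name claims for the subject. Only an active login yields claims; an inactive or
    /// unknown subject leaves <c>IssuedClaims</c> untouched.
    /// </summary>
    /// <remarks>
    /// <c>FirstOrDefault</c> replaces <c>First</c>: the original null check could never run because
    /// <c>First</c> throws when nothing matches. <c>ClaimTypes.Name</c> carries the PersonId rather than the
    /// login name — kept as-is since callers may depend on it. Requested claim types are not filtered.
    /// </remarks>
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subjectId = context.Subject.GetSubjectId();
        var user = _context.Person
            .Include(p => p.PersonLogin)
            .FirstOrDefault(x => x.PersonId.ToString() == subjectId && x.PersonLogin.IsActive);
        if (user != null)
        {
            context.IssuedClaims = new List<Claim>
            {
                new Claim(ClaimTypes.Email, user.PersonLogin.LoginName),
                new Claim(ClaimTypes.Name, user.PersonId.ToString())
            };
        }
        return Task.FromResult(0);
    }

    /// <summary>
    /// Reports whether the subject still has an active login. IdentityServer consults this when validating
    /// existing sessions and tokens, so a deactivated person is cut off here rather than by an exception.
    /// </summary>
    public override Task IsActiveAsync(IsActiveContext context)
    {
        var subjectId = context.Subject.GetSubjectId();
        // FirstOrDefault, not First: a missing/inactive row must yield IsActive = false, not throw.
        var user = _context.Person
            .Include(p => p.PersonLogin)
            .FirstOrDefault(x => x.PersonId.ToString() == subjectId && x.PersonLogin.IsActive);
        context.IsActive = user != null;
        return Task.FromResult(0);
    }
}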
Here are the IdentityServer logs for the second client trying to log in:
> w3wp.exe Information: 0 : 2016-09-29 10:07:08.008 -07:00 [Information] User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : 2016-09-29 10:07:08.009 -07:00 [Information] End authorize request
w3wp.exe Information: 0 : 2016-09-29 10:07:08.010 -07:00 [Information] Redirecting to login page
2016-09-29 10:07:08.011 -07:00 [Debug] Protecting message: "{\"ReturnUrl\":\"https://localhost/OspiSts/identity/connect/authorize?client_id=.....&redirect_uri=......&response_mode=form_post&response_type=code%20id_token%20token&scope=openid%20profile%20authApi&state=OpenIdConnect.AuthenticationProperties%.....\",\"ClientId\":\"....",\"AcrValues\":[],\"Created\":636107656279778454}"
w3wp.exe Information: 0 : 2016-09-29 10:07:08.018 -07:00 [Information] Login page requested
2016-09-29 10:07:08.019 -07:00 [Debug] signin message passed to login: "{
\"ReturnUrl\": \"......",
\"ClientId\": \"...",
\"IdP\": null,
\"Tenant\": null,
\"LoginHint\": null,
\"DisplayMode\": null,
\"UiLocales\": null,
\"AcrValues\": [],
\"Created\": 636107656279778454
}"
w3wp.exe Information: 0 : 2016-09-29 10:07:12.847 -07:00 [Information] rendering login page
w3wp.exe Information: 0 : 2016-09-29 10:07:21.148 -07:00 [Information] Login page submitted
w3wp.exe Information: 0 : 2016-09-29 10:07:27.417 -07:00 [Information] Login credentials successfully validated by user service
w3wp.exe Information: 0 : 2016-09-29 10:07:27.419 -07:00 [Information] {
"Category": "Authentication",
"Name": "Local Login Success",
"EventType": "Success",
"Id": 1010,
"Details": {
"LoginUserName": "...",
"SignInId": "...",
"SignInMessage": {
"ReturnUrl": "....",
"ClientId": "...",
"AcrValues": [],
"Created": 636107656279778454
},
"PartialLogin": false,
"SubjectId": "141480",
"Name": "..."
},
"Context": {
"ActivityId": "77206837-cc1c-475b-a3e0-9b362b9dad29",
"TimeStamp": "2016-09-29T17:07:27.4199277+00:00",
"ProcessId": 1712,
"MachineName": "WKS-C070421",
"RemoteIpAddress": "::1"
}
}
w3wp.exe Information: 0 : 2016-09-29 10:07:27.421 -07:00 [Information] Calling PostAuthenticateAsync on the user service
w3wp.exe Information: 0 : 2016-09-29 10:07:27.425 -07:00 [Information] issuing primary signin cookie
w3wp.exe Information: 0 : 2016-09-29 10:07:27.428 -07:00 [Information] redirecting to: ....
w3wp.exe Information: 0 : 2016-09-29 10:07:27.442 -07:00 [Information] Start authorize request
w3wp.exe Information: 0 : 2016-09-29 10:07:27.443 -07:00 [Information] Start authorize request protocol validation
w3wp.exe Information: 0 : 2016-09-29 10:07:27.479 -07:00 [Information] "Authorize request validation success"
"{
\"ClientId\": \"...",
\"ClientName\": \"Data Quality\",
\"RedirectUri\": \"...",
\"AllowedRedirectUris\": [
\"...",
\"....",
\"....",
\"...."
],
\"SubjectId\": \"unknown\",
\"ResponseType\": \"code id_token token\",
\"ResponseMode\": \"form_post\",
\"Flow\": \"Hybrid\",
\"RequestedScopes\": \"openid profile authApi\",
\"State\": \"OpenIdConnect.AuthenticationProperties=....",
\"Nonce\": \"..",
\"Raw\": {
\"client_id\": \"...",
\"redirect_uri\": \"...",
\"response_mode\": \"form_post\",
\"response_type\": \"code id_token token\",
\"scope\": \"openid profile authApi\",
\"state\": \"OpenIdConnect.AuthenticationProperties=...",
\"nonce\": \"..."
}
}"
w3wp.exe Information: 0 : 2016-09-29 10:07:27.480 -07:00 [Information] User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : 2016-09-29 10:07:27.481 -07:00 [Information] End authorize request
w3wp.exe Information: 0 : 2016-09-29 10:07:27.483 -07:00 [Information] Redirecting to login page
2016-09-29 10:07:27.484 -07:00 [Debug] Protecting message: "{\"ReturnUrl\":\"..",\"ClientId\":\"...",\"AcrValues\":[],\"Created\":636107656474419255}"
w3wp.exe Information: 0 : 2016-09-29 10:07:27.493 -07:00 [Information] Login page requested
2016-09-29 10:07:27.495 -07:00 [Debug] signin message passed to login: "{
\"ReturnUrl\": \"...",
\"ClientId\": \"...",
\"IdP\": null,
\"Tenant\": null,
\"LoginHint\": null,
\"DisplayMode\": null,
\"UiLocales\": null,
\"AcrValues\": [],
\"Created\": 636107656474419255
}"
w3wp.exe Information: 0 : 2016-09-29 10:07:28.657 -07:00 [Information] rendering login page
You can see that I am redirected to the login page and log in successfully, but the STS fails to recognize the authentication. This occurs for the second client to log in, regardless of which one that is.
Thanks in advance for the help.
There is a bug in Microsoft's OWIN implementation for System.Web — the one used when running OWIN applications on IIS, which is what probably 99% of us do if we're using the new OWIN-based authentication handling with ASP.NET MVC5.
The bug makes cookies set by Owin mysteriously disappear on some occasions.
This middleware is a fix for that bug. Simply add it before any cookie-handling middleware and it will preserve the authentication cookies. Here is the link:
https://github.com/KentorIT/owin-cookie-saver