Issue Testing after IdentityServer3 Deploy - identityserver3

After going through walkthroughs I had a test MVC app, test Web API, and IdentityServer3 all working perfectly on my machine. I deployed IdentityServer3 to our servers in AWS behind a load balancer. I followed all the instructions in the Deployment wiki. I am able to hit the .well-known configuration fine after deployment from a browser on my machine.
I changed the authority URL for the MVC and API test apps to point to the AWS deployment. Clients, scopes, users, etc. are all configured identically, as they are hitting the same database as when running on my local machine.
I can get an access token using RequestResourceOwnerPasswordAsync just fine so I think ids is installed fine.
However, both the API and the MVC app just trying to use implicit flow are now failing. For instance, when I try to hit an MVC controller action marked with [Authorize] I get an error stating "An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set".
If I try to hit the webapi from the mvc app (both running locally on my machine) after a successful RequestResourceOwnerPasswordAsync call, I get the error "Response status code does not indicate success: 401 (Unauthorized)." after what seems like a timeout.
Any help would be greatly appreciated.

Figured out the problem. When specifying PublicOrigin, it has to be a full URL and not just the domain. I had left off the https:// prefix.
The Web API issue was related to connectivity to the identity server. There were some incorrect proxy settings for the app.

Related

Configuring Shibboleth Metadata File

We have recently migrated to a new hosting environment so have installed a fresh instance of Shibboleth. When we generate SP metadata files, the URLs are non-secure (i.e. http) even though the URL used to generate the metadata uses https.
When using the test connection from our own Azure AD system, we see the obvious error: "The reply URL specified in the request does not match the reply URLs configured for the application:"
I have limited knowledge of configuring the system beyond working on shibboleth2.xml and attribute-map.xml so would be very grateful if anyone can point me in the right direction to fix this.
I'm not sure if you managed to configure it, but I'm currently working on this as well, and I think I can help.
So the ReplyURL you need to provide in the Azure Portal is the reply URL that accepts the authentication reply message from the identity provider.
In the case of Shibboleth it is:
http[s]://yoursitename/Shibboleth.SSO/Auth/Saml
So if your webpage is for instance:
https://localhost/Foo
The replyURL should be:
https://localhost/Shibboleth.SSO/Auth/Saml
Notice that the page "Foo" is not in the replyURL.
After the authentication the browser should send the IDP reply to https://localhost/Shibboleth.SSO/Auth/Saml, after which Shibboleth should redirect you back to https://localhost/Foo
At least that's the default behaviour.
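Two URL checks that model the pitfalls from both threads above (IdentityServer3's PublicOrigin needing a full absolute URL, and the Azure AD reply URL for a Shibboleth SP being the handler path rather than the page). This is an added example, not code from either post or from IdentityServer3 or Shibboleth; the hostnames are constructed, and the PublicOrigin check additionally insists on https, which is stricter than IdentityServer3 itself requires.

```javascript
// Added example (not from the original posts). Hostnames are placeholders.

// Returns { ok, origin } if `value` is an absolute https URL, otherwise
// { ok: false, reason }. "ids.example.com" (no scheme) is rejected, which is the
// mistake that produced the "must either be an absolute URI" error above.
function checkPublicOrigin(value) {
  let url;
  try {
    url = new URL(value);              // throws when the scheme is missing
  } catch (err) {
    return { ok: false, reason: 'not an absolute URL: scheme is missing' };
  }
  if (url.protocol !== 'https:') {     // stricter than IdentityServer3: require TLS
    return { ok: false, reason: `scheme must be https, got ${url.protocol}` };
  }
  return { ok: true, origin: url.origin };
}

// Derives the reply (assertion consumer) URL Azure AD must be configured with,
// given any page on the SP. Only the origin is kept; the page path is dropped,
// so https://localhost/Foo -> https://localhost/Shibboleth.SSO/Auth/Saml.
function shibbolethReplyUrl(pageUrl) {
  const url = new URL(pageUrl);
  return `${url.origin}/Shibboleth.SSO/Auth/Saml`;
}

// Compares the derived reply URL with the reply URLs registered in Azure AD and
// names the mismatch seen in the question: metadata generated with http:// URLs.
function diagnoseReplyUrl(pageUrl, registeredReplyUrls) {
  const expected = shibbolethReplyUrl(pageUrl);
  if (registeredReplyUrls.includes(expected)) {
    return { ok: true, expected };
  }
  const httpVariant = expected.replace(/^https:/, 'http:');
  if (registeredReplyUrls.includes(httpVariant)) {
    return { ok: false, expected, reason: 'registered reply URL uses http instead of https' };
  }
  return { ok: false, expected, reason: 'reply URL not registered' };
}
```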

Kentico Multisite Azure Application Gateway App Service MVC configuration issue - 502 error

TL;DR - How can I get the Azure Application Gateway to pass 5.xx errors from the App Service to my browser? Currently the Application Gateway swallows any 5.xx error generated by the App Service and delivers a "502 - Web server received an invalid response while acting as a gateway or proxy server" error. I want to see the underlying error. And, I guess, have the Application Gateway ignore the error and just pass everything directly through from the App Service to my browser.
I've turned on Application Logging for the App Service. I can see some 5.xx errors in the LogFiles/DetailedErrors folder. But I think I'm missing some understanding of what Kentico does when it throws a 5.xx error. Normally if you're on a normal server or locally, you don't see the generic 503 page as your browser is redirected to the 'Invalid license key' page.
I don't know what sort of internal (black) magic Kentico does to deliver this page, rather than the normal asp.net 503 Service Unavailable page. But this page is very useful to see, as it gives an idea of what's really wrong with the Kentico configuration.
Background:
Kentico seems to use some 5.xx errors for information. E.g., the licence check throws a 503 error, instead of a useful 200 status with a message that you need to check your license.
We have a Kentico 11 MVC site. It hosts multiple websites. We are trying to set up an Azure Application Gateway that points to two App Services, one for MVC, one for Kentico admin.
So far I have the Kentico admin working properly - multiple domains can all access the CMSDesk via the Application Gateway. However, the MVC site is problematic. I can only get the default domain for the App Service to work. All other domains show a 502 error.
I'm thinking that the 'default' domain of the App Service works properly because the Application Gateway isn't forwarding the domain properly to the App Service, but I don't know how to verify this. And it's just my latest theory, and it's pretty shaky - if I remove the app, and just put static .htm files there, I can browse to them without error.
It seems that the "502 - Web server received an invalid response while acting as a gateway or proxy server" message is served up by the Application Gateway for any 5.xx error generated by the App Service, essentially hiding details of any server error issues that may arise. E.g. the Kentico license error generates a 503 that is presented as a problem with this module: "PageHandlerFactory-Integrated-4.0", rather than the obvious 'invalid license' screen that you normally see when Kentico is hosted on a normal server.
The Invalid license error will only show for the Admin site, not the MVC site. Never looked into what happens when that error is displayed, just always go in and add my missing license. If you want to get the full error, I would make sure you are logging all errors in your MVC into the Event log in Kentico.
In your Global.asax.cs file, you can probably do something like this:
    using System;
    using CMS.EventLog; // Kentico API namespace that provides EventLogProvider

    protected void Application_Error(object sender, EventArgs e)
    {
        // Log the unhandled exception to the Kentico event log so it is visible in the admin UI
        Exception exception = Server.GetLastError();
        EventLogProvider.LogException("MVC", "EXCEPTION", exception);
    }
Then you should be able to see the error in the Admin Event log.
This post may help with capturing errors in MVC better. I did something like this answer for displaying errors on the MVC site.
As soon as the Application Gateway detects a backend as unhealthy, you'll see the 502 error.
You can adjust the Health probe in your Application Gateway, so that the probe matching conditions include code 503. For example, set the condition to 200-503.
After you've done that, you should see the 503 page from Kentico.

400 status on login request for asp.net core 2.0

I have the following issue.
After upgrading an application to ASP.NET 2.0 I get a 400 (bad request) status response whenever trying to authenticate in production.
This error does not reproduce locally and doesn't reproduce when using the production container locally.
The only difference that exists between production and local is that there is a reverse proxy in production that implements SSL for all requests.
I've tried moving the authentication code from middleware (as it was initially implemented) into a controller and I've changed the path to the route that was used for authentication. I still get the error.
All other requests work fine (provided you have a jwt token attached to them).
I should also mention that the CORS headers aren't set on the 400 response.
Any ideas?
This issue was caused by an upstream reverse proxy that was stripping some headers from the requests. Requests with verbs Post & Put were affected.
Set the log level of your application to Information to see what Kestrel is actually complaining about.
In our case we had to switch hosting providers because of the issue.

IBM Weather REST API 401 Keep getting CORS issues when access

I am getting a 401 and some cross domain issues when trying to access IBM Weather REST API from either client (browser) or server.
If I generate a URL and try and access it directly from a browser (e.g. paste it in), it works fine and the JSON weather report is returned.
When I try and run the Javascript HTTP request from either the browser or server it seems like it's only allowed to run from an ibm.com domain.
Failed to load https://twcservice.au-syd.mybluemix.net/api/weather/v1/geocode/-33.00/151.00/forecast/daily/7day.json?units=m&language=en-US: The 'Access-Control-Allow-Origin' header contains multiple values 'https://*.ibm.com, https://*.ibmcloud.com', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access.
I am using the free service on Bluemix. Is this restricted to only run via a Bluemix server? Or are there some options I can pass when I create the service on Bluemix?
Note, when I make the request I am using the credentials supplied via the Bluemix console. Again, this works via the browser URL bar, but not via code.
Update/More info: if I paste the URL above into the browser (with creds) it works as above, then if I hit it via the web app in the same session it works.
Hmmm. So the IBM server is sending the following response header:
Access-Control-Allow-Origin: https://*.ibm.com, https://*.ibmcloud.com
That's an invalid response from IBM. Unfortunately, I think your only option is to complain to IBM, and convince them to:
1. Return a valid Access-Control-Allow-Origin response header (with only one value)
2. Allow people outside of IBM to access it
Without that, I fear you're out of luck.
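A small model of how a browser evaluates the Access-Control-Allow-Origin header, showing why the IBM header quoted above is rejected, plus the server-side pattern that supports several origins correctly. This is an added example, not code from the answer or from IBM; it simplifies the Fetch standard's CORS check and the sample header is a constructed copy of the one in the error message.

```javascript
// Added example (not from the original post): simplified browser-side CORS check.

// Returns { allowed, reason } for a request origin, the ACAO header value the
// server returned, and whether the request carried credentials.
function corsOriginAllowed(requestOrigin, acaoHeader, withCredentials) {
  if (acaoHeader === null || acaoHeader === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  const value = acaoHeader.trim();
  // The header must be a single origin or "*". A comma-separated list is exactly
  // the "contains multiple values" error the browser printed in the question.
  if (value.includes(',')) {
    return { allowed: false, reason: 'header contains multiple values, only one is allowed' };
  }
  if (value === '*') {
    // The wildcard is never accepted for credentialed requests.
    return withCredentials
      ? { allowed: false, reason: 'wildcard not allowed with credentials' }
      : { allowed: true, reason: 'wildcard' };
  }
  // Browsers compare byte-for-byte; "https://*.ibm.com" is not an origin and
  // would not match any real origin even if it were sent on its own.
  if (value === requestOrigin) {
    return { allowed: true, reason: 'exact origin match' };
  }
  return { allowed: false, reason: `origin ${requestOrigin} does not match ${value}` };
}

// Server-side counterpart: to allow several origins, echo back the one matching
// request origin from an allow-list (and send Vary: Origin), never a list.
function buildCorsHeaders(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) {
    return {};                       // no ACAO header: the browser blocks the response
  }
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
}

// Constructed sample mirroring the header reported in the question.
const IBM_HEADER = 'https://*.ibm.com, https://*.ibmcloud.com';
```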

Azure mobile service throws "Authorization has been denied for this request."

I'm using Azure mobile services with a .NET backend. My API controller works OK on my PC, but as soon as I deploy it to Azure, pinging it from Postman gives an "Authorization has been denied for this request." message with HttpStatusCode 401.
Note that I'm using table storage for storage instead of SQL Server and in the process removed all of the Entity Framework related code. Also, none of the endpoints require any authentication.
Thanks.
The default authentication for mobile services is anonymous (i.e., no authentication required) when running locally, and application (i.e., at least the application key needs to be supplied).
If you're using Postman, try adding a "x-zumo-application" header to the request, with the application key (which you can get in the Azure portal) as the value. The request should work then.