Azure Mobile App CORS settings - azure-mobile-services

I am trying to migrate a Mobile Service .NET backend to a Mobile App .NET backend.
For the Mobile Service, I am able to configure CORS settings on the management portal and in web.config for local development settings, e.g.
    <add key="MS_CrossDomainOrigins" value="http://localhost:8100"/>
How do I configure the CORS settings for a Mobile App?
Thanks

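CORS in the Apps world is now configured via the standard Web API models.
Something like so:
    using System.Web.Http;
    using System.Web.Http.Cors;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Origins are compared with the browser's Origin header, so each entry
            // needs its scheme and no trailing slash; "*" allows all headers and methods.
            var cors = new EnableCorsAttribute("https://www.mysite.com", "*", "*");
            config.EnableCors(cors);
        }
    }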
See: http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

You can also configure allowed CORS domains through the Azure Portal under Settings -> CORS

Related

OpenIddict in abp framework - deploy in containerized environment (k8s)

abp version 6.0, tiered (.Web, .HttpApi.Host, .AuthServer), MVC.
The following messages appear in .AuthServer.
Client validation failed because 'https://webpage_url/signin-oidc' was not a valid redirect_uri for AppName_Web.
The authorization request was rejected because the redirect_uri was invalid: 'https://webpage_url/signin-oidc'.
How to properly set appsettings.json in .Web, .HttpApi.Host, .Web and .DbMigrator projects for deployment into containerized environments?
Where should be set internal (k8s) url address for auth server and when outer url (which is accessible via internet).
Url https://webpage_url/signin-oidc in the log is outer address (which is accessible via internet).
changing appsettings.json
> Client validation failed because 'https://webpage_url/signin-oidc' was
> not a valid redirect_uri for AppName_Web. The authorization request
> was rejected because the redirect_uri was invalid:
> 'https://webpage_url/signin-oidc'.

Probably your redirect URI is not seeded. You can check your database to see whether the redirect URI was added correctly for that client (application).
> How to properly set appsettings.json in .Web, .HttpApi.Host, .Web and
> .DbMigrator projects for deployment into containerized environments?
> Where should be set internal (k8s) url address for auth server and
> when outer url (which is accessible via internet).
> Url https://webpage_url/signin-oidc in the log is outer address (which
> is accessible via internet).

You don't change the redirect URI based on your deployment environment. It should point to a valid, reachable endpoint that the openid-provider redirects to after signin.
As far as I understand, apart from the normal login flow, you are having problems when interacting with the openid-provider in an isolated network (k8s, docker).
Since you have the auth-server on a real domain endpoint (like https://my-authserver.com), you are getting errors from containers that try to reach the domain (https://my-authserver.com/.well-known/openid-configuration), and you receive an SSL error or a not-found error.
So you want internal requests to go to the internal container (like http://my-auth-container/.well-known/openid-configuration), while user-facing login/logout should be done using the public domain name (https://my-authserver.com).
Instead of changing the public issuer, you can add OpenIdConnectOptions based on your deployment to configure MetadataAddress as:
    context.Services.Configure<OpenIdConnectOptions>("oidc", options =>
    {
        // Back-channel discovery goes to the internal address
        options.MetadataAddress = configuration["AuthServer:MetaAddress"].EnsureEndsWith('/') +
                                  ".well-known/openid-configuration";

        var previousOnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            // Intercept the redirection so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"].EnsureEndsWith('/') +
                                                "connect/authorize";
            if (previousOnRedirectToIdentityProvider != null)
            {
                await previousOnRedirectToIdentityProvider(ctx);
            }
        };

        var previousOnRedirectToIdentityProviderForSignOut =
            options.Events.OnRedirectToIdentityProviderForSignOut;
        options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
        {
            // Intercept the redirection for signout so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"].EnsureEndsWith('/') +
                                                "connect/endsession";
            if (previousOnRedirectToIdentityProviderForSignOut != null)
            {
                await previousOnRedirectToIdentityProviderForSignOut(ctx);
            }
        };
    });
This way, login/logout requests will be redirected to configuration["AuthServer:Authority"], which should be a public domain (like https://my-authserver.com), and the internal requests will be redirected to configuration["AuthServer:MetaAddress"], which should be an internal service (like http://my-auth-container).
For more details, check out:
eShopOnAbp Public-Web application configuration
eShopOnAbp Azure deployment configuration

Nextjs redirect path has a redirection from HTTP to HTTPS

I'm running my nextjs (UI only) application on localhost http://localhost:3000/. This localhost has to connect to a BE API (another hosted service), say https://test-api/api/graphql. This API is called from the FE on the path http://localhost:3000/api/graphql, which connects to https://test-api/api/graphql with the help of the nextjs rewrite function:
    async rewrites() {
      const rewrites = [];
      rewrites.push({
        source: "/api/graphql",
        destination: "https://test-api/api/graphql",
      });
      return rewrites;
    },
Now it looks like my BE API https://test-api/api/graphql is doing a forced redirect for the path http://localhost:3000/api/graphql to https://localhost/api/graphql.
And since https://localhost/api/graphql does not exist, I'm unable to connect to the BE API. Any idea what I can do in the nextjs config so that, even if the redirect is happening, I'm still able to connect to my BE API?
I'm facing this issue only in the local environment; the hosted nextjs application does not have this issue, as it is already on https.

Use axios proxy through OpenVPN protected frontend in VueJS

Hope you are all good.
I'm facing an issue with my frontend instance.
Actually, we have a frontend hosted and secured by OpenVPN credentials. That means no one can access it without a connection to our VPN. That configuration works well, but there is still one issue with axios proxies.
Quick notes:
we are not using server-side rendering
frontend hosted in AWS CloudFront
backend deployed to AWS EC2 instances
This is the current configuration in my nuxtjs frontend nuxt.config.js file:
    {
      ...,
      proxy: {
        '/api/': {
          target: !process.env.FLAVOR
            ? 'http://localhost:8009'
            : (process.env.FLAVOR === 'production'
              ? 'https://api.domain.tld'
              : 'https://' + process.env.FLAVOR + '-api.domain.tld'),
          pathRewrite: { '^/api/': '/v1/' }
        }
      },
      ...
    }
This solution helps me to avoid all environments easily, without setting each URL inside my environment variable in Dockerfile, and also the CORS policy.
In that way, if I check the console inspector and verify the network tab, I got access denied because not connected to the client. How do VPN and proxy really work? Are the requests called client-side or server-side?
Thanks in advance for helping me.

IBM Cloud: How do I retrieve information about private endpoints from credentials or service bindings?

I have my account enabled for VRF and private service endpoints. When I create service credentials, typically I only see URIs for the public endpoint. How can my bound app working with the credentials obtain the URI for the enabled private endpoint?
Here are the credentials for a Watson Assistant instance enabled for private endpoints. It only has the public URI.
    {
      "apikey": "myApiKeyValueWouldBeHere",
      "iam_apikey_description": "Auto-generated for key 9197a2b1-xxxx-xxxx-xxxx-7a99966e0056",
      "iam_apikey_name": "Service credentials test",
      "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
      "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/1234567890abcdefghijklmnopqrstuvwxyz::serviceid:ServiceId-a2072c22-xxxx-xxxx-xxxx-xxx3a714f525",
      "url": "https://api.eu-de.assistant.watson.cloud.ibm.com/instances/932d30c1-xxxx-xxxx"
    }
Your private network endpoint should be displayed in the Manage tab for the service instance.
In the service details page, click the Manage tab, and then click Private Network Endpoint.
See Public and private network endpoints and Protecting sensitive information [in Assistant].
It is possible to generate credentials for private endpoints from both the UI, CLI, terraform, etc.
For the CLI, add the --service-endpoint parameter with value private:
    ibmcloud resource service-key-create myCreds Manager \
        --instance-name myWatsonAssistant_PLUS --service-endpoint private
The above also works with ibmcloud resource service-binding-create.
When using the IBM Cloud console (UI) and the add credentials dialog, go to the advanced options and add inline configuration options. There, add the following value:
    {"service-endpoints":"private"}
This will lead to credentials for the private endpoint being generated. You can pass the same key / value in other interfaces like the API or in terraform.
The generated credentials have the additional key private_endpoint set to true.

Call Bluemix service from outside app

I've built a simple translate service with Node-Red and Watson. The service is OK when called directly from the browser, but I get an error (CORS) when I call the service via http from my Angular app.
Does Bluemix allow CORS?
Thanks in advance.
Generally speaking Bluemix supports applications that are composed of many independent services deployed to different hostnames. For each application (which can be a service API) that you push to Bluemix, the name you provide will be prepended to .mybluemix.net. If your application follows the best practices of a microservices architecture you will probably have two or more subcomponents that live on different hostnames. Now if you have a front-end that needs to aggregate information from these other Bluemix apps (your AngularJS app) by default the access to other subdomains will be forbidden.
The solution is to take advantage of the standard HTTP headers that are available to control cross-origin resource sharing (CORS) on the Bluemix services that you wish to provide to JavaScript clients:
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Take a look at the following blog post: Cross-origin resource sharing for Bluemix APIs.
Add these code lines in your bluemix-settings.js and repush your app:
    // The following property can be used to configure cross-origin resource sharing
    // in the HTTP nodes.
    // See https://github.com/troygoode/node-cors#configuration-options for
    // details on its contents. The following is a basic permissive set of options:
    httpNodeCors: {
        origin: "*",
        methods: "GET,PUT,POST,DELETE"
    },
Add this code after " functionGlobalContext: { }, "
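
The `origin: "*"` setting above lets a page on any site read responses from the HTTP nodes. As an added example (not part of the original answers, and not Node-RED or node-cors project code), here is an allow-list variant that uses the callback form of the node-cors `origin` option. The host names are constructed placeholders, and it assumes `httpNodeCors` is handed to node-cors unchanged, as the settings comment indicates.

```javascript
// Constructed allow-list: replace with the exact origins of your own front ends.
const ALLOWED_ORIGINS = new Set([
  "https://myapp.mybluemix.net", // hypothetical Angular front end
  "http://localhost:8100",       // local development
]);

// True only for an exact, well-formed origin that is on the allow-list.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false; // request carried no Origin header
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // covers the literal "null" origin and other malformed values
  }
  // Browsers send the serialized origin (scheme://host[:port]). Requiring that
  // exact form means a look-alike host can never match. Every Bluemix app shares
  // the .mybluemix.net suffix, so matching on the suffix would admit other
  // tenants' apps as well.
  return parsed.origin === origin && ALLOWED_ORIGINS.has(origin);
}

// node-cors `origin` option in callback form: callback(err, allow).
// allow === true reflects the request origin; false sends no CORS headers.
function corsOrigin(origin, callback) {
  callback(null, isAllowedOrigin(origin));
}

// Replacement for the permissive httpNodeCors block in the settings file.
const httpNodeCors = {
  origin: corsOrigin,
  methods: "GET,PUT,POST,DELETE",
};

// Synchronous helper for checking a decision outside of a request.
function decide(origin) {
  let allowed = false;
  httpNodeCors.origin(origin, (err, allow) => { allowed = allow; });
  return allowed;
}
```
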