Is it possible for each area in MVC2 to run on a separate IIS website? - asp.net-mvc-2

Let's say I want my Admin (area) to run on HTTPS
and the default site runs on HTTP.
Is this possible? How?

How to force SSL in MVC 2.0
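using System.Web.Mvc;

public class AccountController : Controller
{
    // RequireHttps runs first (Order = 1); Authorize then checks the role (Order = 2).
    [RequireHttps(Order = 1), Authorize(Roles = "Users", Order = 2)]
    public ActionResult Login()
    {
        // Add login logic
        return View();
    }
}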
The only other thing you will need to do is set up your SSL cert in IIS, but don't require it if you only want to use it in certain areas/controllers/functions.

Related

Azure AD Redirect URL Using Application Gateway and ASE

We have an ASP Core 2.0 App working nicely with Azure AD on a public network. Our Test environment is running in an Azure ASE. The user starts with a public address that passes through the Azure Application Gateway and gets routed to 1 of 2 App servers in the ASE. The application is registered in Azure AD with response URLs that specify the public address.
The problem is when the user redirects to login, the request address presented to Azure AD is an internal address from one of the 2 servers. Then the response URLs don't match and we get an error at login.
The question is how to present the public address to Azure AD so the response URLs match and the token is posted back to the app using the same? The app gateway, I'm told, is configured to populate x-forwarded-for header which has the original address. I don't see where in the web application this can be controlled.
startup.cs
services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddAzureAd(options =>
    {
        Configuration.Bind("AzureAd", options);
        AzureAdOptions.Settings = options;
    })
    .AddCookie();
AccountController.cs
public IActionResult SignIn()
{
    var redirectUrl = _azureAdOptions.WebBaseUrl;
    return Challenge(
        new AuthenticationProperties { RedirectUri = redirectUrl },
        OpenIdConnectDefaults.AuthenticationScheme);
}
I would think this is a common configuration - passing public to private servers with SSO integrated.
[Edit]
Based on the link provided in the comments, which was very helpful, we tried several things including explicitly setting UseForwardedHeaders in startup.cs even though this is supposed to be enabled by default. Nothing we did changed the URL bolded in the URL below.
https://login.microsoftonline.com/2ff13e34-f33f-498b-982a-7cb336e12bc6/oauth2/authorize?client_id=998c48ae-bbcf-4724-b6f4-6517e41d180a&redirect_uri=**http%3A%2F%2Flocalhost%3A2345%2Fsignin-oidc**&resource=https%3A%2F%2Fgraph.windows.net&response_type=id_token%20code&scope=openid%20profile&response_mode=form_post......
However, and maybe this is a clue, if we comment out the [Authorize] on the home controller and login after the user clicks a button to login, it works. Why?
Note: IDs/GUIDs above have been scrambled to protect the innocent
I came across this post explaining how Application Gateway did not implement the standard x-forwarded-host headers. I'm hoping this gets fixed so the code below would not be required. The solution that worked in our configuration was to force both the public domain and scheme (HTTPS) on every request because the app gateway wasn't (and apparently couldn't be) configured to pass SSL to the backend servers.
Added to startup.cs
app.Use((ctx, next) =>
{
    // Force the public host and scheme so redirects are built from them.
    ctx.Request.Host = new HostString(options.Value.CustomDomain);
    ctx.Request.Scheme = "https";
    return next();
});
Now when the application redirects for any secure resource -- [Authorize] controller methods, or code that explicitly calls Challenge(x, y, z) -- the public domain on HTTPS is used as the origin host and scheme. Thanks to @juunas for pointing in the right direction.
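A variant of the middleware above that applies the override only to requests arriving from the gateway, as an added example that is not the poster's code. The host `app.example.com` and subnet `10.0.1.0/24` are constructed placeholders, and it assumes `Connection.RemoteIpAddress` is the gateway's address as seen by the app.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class PublicOriginExtensions
{
    // Placeholder values (assumptions): the public host registered as the
    // Azure AD reply URL, and the subnet the Application Gateway connects from.
    private static readonly HostString PublicHost = new HostString("app.example.com");
    private static readonly Microsoft.AspNetCore.HttpOverrides.IPNetwork GatewaySubnet =
        new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.1.0"), 24);

    // Call before app.UseAuthentication(): the OpenID Connect handler builds
    // redirect_uri from Request.Scheme and Request.Host at challenge time.
    public static IApplicationBuilder UsePublicOrigin(this IApplicationBuilder app)
    {
        return app.Use((ctx, next) =>
        {
            if (IsFromGateway(ctx.Connection.RemoteIpAddress))
            {
                // Fixed, configured values only; nothing is copied from a
                // request header that a client could set.
                ctx.Request.Host = PublicHost;
                ctx.Request.Scheme = "https";
            }
            return next();
        });
    }

    private static bool IsFromGateway(IPAddress remote)
    {
        if (remote == null) return false;
        // IPv4 peers can be reported as IPv4-mapped IPv6 addresses.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return GatewaySubnet.Contains(remote);
    }
}
```

Requests that reach a backend server directly, bypassing the gateway, keep their real scheme and host, so a plain-HTTP request is not reported to the rest of the pipeline as HTTPS.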

Identityserver3 - Select Identityprovider a client should use

I now have IdentityServer3 set up, and I have 3 identity providers configured:
- Local
- Google
- ADFS
I have multiple clients using Oidc-Client-JS (https://github.com/IdentityModel/oidc-client-js).
Now I would like to specify which identity provider a client should use to log in. So let's say:
Client A lets the user choose which provider to use
Client B logs in with local
Client C logs in with Google
Client D logs in with ADFS
The situation of Client A is the default behavior and I have that working. My question is: how do I set up clients B, C and D?
Check the following function in your startup to see what you called your identity provider, in my case "Google".
public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
    {
        AuthenticationType = "Google",
        // ... remaining options
    });
}
In your client, set the acr_value for idp to whatever you have set.
let userManagerSettings: Oidc.UserManagerSettings = {
    acr_values: "idp:Google",
    // ... remaining settings
};
Now the client will automatically redirect to the correct identity provider.
According to the IdentityServer3 documentation, you need to configure the IdentityProviderRestrictions for each client. If only one identity provider is configured, IdSrv3 will automatically redirect.
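The per-client restriction from the second answer, as an added example that is not code from either answer. `acr_values` travels in the browser's authorize request and is only a hint, while `IdentityProviderRestrictions` is applied by the server; the client ids, redirect URIs and the "adfs" provider name are constructed.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            // Client A: no restriction, the login page offers every provider.
            Build("client-a", true),
            // Client B: local accounts only. Assumption: listing only the
            // built-in provider name leaves no external provider that matches.
            Build("client-b", true, Constants.BuiltInIdentityProvider),
            // Client C and D: one external provider each, local login off.
            // The strings must equal the AuthenticationType set in startup;
            // "adfs" is a hypothetical name for the ADFS registration.
            Build("client-c", false, "Google"),
            Build("client-d", false, "adfs")
        };
    }

    // Hypothetical helper so the four clients differ only in login settings.
    private static Client Build(string id, bool localLogin, params string[] providers)
    {
        return new Client
        {
            ClientId = id,
            ClientName = id,
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "https://" + id + ".example.com/callback" },
            AllowedScopes = new List<string> { "openid", "profile" },
            EnableLocalLogin = localLogin,
            IdentityProviderRestrictions = new List<string>(providers)
        };
    }
}
```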

Response redirect using IP in dotnetnuke

I am the host and developer of my DNN portal. I need to redirect users using client IP. I think there may be two ideas for this work.
1- DNN Setting
Maybe DNN has settings for it, so that I can set a specific URL for client IP addresses and DNN automatically redirects to the specific URL.
I read many topics but I could not find a setting to do it.
Is there a way to do this?
2- New Module
I have an ascx whose onload method has this code:
var IP = Server.HtmlEncode(Request.UserHostAddress).ToString();
using (Entities db = new Entities())
{
    var retVal = db.URLAddresses.Where(u => u.IPAdress == IP).FirstOrDefault();
    if (retVal != null)
        Response.Redirect(retVal.URL);
}
But I would have to add this code to every ascx to redirect using client IP. This is impossible because I may not have the modules' source code.
I think I should create a new module so I can add it to a page. The module changes the page's onload and redirects to a URL using client IP.
In this scenario, I tried to create a new module, but I don't know how I can change the onload method of each page the module is added to.
You can use IHttpModule and make a new module that includes your class; then you should add your IHttpModule to web.config.
For example:
<add name="YourModule" type="YourNameSpace.YourModule, YourAssembly" preCondition="managedHandler" />
See these sites:
HTTP Handlers and HTTP Modules Overview
and How To Create an ASP.NET HTTP Module
DNN does have a Host setting that will allow or deny access to users logging in based on their IP address. It's in Host Settings > Advanced Settings > Login IP Filters. I don't think that will give you the desired result.
I would not suggest creating a module. It can be difficult copying it to all pages and ensuring one instance is added to every page.
Rather, I would create a skin (theme) token. To do this, create a simple class library project. Create an .ascx and ascx.cs file. You can leave the .ascx empty because you don't have any html to add to the pages. In the .cs, put something like this:
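using System;
using DotNetNuke.UI.Skins;

namespace MyCompany.DNN.Skin
{
    public partial class IpRedirect : SkinObjectBase
    {
        // Runs on every page that uses a skin containing this skin object.
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            // Put your redirect logic here
        }
    }
}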
Then, in your theme/skin ascx pages, include the following:
<%@ Register TagPrefix="myco" TagName="IPREDIRECT" Src="~/DesktopModules/MyCompany/IpRedirect/IpRedirect.ascx" %>
<myco:IPREDIRECT ID="pageRedirect" runat="server" />
This will ensure that this functionality will execute on all pages in the site that use the skin/theme.
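The IHttpModule route suggested in the first answer, as an added example that is not code from either answer. The lookup table is constructed sample data standing in for the asker's `URLAddresses` table, and the class name `YourModule` follows the placeholder in the web.config line.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

namespace YourNameSpace
{
    // web.config registers the module by its "Namespace.Class, Assembly" type string.
    public class YourModule : IHttpModule
    {
        // Constructed sample data (documentation IP ranges, example.com URLs).
        private static readonly Dictionary<string, string> Targets =
            new Dictionary<string, string>
            {
                { "203.0.113.10", "https://www.example.com/partners/" },
                { "198.51.100.7", "https://www.example.com/branch/" }
            };

        public void Init(HttpApplication application)
        {
            application.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            string value;
            Uri target;
            // UserHostAddress is the TCP peer: behind a proxy or load balancer
            // it is the proxy's address, not the visitor's.
            if (!Targets.TryGetValue(context.Request.UserHostAddress, out value)) return;
            // Accept only absolute http(s) targets from the table.
            if (!Uri.TryCreate(value, UriKind.Absolute, out target)) return;
            if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps) return;
            // Already on the target page: do not redirect again (avoids a loop).
            if (Uri.Compare(context.Request.Url, target,
                    UriComponents.SchemeAndServer | UriComponents.Path,
                    UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0) return;
            context.Response.Redirect(target.AbsoluteUri, false);
            context.ApplicationInstance.CompleteRequest();
        }

        public void Dispose() { }
    }
}
```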

How to configure resetpassword

I am using IdentityServer3 for authentication. Users are stored using AspnetIdentity framework. I wanted to provide reset password functionality to users. I want to provide this functionality in IdentityServer hosting application. I have gone through several posts here here here and this is what I have done so far:
1>I have created custom user service derived from AspNetIdentityUserService.
2>Created resetpassword.html and put it in template folder. (documentation)
3>It's not necessary to create a CustomViewService, so I added LoginPageLink in AuthenticationOptions and now the link is available on login page.
4>Created ResetPasswordController
public class ResetPasswordController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ResetPassword(string username)
    {
        // call customservice here and reset password
        return View();
    }
}
Issue
When I click on the resetpassword link, I get the error
The view 'Index' or its master was not found or no view engine
supports the searched locations. The following locations were
searched: ~/Views/resetpassword/Index.aspx
~/Views/resetpassword/Index.ascx ~/Views/Shared/Index.aspx
~/Views/Shared/Index.ascx ~/Views/resetpassword/Index.cshtml
~/Views/resetpassword/Index.vbhtml ~/Views/Shared/Index.cshtml
~/Views/Shared/Index.vbhtml
I know why the error is; it's because we don't have a corresponding view in the Views folder where the MVC framework is looking. My view resetpassword.html is in the template folder. And that's the confusion. Identity server is using Angular to build its views.
If I decide to use angular then
1>How do I create and pass model to resetpassword.html.
2>How do I wire-up my CustomUserService to controller.
If I use ASP.NET MVC then
1>I need to add resetpassword.cshtml in Views folder and also a new Layout.cshtml in shared folder.
2>Doing so, MVC scaffolding will add bootstrap resources (css, js, jquery). The version may not match with IdentityServer's embedded resources.
I am comfortable coding ASP.NET MVC but worried about adding bootstrap resources twice in the solution.
What is the best and easy approach here? Any sample example will be greatly appreciated.

how to redirect/map to externalregistration page from AuthenticateExternalAsync to angular page

I am using external providers to login to my web app. (for example Google). In my custom userservice I get to AuthenticateExternalAsync and from there I want (if need to) redirect to Angular page.
public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
    ...
    ...
    context.AuthenticateResult = new AuthenticateResult("~/externalregistration", user.Subject, name, identityProvider: user.Provider);
    return Task.FromResult(0);
}
I have an HTML page
at https://localhost:44300/Content/app/externalregistration.html
How do I map externalregistration to this page?
At the moment I get an error
https://localhost:44300/identity/externalregistration#
HTTP Error 404.0 - Not Found
thank you
Mark
The page for the partial login has to be with IdentityServer - see that it's looking for it at /identity/ and not /Content/app/.
If from your user service you issue a partial login, then that web page is entirely up to you to serve up from the server. If that partial login page needs to know the identity of the user, then it needs to be hosted in the same path as IdentityServer so the partial login cookie can be read on the server. If you then want that page to be a SPA, then you'd have to have some server side code issue something into the browser for your SPA to know the identity of the user. If you want that page to be a SPA and make Ajax calls back to the server, you need to include some XSRF protection.
All in all, custom partial pages are easiest implemented as standard server-rendered MVC pages.