I need help regarding Identity Server on the following:
Do reference tokens use Signing Certificate?
On http://localhost application is working fine, on binding to a public URL with https, the login call returns a token, but consecutive WebApi(client) calls return "401 - Authorization has been denied for this request". Is it because of SSL certificate or due to NLB (two different Identity servers are deployed on the backend) - I am using Entity framework for storing the reference tokens. Do multi domain SSL certificate (SAN) work fine for Identity Server?
Do I need to add machine keys on both Identity server config files to sync or is this requirement only for JWT approach?
Thanks.
Related
I have an application with multiple services. One of them is the auth service that takes care of creating the jwt after checking that the client id (i.e. browser or app) is valid and provided username/password is also valid.
I have another service (gateway) that redirect to other services any requests from the users using the jwt token for authentication.
All this works and has been working for a few years. It is based on Spring Boot using Spring Security (starter v2.1.5). It is soon time to renew our certificate and at the same time move to our new domain. The new certificate has been applied to the Google Cloud Platform load balancer.
The call for health check using the Spring Actuator is responding with the proper "UP" (in json) response. When I try to make the call from same Postman request (with new domain name used) I get the following response with a 401 code:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
I do have the proper clientid and password/secrete encoded using base64 (hey it worked before and nothing else was changed).
I tried to debug setting #EnableWebSecurity(debug = true), but it generates zero logs from the request.
If I switch back the certificate to old one (and old domain), it works again without any other changes. This has been driving me a bit on the crazy side to say the least. Any help, suggestion, ideas would be appreciated.
It ended up being an error on my part. When I added a A class resources during the copy paste of Load Balancer IP, I put the same IP for both of my services (i.e. one of the copy didn't stick). Ending up in calling security on the gateway service when asking for the auth token.
Thanks for the comment #Boris-Treukhov
I am working with access to an api with access control using Oauth2. I use DotNetOpenAuth
server.AuthorizationEndpoint = new Uri("https://api.xxxxxx.com/oauth/authorize");
var client = new DotNetOpenAuth.OAuth2.WebServerClient(server, client_id, client_secret);
client.GetClientAccessToken();
Which results in..
AuthenticationException: The remote certificate is invalid according to the validation procedure.
They have certificate errors, that won't be solved before....well...before the project is actually released, but I need to work on it now.....
DotNetOpenAuth will not allow the auth. url without HTTP
How can I make the code either accept the invalid certificate OR make DotNetOpenAuth accept a HTTP auth. url?
I have tried fiddling with the web.config settings, and to see if the trick with a "forgiving" servicePointManager could be used, but I don't know where to attach that
Found it... in web.config:
<dotNetOpenAuth>
<messaging relaxSslRequirements="true"/>
This made it ignore the fact that the provider of the webservice had an invalid certificate on their test server
We are using IdentityServer V2 as our Identity Provider using WsFed/SAML2. We now want to federate. I tried adding our WsFederation endpoint as one of the Identity Providers but can't seem to get it to work.
When I add the STS itself, it won't work work... see results below for each WsFederation URL I've tried:
https://localhost:44306/FederationMetadata/2007-06/FederationMetadata.xml
(this just opens the federation xml page)
https://localhost:44306/issue/wsfed
(this just opens a blank page and doesn't prompt for credentials)
https://localhost:44306/issue/wstrust/mixed/username
(same as above - blank page)
Can the Identity Server V2 use its own WsFed endpoint as one of the identity providers or do I need to host it separately to be able to use it? If so, what URL do I use for the WsFederation Endpoint?
UPDATE: This was resolved... Specifically:
Each Identity Provider needs to point to the '/issue/wsfed' endpoint (for WsFederation anyway)
Each WsFederation Endpoint needs to have a Relying Party configured which points back to the federating STS
Each Relying Party above needs to have the realm name of the federating STS (not the client RP)
Each Relying Party above needs to have the return URLs set to the '/issue/hrd' endpoint for the federating STS (NOT the client RP)
Once I configured everything like this, it worked.
Our project(web application C# ASP.NET MVC3) is hosted on IIS 7.5 and we use certificate authentication. So we have SSL-require configured IIS.
Now we have a business task to allow some users to use our system. And there is no way to provide client certificates for them. In that case we need to use some additional authentication model (user-password or ntdomain based).
I don't know how to realize such model:
User gets on our project url;
If he has valid client certificate - we let him iteract with our application;
If he hasn't cert we show him a login form with "user-password";
If we use SSL-required configured IIS users would not be able to iteract with application without valid certificate at all right? And how to authenticate with certificate if IIS is configured with SSL-Accept?
Maybe you can configure two sites on your IIS? One with SSL and another without it? Your url will point to the SSL enabled site, and when a user without a valid certificate arrives you use some backup code to send him to the SSL free site?
Just guessing actually... I think this probably deserves a more meditated answer...
The problem was not so large as i thought before. IIS provides a check box to require certificate even if combobox(in SSL options of web application) is set to Accept instead of require. In that case IIS tries to get certificate at first. And if there is no cert it lets the user to iteract with application. And we can make custom authentication on that level.
With MVC (v.3+) there is nice way to use IAuthorizationFilter in that case
How to access the secured "HTTPS" webservice in Windows Phone 7. The secured certificate is not given, I should either skip or ignore the error message. Any help?
The site you're accessing needs to have a valid certificate from an issuer recognised by the platform. The latest list of these issuers I've seen is here.
push notifications from authenticated services
Note Geotrust will give you a 30 day trial certificate which is handy for testing.